Frequent Contributor I

CPPM Clients change status in endpointdatabase

Hi

We are using ClearPass Policy Manager 6.5.6.81675.

We do guest access authentication with the guest module, which was working fine. In the last weeks, users report that they have to reauthenticate several times a day. The problem is that clients are suddenly in status unknown.

I tried this with my private phone. The client is authenticated and is correctly saved in the endpoint database. Status is known.

After some time the client has to reauthenticate. I checked the endpoint DB and the status is suddenly unknown.

Our configuration at first tries to authenticate via MAC authentication and the endpoint database. Known clients within 90 days should not be forced to re-login via the captive portal. But suddenly this does not work anymore.

 

Guru Elite

Re: CPPM Clients change status in endpointdatabase

Use [Allow All MAC Auth] instead of [MAC Auth]. There is no reason to rely on known vs unknown as there are other attributes that are evaluated as part of the MAC caching policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: CPPM Clients change status in endpointdatabase

There are other attributes which are used. There are guest classes which are set by the guest module.

Frequent Contributor I

Re: CPPM Clients change status in endpointdatabase

But what's the reason a known client changes its status to unknown?

Re: CPPM Clients change status in endpointdatabase

Under normal conditions, the status in the endpoint database only changes because you do that manually or it is done by an enforcement profile (Post Authentication Update Endpoint).

Because between the lines it looks like more data is lost from the endpoint, please check under Server Configuration -> Cluster-wide Parameters -> Cleanup intervals whether you may have configured the cleanup interval for known or unknown endpoints there. If you did, that will remove the entry from the endpoint DB after a time of inactivity.

 

MAC caching uses the Endpoint Database, and for that reason, the entries should not be cleaned up before the end of your 90 days.

 

Could this be the issue?

 

The default setting of 0 for cleanup will disable cleaning altogether for that category.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Frequent Contributor I

Re: CPPM Clients change status in endpointdatabase

Cleanup intervals are configured as you can see in the picture below:

cleanup_intervals.JPG

 

 

Frequent Contributor I

Re: CPPM Clients change status in endpointdatabase

There is a post auth policy which should update status. But it is not working.

update_endpoint.JPG

enforcement prof.JPG

 
