Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM timeout received instead of ACCESS-REJECT

  • 1.  CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 02:08 PM

    Hi

    I deployed a CPPM solution for 802.1X and MAB auth. Everything works, but I have one issue: CPPM doesn't respond to requests with a bad password/unknown MAC.

     

    My service & Policies configuration:

    Authentication Method Allow All MAC AUTH
    Authentication Source Endpoint Repository
    Enforcement Type RADIUS
    Enforcement Policy (Authentication:MacAuth EQUALS KnownClient) => Enforcement Profile Allow Access Profile
    Default Profile Deny Access Profile

     

    1) The above service 'TEST MAC' is configured, and my RADIUS MAC-Auth request matches that service rule, which I see in the syslog from CPPM and in Access-Tracker:

    Syslog returns: Service classification result = TEST MAC

    Access-Tracker returns:

    Output
        Enforcement Profiles: [Deny Access Profile]
        System Posture Status: UNKNOWN (100)
        Audit Posture Status: UNKNOWN (100)

    Alerts
        Error Code: 206
        Error Category: Authentication failure
        Error Message: Access denied by policy

    Alerts for this Request
        RADIUS [Endpoints Repository] - localhost: User not found.
        Applied 'Reject' profile

     

    2) The request doesn't match the Enforcement Policy, as the MAC is not known, so the Enforcement Profile 'Deny Access Profile' is used.

    And my RADIUS client doesn't receive any response. Just a RADIUS timeout. I adjusted the timeout to even 30 seconds, but no response at all. I tested the same scenario with FreeRADIUS, which responds with Access-Reject to an unknown user/MAC, and I'm expecting the same behavior from CPPM. What should I change to achieve this?

    I'm using ClearPass Policy Manager 6.5.5.78974


  • 2.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 03:00 PM

    Just want to add that earlier I used the radius-server settings below on the client/network devices requesting auth from CPPM:

    radius-server retransmit 1
    radius-server timeout 10

    And 10 seconds was too short a time to wait for the CPPM/RADIUS response. I increased the timeout to two minutes (120 seconds) and finally got an ACCESS-REJECT response, but AFTER 31 seconds of waiting!

    Can I adjust these timeouts somewhere within CPPM or tell CPPM to respond more quickly?


  • 3.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 04:15 PM

    I was digging and found the source of the problem. There is a variable 'Reject Packet Delay' (in the Security section) under Administration » Server Manager » Server Configuration - CPPM -> Service Parameters -> Radius Server.

    The default value of this variable is '1' second. If I set it to 0 seconds, then the CPPM RADIUS server sends ACCESS-REJECT asap. If it's set to >0, then CPPM replies after 'Maximum Request Time' + 'Reject Packet Delay' seconds, which means 30 + 1 = 31 seconds. But why does it take 'Maximum Request Time' into account? Is it a bug or expected behavior?

    Rob
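As an added example (not from the thread, and not HPE Aruba code), a small Python probe that sends one MAB-style Access-Request (User-Name and User-Password both set to the MAC, as the switch does) and times the reply, so a genuine RADIUS timeout can be told apart from an Access-Reject that merely arrives late, like the 31-second case described above. The server address, shared secret, MAC and NAS-Identifier are placeholders you supply; the reply builder exists so the packet handling can be exercised without a live server.

```python
import hashlib, os, socket, struct, time

def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    # seeded with the Request Authenticator. An empty password still yields one block.
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out

def build_access_request(ident, secret, username, password, authenticator):
    # Access-Request (Code 1) with User-Name (1), User-Password (2), NAS-Identifier (32).
    attrs = b""
    for attr_type, value in ((1, username.encode()),
                             (2, encode_password(password.encode(), secret, authenticator)),
                             (32, b"reject-delay-probe")):   # placeholder NAS-Identifier
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_auth, secret, attrs=b""):
    # Server-side reply (e.g. Access-Reject = 3) with the RFC 2865 s3 Response Authenticator.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def classify_reply(resp, request_auth, secret):
    # Recompute the Response Authenticator so a forged or corrupted reply is not trusted.
    if len(resp) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    if resp[4:20] != expected:
        return "bad-authenticator"
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(code, f"code-{code}")

def probe_reject_delay(server, secret, mac, timeout=35.0, port=1812):
    # Send one request and report the reply type and how many seconds it took; the default
    # timeout is deliberately above the 30 s 'Maximum Request Time' seen in the thread.
    request_auth, ident = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(ident, secret, mac, mac, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"result": "timeout", "seconds": round(time.monotonic() - start, 2)}
    return {"result": classify_reply(resp, request_auth, secret),
            "seconds": round(time.monotonic() - start, 2)}
```

Run it as `probe_reject_delay("192.0.2.10", b"shared-secret", "001122334455")` with your own CPPM address, secret and an unknown MAC; a result of `Access-Reject` after roughly 31 seconds reproduces the behaviour in this thread, while `timeout` means the NAS-side timer expired first.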


  • 4.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted May 13, 2016 03:15 PM

    Thank you so much for posting your follow-ups!  This was driving me crazy, and if it hadn't been for your post, I very probably would have lost my mind.

     

    I actually logged into this site for the first time just to give kudos to this post, your replies, and to post here to say THANK YOU!