Occasional Contributor I

CPPM timeout received instead of ACCESS-REJECT

Hi

I deployed a CPPM solution for 802.1X and MAB auth. Everything works, but I have one issue - CPPM doesn't respond to requests with a bad password/unknown MAC.

My service & Policies configuration:

Authentication Method: Allow All MAC AUTH
Authentication Source: Endpoint Repository
Enforcement Type: RADIUS
Enforcement Policy: (Authentication:MacAuth EQUALS KnownClient) => Enforcement Profile: Allow Access Profile
Default Profile: Deny Access Profile

1) The above service 'TEST MAC' is configured, and my RADIUS MAC-Auth request matches that SERVICE rule, which I can see in the syslog from CPPM and in Access-Tracker:

Syslog returns: Service classification result = TEST MAC

Access-Tracker returns:

    Output
        Enforcement Profiles: [Deny Access Profile]
        System Posture Status: UNKNOWN (100)
        Audit Posture Status: UNKNOWN (100)

    Alerts
        Error Code: 206
        Error Category: Authentication failure
        Error Message: Access denied by policy

        Alerts for this Request
        RADIUS [Endpoints Repository] - localhost: User not found.
        Applied 'Reject' profile

2) The request doesn't match the Enforcement Policy, as the MAC is not known, so the Enforcement Profile Deny Access Profile is used.

And my RADIUS client doesn't receive any response, just a RADIUS timeout. I adjusted the timeout to as much as 30 seconds, but there was no response at all. I tested the same scenario with FreeRADIUS, which responds with Access-Reject to an unknown user/MAC, and I'm expecting the same behavior from CPPM. What should I change to achieve this?

I'm using ClearPass Policy Manager 6.5.5.78974

Occasional Contributor I

Re: CPPM timeout received instead of ACCESS-REJECT

Just want to add that earlier I used the below radius-server settings on the client/network devices requesting auth with CPPM:

radius-server retransmit 1
radius-server timeout 10

And 10 seconds was too short a time to wait for the CPPM/RADIUS response. I increased the timeout to two minutes (120 seconds) and finally got an ACCESS-REJECT response, but AFTER 31 seconds of waiting!

Can I adjust these timeouts somewhere within CPPM, or tell CPPM to respond more quickly?

Occasional Contributor I

Re: CPPM timeout received instead of ACCESS-REJECT

I was digging and found the source of the problem. There is a variable 'Reject Packet Delay' (in the Security section) under Administration » Server Manager » Server Configuration - CPPM -> Service Parameters -> Radius Server.

The default value of this variable is '1' second. If I set it to 0 seconds, then CPPM RADIUS sends ACCESS-REJECT asap. If it's set to >0, then CPPM replies after 'Maximum Request Time' + 'Reject Packet Delay' seconds, which means 30 + 1 = 31 seconds. But why does it take 'Maximum Request Time' into account? Is it a bug or expected behavior?

Rob
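The two posts above describe the same failure from both ends: the NAS gives up after its `radius-server timeout`/`retransmit` window, while the server only sends its Access-Reject after 'Maximum Request Time' + 'Reject Packet Delay'. The following probe is an added example, not code from this thread or from ClearPass: it builds a MAB-style Access-Request (User-Name and User-Password set to the MAC, with a Message-Authenticator), times how long a server takes to answer, validates the Response Authenticator before trusting the reply, and includes the client-side arithmetic for the timeout window. The server address, shared secret and MAC are constructed placeholders, and the function `nas_waits_long_enough` assumes the NAS sends the request once plus `retransmit` retries of `timeout` seconds each.

```python
"""Added example, not from the thread: a small RADIUS probe that sends a
MAB-style Access-Request and measures how long the server takes to answer,
plus the client-side arithmetic for 'radius-server timeout/retransmit'.
Server address, shared secret and MAC below are constructed placeholders."""
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_ID, ATTR_MSG_AUTH = 1, 2, 32, 80


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: hide User-Password by XOR with chained MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def build_access_request(identifier: int, mac: bytes, secret: bytes,
                         authenticator: bytes, nas_id: bytes = b"probe") -> bytes:
    """MAB request: User-Name and User-Password both carry the MAC address;
    a Message-Authenticator (HMAC-MD5 over the whole packet) is appended."""
    attrs = b""
    for typ, val in ((ATTR_USER_NAME, mac),
                     (ATTR_USER_PASSWORD, encrypt_password(mac, secret, authenticator)),
                     (ATTR_NAS_ID, nas_id)):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    ma_value_at = 20 + len(attrs) + 2          # offset of the 16 HMAC bytes in the packet
    attrs += struct.pack("!BB", ATTR_MSG_AUTH, 18) + b"\x00" * 16
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
                       + authenticator + attrs)
    packet[ma_value_at:ma_value_at + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Re-check Message-Authenticator the way the server does: zero the field, HMAC the packet."""
    pos = 20
    while pos + 2 <= len(packet):
        typ, ln = packet[pos], packet[pos + 1]
        if ln < 2:
            return False
        if typ == ATTR_MSG_AUTH and ln == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                                       packet[pos + 2:pos + 18])
        pos += ln
    return False


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server-side reply (used here to mock a reply offline): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, secret: bytes, request_auth: bytes):
    """Return (code name, authenticator_valid). A reply that fails the check is
    treated exactly like no reply at all."""
    if len(packet) < 20:
        return None, False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None, False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return CODE_NAMES.get(code, f"code {code}"), hmac.compare_digest(expected, packet[4:20])


def time_reply(server, secret: bytes, mac: bytes, wait_s: float = 40.0):
    """Send one MAB Access-Request and return (result, seconds waited)."""
    authenticator, identifier = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(identifier, mac, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(wait_s)
        start = time.monotonic()
        sock.sendto(request, server)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", time.monotonic() - start
    name, ok = verify_response(data, secret, authenticator)
    return (name if ok else "bad-response-authenticator"), time.monotonic() - start


def nas_waits_long_enough(timeout_s: float, retransmit: int, server_delay_s: float) -> bool:
    """Assumption: the NAS sends the request once plus `retransmit` retries, each
    waiting `timeout_s`; the server's reply must arrive inside that total window."""
    return (retransmit + 1) * timeout_s >= server_delay_s


if __name__ == "__main__":
    # Placeholders: point at a lab server and use its real shared secret.
    result, waited = time_reply(("192.0.2.10", 1812), b"SHARED_SECRET_PLACEHOLDER", b"001122334455")
    print(f"{result} after {waited:.1f}s")
```

Run it against a lab server with a MAC that is not in the endpoint repository: with the default 'Reject Packet Delay' the probe should report `Access-Reject` after roughly 31 seconds, and with the delay set to 0 it should come back almost immediately. The authenticator checks matter because a NAS that accepts an unauthenticated reply would let anyone on the path forge an Access-Accept, so a bad authenticator is reported separately rather than counted as a valid answer.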


Occasional Contributor I

Re: CPPM timeout received instead of ACCESS-REJECT

Thank you so much for posting your follow-ups! This was driving me crazy, and if it hadn't been for your post, I very probably would have lost my mind.

I actually logged into this site for the first time just to give kudos to this post and your replies, and to post here to say THANK YOU!
