03-29-2016 11:07 AM
I deployed a CPPM solution for 802.1X and MAB auth. Everything works, but I have one issue: CPPM doesn't respond to requests with a bad password/unknown MAC.
My service & Policies configuration:
Authentication Method Allow All MAC AUTH
Authentication Source Endpoint Repository
Enforcement Type RADIUS
Enforcement Policy (Authentication:MacAuth EQUALS KnownClient) => Enforcement Profile Allow Access Profile
Default Profile Deny Access Profile
1) The above service 'TEST MAC' is configured, and my RADIUS MAC-Auth request matches that service rule, which I can see in syslog from CPPM and in Access Tracker:
Syslog returns: Service classification result = TEST MAC
Access-Tracker returns: Output
Enforcement Profiles: [Deny Access Profile]
System Posture Status: UNKNOWN (100)
Audit Posture Status: UNKNOWN (100)
Error Code: 206
Error Category: Authentication failure
Error Message: Access denied by policy
Alerts for this Request
RADIUS [Endpoints Repository] - localhost: User not found.
Applied 'Reject' profile
2) The request doesn't match the Enforcement Policy, as the MAC is not known, so the Enforcement Profile 'Deny Access Profile' is used.
And my RADIUS client doesn't receive any response, just a RADIUS timeout. I adjusted the timeout even to 30 seconds, but no response at all. I tested the same scenario with FreeRADIUS, which responds with Access-Reject to an unknown user/MAC, and I'm expecting the same behaviour from CPPM. What should I change to achieve this?
I'm using ClearPass Policy Manager 220.127.116.11974
03-29-2016 12:00 PM
Just want to add that earlier I used the radius-server settings below on the client/network devices requesting auth from CPPM:
radius-server retransmit 1
radius-server timeout 10
And 10 seconds was too short a time to wait for the CPPM/RADIUS response. I increased the timeout to two minutes (120 seconds) and finally got an ACCESS-REJECT response, but AFTER 31 seconds of waiting!
Can I adjust these timeouts somewhere within CPPM, or tell CPPM to respond more quickly?
03-29-2016 01:14 PM
I was digging and found the source of the problem. There is a variable 'Reject Packet Delay' (in the Security section) under Administration » Server Manager » Server Configuration - CPPM -> Service Parameters -> RADIUS Server.
The default value of this variable is '1' second. If I set it to 0 seconds, then the CPPM RADIUS server sends ACCESS-REJECT as soon as possible. If it's set to >0, then CPPM replies after 'Maximum Request Time' + 'Reject Packet Delay' seconds, which means 30 + 1 = 31 seconds. But why does it take 'Maximum Request Time' into account? Is it a bug or expected behavior?
05-13-2016 12:14 PM
Thank you so much for posting your follow-ups! This was driving me crazy, and if it hadn't been for your post, I very probably would have lost my mind.
I actually logged into this site for the first time just to give kudos to this post, your replies, and to post here to say THANK YOU!