Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal users being asked to authenticate frequently

  • 1.  Captive portal users being asked to authenticate frequently

    Posted Dec 06, 2016 01:35 PM

    Looking for advice on resolving an issue where users are needlessly prompted for authentication.

     

    It's a dot1x captive portal. (ClearPass, not Controller)

    MAC caching is done on a post-auth enforcement profile. The expiration is set to a period of six months, yet users are prompted to sign in multiple times per day.

     

    It would be great if we had a repeatable failure, but so far we cannot identify what conditions trigger the issue.

     

    Any thoughts or ideas are appreciated.


  • 2.  RE: Captive portal users being asked to authenticate frequently

    EMPLOYEE
    Posted Dec 06, 2016 01:39 PM

    So the users are using their credentials for 802.1X authentication and then the same credentials again on the captive portal? 



  • 3.  RE: Captive portal users being asked to authenticate frequently

    Posted Dec 06, 2016 01:51 PM

    No, let me clarify.

     

    The users enter their Active Directory credentials on a captive portal. Sign in works fine. Then after some period of time, they lose access and are again prompted to sign in.

    The goal is to provide a session that survives for months at a time.



  • 4.  RE: Captive portal users being asked to authenticate frequently

    EMPLOYEE
    Posted Dec 06, 2016 01:54 PM
    Can you please post screenshots of your role map and enforcement policies for your MAC-Auth and Web Login services?


  • 5.  RE: Captive portal users being asked to authenticate frequently

    Posted Dec 06, 2016 05:44 PM

    Cappalli,

     

    I wish I could be more certain about which profiles and policies are in effect. It looks like the integrator dumped the entire Aruba Solution Exchange into our system. So there are many profiles existing which are not in use.

     

    Is there a way I can determine which profiles and policies are at play with a certain SSID?



  • 6.  RE: Captive portal users being asked to authenticate frequently

    MVP
    Posted Dec 07, 2016 10:19 AM

    Easiest way to start troubleshooting is to get a spare laptop and simulate the issues yourself.

     

    After authenticating (with AD credentials) you can log onto ClearPass, open Access Tracker and filter for that spare laptop's MAC address to see all its authentications.

    That will basically show you what service is used along with a lot of other information. Basically Access Tracker is your best bet at troubleshooting authentication issues with ClearPass.

    If your users are forced to reauthenticate with their AD credentials then surely something is wrong with your MAC authentication.

    Do you see any MAC authentications happening in Access Tracker? If not, your MAC auth configuration on the controller or switch is missing! You need this to do MAC caching.

     

    If you see a lot of rejects, see what service they match. Is this the correct service? If it is, why is it failing?

     

    Depending on what you find using this, we will need additional info again.



  • 7.  RE: Captive portal users being asked to authenticate frequently

    Posted Dec 07, 2016 12:12 PM

    Koen, thanks for the info on Access Tracker. That helped me find the relevant service for MAC auth.

     

    The error message seems to suggest something is wrong with the MAC caching. "faied to get value for attributes=[Days-Since-Auth]"


  • 8.  RE: Captive portal users being asked to authenticate frequently

    EMPLOYEE
    Posted Dec 07, 2016 12:24 PM

    You may want to consider rebuilding this to use the MAC-Auth Expiry method instead of Insight.



  • 9.  RE: Captive portal users being asked to authenticate frequently

    EMPLOYEE
    Posted Dec 07, 2016 10:31 AM

    There should be a MAC authentication service and a RADIUS web login service for this setup. Feel free to post a screenshot of your service list if you can't find them.