12-06-2016 10:35 AM
Looking for advice on resolving an issue where users are needlessly prompted for authentication.
It's a dot1x captive portal. (Clearpass, not Controller)
MAC caching is done on a post-auth enforcement profile. The expiration is set to a period of six months, yet users are prompted to sign in multiple times per day.
It would be great if we had a repeatable failure, but so far cannot identify what conditions trigger the issue.
Any thoughts or ideas are appreciated.
12-06-2016 10:38 AM
So the users are using their credentials for 802.1X authentication and then the same credentials again on the captive portal?
12-06-2016 10:51 AM
No, let me clarify.
The users enter their Active Directory credentials on a captive portal. Sign in works fine. Then after some period of time, they lose access and are again prompted to sign in.
The goal is to provide a session that survives for months at a time.
12-06-2016 10:53 AM
for your MAC-Auth and Web Login services?
12-06-2016 02:43 PM
I wish I could be more certain about which profiles and policies are in effect. It looks like the integrator dumped the entire Aruba Solution Exchange into our system. So there are many profiles existing which are not in use.
Is there a way I can determine which profiles and policies are at play with a certain SSID?
12-07-2016 07:19 AM
Easiest way to start troubleshooting is to get a spare laptop and simulate the issues yourself.
After authenticating (with AD credentials) you can log onto Clearpass, open Access Tracker and filter for that spare laptop's MAC address to see all its authentications.
That will basically show you what service is used along with a lot of other information. Basically Access Tracker is your best bet at troubleshooting authentication issues with Clearpass.
If your users are forced to reauthenticate with their AD credentials then surely something is wrong with your MAC authentication.
Do you see any MAC authentications happening in Access Tracker? If not, your MAC auth configuration on the controller or switch is missing! You need this to do MAC caching.
If you see a lot of rejects, see what service they match. Is this the correct service? If it is, why is it failing?
Depending on what you find using this, we will need additional info again.
12-07-2016 07:31 AM
There should be a MAC authentication service and a RADIUS web login service for this setup. Feel free to post a screenshot of your service list if you can't find them.
12-07-2016 09:11 AM
12-07-2016 09:24 AM
You may want to consider rebuilding this to use the MAC-Auth Expiry method instead of Insight.