
ClearPass 6.5 with mac-caching auth an expired user can still connect

  • 1.  ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 19, 2015 10:34 AM

    Hi all,

     

    I'm using CPPM 6.5 for a hotspot SSID with guest self-registration, social login and MAC auth/caching.

    My issue is that when a guest account expires, the client is still able to access the network and the login status in the Access Tracker is Accept.

     

    In the Alerts tab I get this message: "Policy server Failed to get value for attributes=[AccountEnabled, AccountExpired]". It seems like it is not able to read the Guest User Repository DB to look up those values.

     

    I've created the two MAC authentication rules using the "Guest authentication with MAC caching" template.

     

    I've looked around here in the community as well, but I'm not able to find anything and I'm stuck with the problem.

     

    Anyone with the same issue?

     

    Thank you.

     

    Cheers,

    Gabriel



  • 2.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 19, 2015 10:37 AM

    Do you have the guest user repository as an authorization source for the MAC-auth service?



  • 3.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 19, 2015 10:41 AM

    Hi Tim,

     

    Yes, I have, as in the screenshot below:

     

    Cattura.JPG



  • 4.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 19, 2015 11:18 AM
    Please post your role mapping and enforcement policies.


  • 5.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 19, 2015 11:23 AM

    Sure, here below are both screenshots:

    Role.JPG

     

    Enforcement.JPG

    Gabriel



  • 6.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 19, 2015 11:30 AM

    Hm. Can you post the access tracker request with the different tabs?



  • 7.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 03:11 AM

    Here are all the screenshots:

     

    1summary.JPG

    2input.JPG

    2input2.JPG

    2input3.JPG

    3output.JPG

    4Alerts.JPG

     

    Gabriel



  • 8.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 09:25 AM

    ClearPass is working as expected. The captive portal role is being returned in the RADIUS response. The problem is on the controller side. Does the Aruba User role match exactly: guestlogin?

     

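The first half of this diagnosis (ClearPass is returning the captive-portal role) can be checked from a packet capture. The following is an added example, not code from the thread or from HPE Aruba: it decodes a RADIUS Access-Accept and extracts the Aruba-User-Role VSA (vendor 14823, attribute 1, which are the standard Aruba dictionary values). The packet bytes are constructed inline; the authenticator is zeroed and not validated.

```python
import struct

ARUBA_VENDOR_ID = 14823     # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1         # Aruba-User-Role VSA type (string)
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26

def parse_attributes(payload):
    """Yield (type, value) pairs from a RADIUS attribute list."""
    i = 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen

def aruba_user_roles(packet):
    """Return (code, [roles]) for every Aruba-User-Role VSA in a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    roles = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != ARUBA_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == ARUBA_USER_ROLE:
                roles.append(vvalue.decode("ascii"))
    return code, roles

def build_accept(role):
    """Constructed Access-Accept carrying one Aruba-User-Role (authenticator zeroed)."""
    inner = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode("ascii")
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    attr = bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16)
    return header + attr

def expired_guest_is_quarantined(packet, portal_role="guestlogin"):
    """True when the reply is an Accept whose only role is the captive-portal role."""
    code, roles = aruba_user_roles(packet)
    return code == ACCESS_ACCEPT and roles == [portal_role]
```

A reply that passes this check only proves the ClearPass side; whether the IAP actually applies a captive-portal rule to the role named in the VSA is configured on the IAP and is not visible in the packet, which is the second half of the diagnosis above.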


  • 9.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 09:34 AM

    Hi Zach,

    As I'm using Instant APs managed by AirWave, I can't find where I can configure that in the group Instant config tab.

     

    But shouldn't it be ClearPass that automatically rejects the connection (because the user is expired), so that the client goes to the captive portal?

     

    Thank you.

    Gabriel



  • 10.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect
    Best Answer

    EMPLOYEE
    Posted Aug 20, 2015 09:46 AM

    Sorry, I made a mistake and edited my post. Can you not configure the guestlogin role in Airwave instant config?



  • 11.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 09:49 AM

    No worries, here is what I found in the AirWave Instant configuration:

     

    Role.JPG

    Is that correct?

     

    Thanks,

    Gabriel



  • 12.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 09:52 AM

    Looks like you are missing the Enforce Captive Portal rule. Can you add that in Access Rules?



  • 13.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 10:09 AM

    I don't see any Enforce Captive Portal rule; I can only make my custom rule here, or Role.

     

    I thought it was the guestlogin access rule, but actually I've deleted it and recovered the original config, and added the aruba-user-role parameter into the pre-authentication role, as follows:

    Role.JPG

     

    Thanks,

    Gabriel



  • 14.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 10:19 AM

    Ok, you need to upgrade your IAP firmware version. Here is the option if your IAP is running 4.1.1 as this one is (see version at the bottom right):

     

    Screen Shot 2015-08-20 at 10.16.44 AM.png



  • 15.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 10:41 AM

    I've made the configuration change, deleted the device MAC address from the endpoint table and disassociated it.

     

    Re-running the test, I'm still facing the same issue: once I change the created user's status to "expired", the device is still able to access the network via the MAC caching rule.

    At least I no longer have the "Alert" tab in the Access Tracker status.

     

    Thank you,

    Gabriel



  • 16.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 10:45 AM

    Can you post a screenshot of the Input tab authorization section from access tracker?



  • 17.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 10:52 AM

    Here they are:

    Input1.JPG

    Input2.JPG

    Input3.JPG

    Input4.JPG

    Thanks,

    Gabriel



  • 18.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 10:57 AM

    IIRC we didn't add multiple captive portal roles until Instant 4.x.x. So, even if they are getting this guestlogin role, they won't get a captive portal until you upgrade and add the Captive Portal rule to their role.



  • 19.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 20, 2015 11:02 AM

    @zjennings wrote:

    IIRC we didn't add multiple captive portal roles until Instant 4.x.x. So, even if they are getting this guestlogin role, they won't get a captive portal until you upgrade and add the Captive Portal rule to their role.


    Zach, is this post for me? I'm running all the latest version on every device in my lab.

     

    Gabriel



  • 20.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    EMPLOYEE
    Posted Aug 20, 2015 12:56 PM

    Yes, it was meant for you. If you don't have the option to add a captive portal rule on the user role, then something is wrong. Is the enforcement still passing back guestlogin?

     

    What version of AMP are you running? Is the user getting the correct role after their account is expired? Can you search for that MAC address in AMP and show us what the auth history looks like?



  • 21.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 24, 2015 04:20 AM

    Yes, the RADIUS response is still passing it.

     

    I'm using 8.0.9, and now the device is getting the portal role, but it still has access.

     

    Thanks,

    Gabriel



  • 22.  RE: ClearPass 6.5 with mac-caching auth an expired user can still connect

    Posted Aug 24, 2015 06:57 AM

    I've made the guestlogin config change and thought about the whole issue, and that was the problem, associated with the enforce captive portal rule.

     

    Thank you very much for your support guys.

     

    Have a good one.

     

    Cheers,

    Gabriel