Contributor I
Posts: 20
Registered: ‎08-10-2015

ClearPass 6.5 with mac-caching auth an expired user can still connect

Hi all,

I'm using CPPM 6.5 for a hotspot SSID with guest self-registration, social login and mac-auth/caching.

My issue is that when a guest account expires, the client is still able to access the network and the login status in the access tracker is accept.

In the alert tab I got this message: "Policy server Failed to get value for attributes=[AccountEnabled, AccountExpired]". It seems like it is not able to read the Guest user repository DB to look for those values.

I've created the 2 mac authentication rules using the "Guest authentication with mac caching" template.

I've looked around here in the community as well but I'm not able to find anything and I'm stuck with the problem.

Anyone with the same issue?

Thank you.

Cheers,

Gabriel

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Do you have the guest user repository as an authorization source for the MAC-auth service?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Hi Tim,

Yes, I have, as in the screenshot below:

Cattura.JPG

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Please post your role mapping and enforcement policies.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Sure, here are both screenshots below:

Role.JPG

Enforcement.JPG

Gabriel

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Hm. Can you post the access tracker request with the different tabs?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Here are all the screenshots:

1summary.JPG

2input.JPG

2input2.JPG

2input3.JPG

3output.JPG

4Alerts.JPG

Gabriel

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

[ Edited ]

ClearPass is working as expected. The captive portal role is being returned in the RADIUS response. The problem is on the controller side. Does the Aruba User role match exactly: guestlogin?

Thanks,

Zach Jennings

Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

[ Edited ]

Hi Zach,

As I'm using Instant APs managed by Airwave, I can't find where I can configure that in the group instant config tab.

But shouldn't it be ClearPass that automatically rejects the connection (because the user is expired), so that the client goes to the captive portal?

Thank you.

Gabriel

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Sorry, I made a mistake and edited my post. Can you not configure the guestlogin role in Airwave instant config?

Thanks,

Zach Jennings