Occasional Contributor II
Posts: 16
Registered: ‎11-29-2012

ClearPass mac auth over oracle database

Hello,

I'm trying to configure ClearPass with MAC auth over an Oracle DB.

ClearPass gets a VLAN from oracleserver and sends it to the switch.

It works if the MAC address exists in the database (CP says ACCEPTED and the switch gets this VLAN).

But when the MAC address does not exist, CP says ACCEPTED anyway.

Does anyone have an idea how to reject unknown MACs?

Services.png

Sources.png

Profiles.png

Policies.png

Access_Tracker.png

Guru Elite
Posts: 20,410
Registered: ‎03-29-2007

Re: ClearPass mac auth over oracle database

If you have a mac authentication method, you need to make sure "Allow unknown End-Hosts" is unchecked.

 

mac-auth.JPG



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 16
Registered: ‎11-29-2012

Re: ClearPass mac auth over oracle database

Thank you for the response, but it did not help.

 

I use [Allow All MAC AUTH], where "Allow unknown End-Hosts" is enabled by default.

By using [MAC AUTH] instead, I get an authentication failure (Error Code 216), even from the client whose MAC already exists in the Oracle database.

 

2015-07-23 06:51:50,613 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 148:98:00085d21e137
2015-07-23 06:51:50,621 	[RequestHandler-1-0x7fc88c9e4700 r=psauto-1420542151-42596 h=223 r=R00002253-01-55b072e6] INFO Core.ServiceReqHandler - Service classification result = Wired_MAC_Authentication
2015-07-23 06:51:50,623 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Wired_MAC_Authentication"
2015-07-23 06:51:50,623 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_sql: searching for user 00085D21E137 in Sql:oracleserver
2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): Error getting data from database
2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): SQL query error; rejecting user
2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_macauth: Rejecting MAC auth request from Unknown/Disabled client
2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.

 

PS: I forgot to mention that Policy Manager version is 6.3.6

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: ClearPass mac auth over oracle database

What format are the MAC addresses stored in your database?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 16
Registered: ‎11-29-2012

Re: ClearPass mac auth over oracle database

Hi Tim,

 

AB CD EF 12 34 56 and in Authentication/Sources/Oracle I use a Filter to convert it to

AB:CD:EF:12:34:56 that corresponds to Connection:Client-Mac-Address-Colon (shown in Sources.png above)

 

This works quite well: I get the proper VLAN for the MAC if the MAC address exists in the database, and it will be ACCEPTED.

The issue is that when the MAC does not exist in the database, I get ACCEPTED anyway (Access_Tracker.png).
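
A triage script for log excerpts like the one posted earlier in this thread, added here as an example (it is not from the thread participants or from Aruba): it groups lines by SessId and reports whether a MAC-auth reject followed an rlm_sql error, and prints the searched MAC in the colon and space-separated forms mentioned above. The function names, verdict labels, and the last sample line (session `CONSTRUCTED-0001`) are assumptions made for illustration.

```python
import re

# First four lines are copied from the log in this thread (whitespace normalized);
# the last line is constructed to show a reject with no preceding SQL error.
SAMPLE_LOG = """\
2015-07-23 06:51:50,623 [Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Wired_MAC_Authentication"
2015-07-23 06:51:50,623 [Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_sql: searching for user 00085D21E137 in Sql:oracleserver
2015-07-23 06:51:50,637 [Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): SQL query error; rejecting user
2015-07-23 06:51:50,637 [Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_macauth: Rejecting MAC auth request from Unknown/Disabled client
2015-07-23 06:52:10,101 [Th 44 Req 10376 SessId CONSTRUCTED-0001] INFO RadiusServer.Radius - rlm_macauth: Rejecting MAC auth request from Unknown/Disabled client
"""

LINE = re.compile(r"SessId (?P<sid>\S+)\] (?P<level>\w+) \S+ - (?P<module>rlm_\w+)[^:]*: (?P<msg>.*)")
SEARCH = re.compile(r"searching for user (?P<mac>[0-9A-Fa-f]{12}) in (?P<source>\S+)")

def spaced(mac, sep):
    """Re-delimit a 12-hex-digit MAC with sep (':' or ' ')."""
    return sep.join(mac[i:i + 2] for i in range(0, 12, 2)).upper()

def triage(log_text):
    """Return {session_id: summary} for every session seen in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"mac": None, "source": None,
                                           "sql_error": False, "rejected": False})
        hit = SEARCH.search(m["msg"])
        if hit:
            s["mac"], s["source"] = hit["mac"].upper(), hit["source"]
        if m["module"] == "rlm_sql" and m["level"] == "ERROR":
            s["sql_error"] = True   # the lookup itself failed
        if m["module"] == "rlm_macauth" and m["msg"].startswith("Rejecting"):
            s["rejected"] = True
    for s in sessions.values():
        if s["rejected"]:
            s["verdict"] = "rejected_after_sql_error" if s["sql_error"] else "rejected_no_sql_error"
        else:
            s["verdict"] = "no_reject_logged"
        if s["mac"]:  # forms to compare against the stored rows and the filter
            s["colon_form"], s["db_form"] = spaced(s["mac"], ":"), spaced(s["mac"], " ")
    return sessions

if __name__ == "__main__":
    for sid, summary in triage(SAMPLE_LOG).items():
        print(sid, summary)
```

A session flagged `rejected_after_sql_error` points at the query or the database connection rather than at a missing row, so the filter query is the first thing to check.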
