MVP
Posts: 1,405
Registered: 11-30-2011

ClearPass unauthenticated users enforcement

I'm looking at a scenario where I want to do something (assign a VLAN) to users who don't show up in any of the authentication sources. Is there anything special I have to do to make this happen?

I would assume that just having an enforcement profile that does this as the default should be enough. Or is the fact that the authentication lookup part fails the cause of this not working?

Aruba Employee
Posts: 571
Registered: 04-17-2009

Re: ClearPass unauthenticated users enforcement

Instead of using the default enforcement profile of "Deny Access Profile," just create a new one. Use that enforcement profile as the default to put them on an "all else fails" VLAN. In my example below, I created a profile called "Guest_VLAN." If a user fails auth, they get this VLAN.

[Screenshot: cp_enf_def_profile.JPG]

Thanks,

Zach Jennings
MVP
Posts: 1,405
Registered: 11-30-2011

Re: ClearPass unauthenticated users enforcement

That is pretty much what I did, and I did get the enforcement profile I expected to see at Access Tracker > Request Details > Summary when checking with a random non-existent user.

But it does show the line as REJECT in the Access Tracker, and there are warnings about the user not existing in the checked authentication sources (which makes sense, of course). When looking at the 802.1X authenticator device I see it gets an Access-Reject message.

What could cause this, if it should work in principle?

MVP
Posts: 1,405
Registered: 11-30-2011

Re: ClearPass unauthenticated users enforcement

OK, riddle me this: I created the most basic wired service, needed an authentication source so used the local DB, and gave it a default Allow Access enforcement profile. But still the request ends up in the Access Tracker as REJECT, and I guess therefore an Access-Reject is sent to the 802.1X authenticator, making access impossible.

Access Tracker shows the correct enforcement profile:

Enforcement Profiles: [Allow Access Profile]

Aruba Employee
Posts: 571
Registered: 04-17-2009

Re: ClearPass unauthenticated users enforcement


boneyard wrote:

OK, riddle me this: I created the most basic wired service, needed an authentication source so used the local DB, and gave it a default Allow Access enforcement profile. But still the request ends up in the Access Tracker as REJECT, and I guess therefore an Access-Reject is sent to the 802.1X authenticator, making access impossible.

Access Tracker shows the correct enforcement profile:

Enforcement Profiles: [Allow Access Profile]


Right, if you set the default to Allow Access Profile, it will use that profile if it fails. So, you always want some sort of deny or guest as the default.

As far as why it didn't work, I'd have to see the full output. Can you post the logs from the failed access request? You can get these by clicking the "Export" button in Access Tracker after clicking on the failed attempt.

Thanks,

Zach Jennings
Aruba Employee
Posts: 571
Registered: 04-17-2009

Re: ClearPass unauthenticated users enforcement


boneyard wrote:

That is pretty much what I did, and I did get the enforcement profile I expected to see at Access Tracker > Request Details > Summary when checking with a random non-existent user.

But it does show the line as REJECT in the Access Tracker, and there are warnings about the user not existing in the checked authentication sources (which makes sense, of course). When looking at the 802.1X authenticator device I see it gets an Access-Reject message.

What could cause this, if it should work in principle?


For your Guest_VLAN, is the profile action set to Accept or Reject?

[Screenshot: cp_enf_guest_vlan_accept.JPG]

Thanks,

Zach Jennings
MVP
Posts: 1,405
Registered: 11-30-2011

Re: ClearPass unauthenticated users enforcement

Guest_vlan profile is set to Accept.

As for the log, here it is:

Request log details for session: R000000af-01-4f9aa391
Time    Message
2012-04-27 15:48:01,006         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
2012-04-27 15:48:01,010         [RequestHandler-1-0x44078940 r=auto-380 h=47 r=R000000af-01-4f9aa391] INFO Core.ServiceReqHandler - Service classification result = Copy_of_wired-802.1x-test
2012-04-27 15:48:01,011         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,012         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,015         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
2012-04-27 15:48:01,025         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,025         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,032         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
2012-04-27 15:48:01,043         [Th 5 Req 954 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,043         [Th 5 Req 954 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,057         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,057         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,059         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
2012-04-27 15:48:01,067         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,067         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,070         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,073         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
2012-04-27 15:48:01,084         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,084         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,087         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,087         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] WARN Common.AuthenticationStatus - populateAuthStatus: Unknown Authentication Status=Failed
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 0019b966c8e2
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3002 entity id = 29
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3002
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3002|entityId=29
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3002|entity=Device
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2012-04-27 15:48:01,093         [RequestHandler-1-0x44078940 h=2767 c=R000000af-01-4f9aa391] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2012-04-27 15:48:01,094         [RequestHandler-1-0x44078940 h=2769 c=R000000af-01-4f9aa391] INFO Core.PETaskRoleMapping - Roles: Guest]
2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - updateSpt: SPT set to: QUARANTINE force=1
2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PETaskPolicyResult - Update internal roleIds=:
2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PETaskPolicyResult - Update external roles=:
2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2772 c=R000000af-01-4f9aa391] INFO Core.PETaskEnforcement - EnfProfiles: enforcement-prof-vlan-wired-vlan20-basic
2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: enforcement-prof-vlan-wired-vlan20-basic
2012-04-27 15:48:01,098         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2012-04-27 15:48:01,098         [RequestHandler-1-0x44078940 h=2775 c=R000000af-01-4f9aa391] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2012-04-27 15:48:01,100         [RequestHandler-1-0x44078940 h=2777 c=R000000af-01-4f9aa391] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 h=2777 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 h=2776 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2767 c=R000000af-01-4f9aa391] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
2012-04-27 15:48:01,104         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2012-04-27 15:48:01,104         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2012-04-27 15:48:01,113         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,113         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,117         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.

Access Tracker lists the request as REJECT with this alert:

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed
Alerts for this Request:
RADIUS  tdc-01 - tdc-01.test.loc: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

MVP
Posts: 1,405
Registered: 11-30-2011

Re: ClearPass unauthenticated users enforcement

Just had Aruba support confirm this is not possible: a failed authentication means an Access-Reject is sent, so there is no further possibility of getting into another VLAN or such from the ClearPass side.
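Added example, not code from the original thread or from Aruba ClearPass. The log posted above contains two separate decisions that the Access Tracker summary blurs together: the authentication result (the rlm_mschap "FAILED" errors and the "Authentication Status=Failed" line) and the policy-engine result ("EnfProfiles" and "EnfProfileAction=ACCEPT"). The script below parses a request-log export, pulls both out, and applies the rule support confirmed in the last post: once authentication has failed the reply is Access-Reject, whatever enforcement profile the policy engine selected. It flags exactly the situation in this thread, an ACCEPT profile computed for a session that could never be accepted. The regexes, the `SessionOutcome` class and the function names are my own, not a ClearPass API; the first sample log is an excerpt of the lines posted above, the second is a constructed success case used only to show the other branch.

```python
"""Added example (not from the thread or from ClearPass): separate the
authentication outcome from the policy-engine outcome in a ClearPass
request-log export and explain why the RADIUS reply was Access-Reject."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Message shapes taken from the log posted in the thread.
LDAP_SEARCH_RE = re.compile(r"rlm_ldap: searching for user (\S+) in (\S+)")
AUTH_FAIL_RE = re.compile(r"ERROR RadiusServer\.Radius - rlm_mschap: FAILED: (.+)$")
AUTH_STATUS_RE = re.compile(r"populateAuthStatus: Unknown Authentication Status=(\w+)")
ENF_PROFILES_RE = re.compile(r"Core\.PETaskEnforcement - EnfProfiles: (.+)$")
ENF_ACTION_RE = re.compile(r"EnfProfileAction=(\w+)")


@dataclass
class SessionOutcome:
    """Facts recovered from one session's log (hypothetical structure, mine)."""
    user: str | None = None
    auth_sources: set[str] = field(default_factory=set)
    auth_failures: list[str] = field(default_factory=list)
    auth_status: str | None = None
    enforcement_profiles: list[str] = field(default_factory=list)
    enforcement_action: str | None = None

    @property
    def authentication_failed(self) -> bool:
        return bool(self.auth_failures) or self.auth_status == "Failed"

    @property
    def radius_result(self) -> str:
        # Rule from the thread (confirmed by Aruba support): authentication is
        # decided before policy evaluation, and a failed authentication is
        # always answered with Access-Reject, whatever profile policy picked.
        if self.authentication_failed:
            return "Access-Reject"
        if self.enforcement_action == "ACCEPT":
            return "Access-Accept"
        return "Access-Reject"

    @property
    def policy_accept_overridden(self) -> bool:
        """True when policy computed ACCEPT but authentication had already failed."""
        return self.authentication_failed and self.enforcement_action == "ACCEPT"


def analyse(log_text: str) -> SessionOutcome:
    """Scan a request-log export line by line and collect the relevant facts."""
    out = SessionOutcome()
    for line in log_text.splitlines():
        if m := LDAP_SEARCH_RE.search(line):
            out.user, source = m.group(1), m.group(2)
            out.auth_sources.add(source)
        elif m := AUTH_FAIL_RE.search(line):
            out.auth_failures.append(m.group(1).strip())
        elif m := AUTH_STATUS_RE.search(line):
            out.auth_status = m.group(1)
        elif m := ENF_PROFILES_RE.search(line):
            out.enforcement_profiles = [p.strip() for p in m.group(1).split(",")]
        elif m := ENF_ACTION_RE.search(line):
            out.enforcement_action = m.group(1)
    return out


def explain(out: SessionOutcome) -> str:
    """Operator-readable explanation of why the reply came out as it did."""
    if out.policy_accept_overridden:
        return (
            f"user {out.user!r} failed authentication against "
            f"{', '.join(sorted(out.auth_sources))} ({'; '.join(out.auth_failures)}); "
            f"policy selected {out.enforcement_profiles} with action ACCEPT, but the "
            f"reply is {out.radius_result} because authentication failed first"
        )
    return f"user {out.user!r}: {out.radius_result} (policy action {out.enforcement_action})"


# Sample 1: excerpt of the request log posted in the thread (REJECT case).
SAMPLE_LOG = r"""
2012-04-27 15:48:01,012 [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,088 [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-04-27 15:48:01,088 [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2012-04-27 15:48:01,092 [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] WARN Common.AuthenticationStatus - populateAuthStatus: Unknown Authentication Status=Failed
2012-04-27 15:48:01,097 [RequestHandler-1-0x44078940 h=2772 c=R000000af-01-4f9aa391] INFO Core.PETaskEnforcement - EnfProfiles: enforcement-prof-vlan-wired-vlan20-basic
2012-04-27 15:48:01,097 [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-04-27 15:48:01,104 [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
"""

# Sample 2: constructed (not from the thread) success case, same message shapes.
SAMPLE_LOG_OK = r"""
2012-04-27 15:50:00,000 [Th 1 Req 960 SessId R000000b0-01-4f9aa400] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\knownuser in AD:tdc-01.test.loc
2012-04-27 15:50:00,010 [RequestHandler-1-0x44078940 h=2800 c=R000000b0-01-4f9aa400] INFO Core.PETaskEnforcement - EnfProfiles: enforcement-prof-vlan-wired-vlan20-basic
2012-04-27 15:50:00,011 [RequestHandler-1-0x44078940 h=2801 c=R000000b0-01-4f9aa400] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
"""

if __name__ == "__main__":
    print(explain(analyse(SAMPLE_LOG)))
    print(explain(analyse(SAMPLE_LOG_OK)))
```

Run it against a real export (Access Tracker > Request Details > Export) by passing the file contents to `analyse()`; the `policy_accept_overridden` flag is the quick test for "right enforcement profile, wrong outcome" sessions like the one in this thread.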
