02-07-2014 04:27 PM
If a user tries to authenticate to clearpass -> Active Directory, and is using the wrong username, or bad password, is the users automatically rejected because they failed auth or are they given the default user role for the profile? I see the default Radius:Aruba:Aruba-User-Role in the Output> Radius Response in the logs, and was a bit confused. I would think it would not receive any user-role, or a Reject one by default.
Solved! Go to Solution.
02-07-2014 04:46 PM
It depends of what do you have defined as your default Enforcemet profile (Action) under the Enforcement Policy (Decision)
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
02-08-2014 07:51 AM
The enforcement policy is for authorization ONLY. Authentication has to succeed first before the enforcement policy is being evaluated.
Bottom-line: if you enter an incorrect username and/or password you will always be rejected.
ACMX#255 | ACMP | ACCP | AWMP
02-18-2014 02:11 PM
Thanks for the clarification, the problem I was having was that users with clearly bad usernames were showing up on my network. The issue turned out to be not about authentication vs authorization but instead about inner and outer Identities, Androids have the builtin settings to auth with one set of credentials but make visible in the logs a different set. Here is a post with same issue: