Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Guest Blacklisting

  • 1.  Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 12:48 PM

    Was curious as to where the settings are, either in ClearPass or on the controller, that blacklist guests.  Where are the parameters defined?  I created a common guest account for our board members today, and after some failed login attempts, as well as exceeding the unique-device threshold in the service, the common account was blacklisted.  Trying to figure out how CP determines when to blacklist.  Logically it makes sense, but where is the setting?



  • 2.  RE: Clearpass - Guest Blacklisting

    EMPLOYEE
    Posted Mar 21, 2017 12:51 PM
    Are you seeing them in the Blacklisted Users list in ClearPass Policy Manager or are they being blacklisted on the controller?


  • 3.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 12:52 PM

    They are on the blacklisted user list in ClearPass.  Controller blacklist is empty.



  • 4.  RE: Clearpass - Guest Blacklisting

    EMPLOYEE
    Posted Mar 21, 2017 01:32 PM

    We do not automatically blacklist guest users on authentication attempts. Please check your captive portal authentication service to see if you're setting any other session enforcements like bandwidth usage.



  • 5.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 01:53 PM

    I must politely disagree.  The Bandwidth Limit and Session Duration fields were empty on the blacklisted user list. In addition, there was a blacklisted guest user ID that was my test account from yesterday that I used for about 30 seconds.  There is a 5mb bandwidth contract applied to the captive portal authenticated role, but I was nowhere near that amount of throughput.

    Going back to 2014, I found this thread on Airheads with people that had the same issue, but it was never addressed.

     
    http://community.arubanetworks.com/t5/Security/ClearPass-blacklist-guest-users/td-p/217971



  • 6.  RE: Clearpass - Guest Blacklisting

    EMPLOYEE
    Posted Mar 21, 2017 02:00 PM

    Please post your captive portal service enforcement policy and the related enforcement profiles.



  • 7.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 02:29 PM

    Enforcement Policy:

    enforcment policy.JPG

    (The unique device count was originally at 5...changed it to 20 during troubleshooting to accommodate an entire board of directors using the same guest account, thinking this is what stopped them from authenticating and subsequently getting blacklisted)

    Enforcement profiles:

    Guest Session Timeout
    Guest Session Timeout.JPG

    Guest Bandwidth Limit
    Guest Bandwidth Limit.JPG

    Guest Session Limit
    Guest Session Limit.JPG

    Guest MAC Caching
    Guest MAC Caching.JPG

    Guest Do Expire
    Guest Do Expire.JPG

    Guest Expire Post Login
    Guest Expire Post Login.JPG



  • 8.  RE: Clearpass - Guest Blacklisting

    EMPLOYEE
    Posted Mar 21, 2017 02:31 PM

    Do you have any session limits configured on the guest side?



  • 9.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 02:35 PM

    Left it blank.....does a "0" have to go in there??

    session count.JPG



  • 10.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 02:39 PM

    5 users were able to get on okay...the 6th and beyond got denied. At the time that correlated to the Unique Device Count defined in the Service (which was why I changed it from 5 to 20).  So I'm not sure if it's unique device count or # of sessions.  At any rate, when does blacklisting take place?  



  • 11.  RE: Clearpass - Guest Blacklisting

    EMPLOYEE
    Posted Mar 21, 2017 02:39 PM
    Hm. OK. Please open a TAC case so they can troubleshoot in real-time.


  • 12.  RE: Clearpass - Guest Blacklisting

    Posted Mar 21, 2017 02:40 PM

    Will do.  Thank you kindly for your help.