Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest w/MAC caching - Guests can still login after account is expired

  • 1.  Clearpass Guest w/MAC caching - Guests can still login after account is expired

    Posted Aug 21, 2017 07:55 AM

    I am working on getting Clearpass Guest with MAC caching working.  I am using Aruba Instant AP. 

     

    I've got the MAC caching working, but when the user's account is supposed to expire, they are still able to get on via mac cache.

     

    In access tracker on the alerts tab, I see the following message:

    Failed to get value for attributes=[AccountEnabled, AccountExpired]

     

    The strange thing is that when the user is within their expiration time, those attributes are getting passed in the authorization attributes for that same service.

     

    On another side note, in the "active sessions" within Clearpass Guest, it is showing the MAC address instead of their user ID.  I would like it to show their user ID.  It is also showing "0 bytes" on session uploads/downloads.



  • 2.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    EMPLOYEE
    Posted Aug 21, 2017 09:30 AM

    Please post screenshots of the access tracker request and the role mapping and enforcement policies from your MAC authentication service.



  • 3.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    Posted Aug 21, 2017 09:45 PM

    (Screenshots attached: seven Access Tracker views, the enforcement policy, the enforcement profile and the role mapping.)



  • 4.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    EMPLOYEE
    Posted Aug 21, 2017 09:57 PM

    Make sure you have Guest User Repository as an additional authorization source on the authorization tab.

     

    Also, just a tip (has nothing to do with your issue). [Brackets] are reserved for built-in profiles. It's not recommended to use them in custom profile names. 




  • 5.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired
    Best Answer

    EMPLOYEE
    Posted Aug 22, 2017 02:38 AM

    From the screenshots, you can see that the user gets just the roles [Guest] and [User Authenticated]. The mac caching role does not kick in, which is correct as the MAC-Auth Expiry (2017-08-19 17:00:00) is before the Now DT (2017-08-21 15:00:00); according to rule 1 in the role mapping.

     

    Then, if you look in the Enforcement Profile, you can see that the first rule is 'always true' for MAC Authentication (Authentication:Username EQUALS %{Radius:IETF-User-Name}). So that rule matches, and provides access to the guest, regardless of MAC Caching status which is only evaluated in rule 2.

     

    So you have the wrong Enforcement Profile selected, or the access is matching the wrong service. In my ClearPass the enforcement profile looks something like this:

    (Screenshot attached: ClearPass Policy Manager enforcement profile, 2017-08-22.)

    I don't know how you got to your enforcement policy, but that is where the issue seems to be.

     

    I posted some videos on how I setup my ClearPass in this Workshop video series. If you watch the Guest section (5 videos), much is covered, and it may help you setting up ClearPass Guest with MAC Caching.


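The evaluation Herman walks through above (the role mapping not assigning the MAC caching role once MAC-Auth Expiry is in the past, and the first-match enforcement policy whose rule 1 is always true for a MAC authentication) can be modelled in a few lines. The following is an added example, not ClearPass code or anything posted in the thread: it is a plain first-match evaluator with the attribute names the thread quotes, the timestamps from the screenshots, and a constructed MAC address and rule names. The "fixed" policy is one reasonable shape for a MAC-auth service, not a transcript of Herman's screenshot.

```python
from datetime import datetime

# Added example (not ClearPass code): a small first-match model of the role
# mapping and enforcement policy discussed in the thread.  Attribute names
# follow what the thread quotes; the rule names, the sample MAC address and
# the STILL_VALID timestamp are constructed for this example.

DEFAULT_ROLES = ("[Guest]", "[User Authenticated]")


def role_mapping(attrs, now):
    """Rule 1 of the role mapping: grant the MAC caching role only while
    Endpoint:MAC-Auth Expiry is later than the current time (Now DT)."""
    roles = list(DEFAULT_ROLES)
    expiry = attrs.get("Endpoint:MAC-Auth Expiry")
    if expiry is not None and expiry > now:
        roles.append("[MAC Caching]")
    return roles


def first_match(policy, attrs, roles):
    """Evaluate a first-match enforcement policy: the first rule whose
    condition holds decides; otherwise the policy's default profile applies."""
    for name, condition, profile in policy["rules"]:
        if condition(attrs, roles):
            return profile, name
    return policy["default"], "default"


# The policy from the screenshots: rule 1 tests
# Authentication:Username EQUALS %{Radius:IETF-User-Name}, which is always
# true for a MAC authentication (both hold the MAC address), so rule 2 never
# gets the chance to deny an expired cache entry.
BROKEN_POLICY = {
    "rules": [
        ("rule 1: username equals IETF-User-Name",
         lambda a, r: a["Authentication:Username"] == a["Radius:IETF-User-Name"],
         "[Allow Access Profile]"),
        ("rule 2: MAC caching role",
         lambda a, r: "[MAC Caching]" in r,
         "[Allow Access Profile]"),
    ],
    "default": "[Deny Access Profile]",
}

# A corrected MAC authentication policy: only the role that the role mapping
# derives from a still-valid MAC-Auth Expiry grants access; everything else
# falls through to the deny default.
FIXED_POLICY = {
    "rules": [
        ("rule 1: MAC caching role",
         lambda a, r: "[MAC Caching]" in r,
         "[Allow Access Profile]"),
    ],
    "default": "[Deny Access Profile]",
}


def mac_auth_request(mac, expiry):
    """Constructed MAC-auth request: the RADIUS username is the MAC itself."""
    return {
        "Authentication:Username": mac,
        "Radius:IETF-User-Name": mac,
        "Endpoint:MAC-Auth Expiry": expiry,
    }


def decide(policy, attrs, now):
    """Run role mapping, then the enforcement policy; return (profile, rule, roles)."""
    roles = role_mapping(attrs, now)
    profile, rule = first_match(policy, attrs, roles)
    return profile, rule, roles


# Timestamps quoted in the thread: cache expired on the 19th, request on the 21st.
NOW = datetime(2017, 8, 21, 15, 0, 0)
EXPIRED = datetime(2017, 8, 19, 17, 0, 0)
STILL_VALID = datetime(2017, 8, 23, 17, 0, 0)   # constructed, for the valid case


if __name__ == "__main__":
    req = mac_auth_request("00-11-22-33-44-55", EXPIRED)   # constructed MAC
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        profile, rule, roles = decide(policy, req, NOW)
        print(f"{label}: roles={roles} -> {profile} (via {rule})")
```

Run it and the broken policy allows the expired client through rule 1 even though the role list contains no [MAC Caching]; the fixed policy denies the same request and only allows once the expiry is moved into the future. When reading Access Tracker, compare the Output tab's role list against the enforcement rule that fired: if a request is allowed without the caching role, the rule order, not the expiry, is what to fix.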

  • 6.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    Posted Aug 22, 2017 07:55 AM

    Herman, thanks for the information.  I will check out your videos.  What's strange is that if the client has not expired yet, they will hit the exact same service but they are able to retrieve the "account enable" and "account expired" attributes in the enforcement policy.

    (Screenshot attached.)

    When the account expires, they do not get those attributes.

     

    I think it may have something to do with my role mapping???

    (Screenshot attached.)



  • 7.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    EMPLOYEE
    Posted Aug 22, 2017 11:19 AM

    Difficult to guess from this standpoint, but what it looks like is that the last screenshot is a username/password authentication [against the Guest User Database] where the first was a MAC authentication [against the Endpoint Repository]. If they match on the same service, you likely have made a small mistake in your service order or matching rules. While you can configure the User Authentication and MAC caching/authentication in a single service, that is not how it is done in most cases. In the video you will see it is implemented in different services.

     

    I understand it may be confusing sometimes, but when following the service selection, role mapping and enforcement policy properly, you should get an answer to everything that ClearPass does. Not having the Guest User repository attributes indicates that that service was not used (or the attributes were not tested in a role mapping or enforcement). Which is true for MAC authentication.



  • 8.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    Posted Aug 21, 2017 10:06 PM

    (Screenshot attached: authorization tab.)

    Tim - here is my authorization tab on the MAC cache service:




  • 9.  RE: Clearpass Guest w/MAC caching - Guests can still login after account is expired

    EMPLOYEE
    Posted Aug 21, 2017 10:13 PM

    Please open a TAC case.