Occasional Contributor II

Clearpass Guest w/MAC caching - Guests can still login after account is expired

I am working on getting Clearpass Guest with MAC caching working. I am using Aruba Instant AP.

 

I've got the MAC caching working, but when the user's account is supposed to expire, they are still able to get on via mac cache.

 

In access tracker on the alerts tab, I see the following message:

Failed to get value for attributes=[AccountEnabled, AccountExpired]

 

The strange thing is that when the user is within their expiration time, those attributes are getting passed in the authorization attributes for that same service.

 

On another side note, in the "active sessions" within Clearpass Guest, it is showing the MAC address instead of their user ID. I would like it to show their user ID. It is also showing "0 bytes" on session uploads/downloads.

Guru Elite

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Please post screenshots of the access tracker request and the role mapping and enforcement policies from your MAC authentication service.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

[Attached screenshots: access-tracker-1 through access-tracker-7, enforcement-policy, enforcement-profile, role-mapping]

Guru Elite

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Make sure you have Guest User Repository as an additional authorization source on the authorization tab.

 

Also, just a tip (has nothing to do with your issue). [Brackets] are reserved for built-in profiles. It's not recommended to use them in custom profile names. 

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Tim - here is my authorization tab on the MAC cache service:

[Attached screenshot: auth-source.jpg]

 

 

 

Guru Elite

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Please open a TAC case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

From the screenshots, you can see that the user gets just the roles [Guest] and [User Authenticated]. The mac caching role does not kick in, which is correct as the MAC-Auth Expiry (2017-08-19 17:00:00) is before the Now DT (2017-08-21 15:00:00); according to rule 1 in the role mapping.

 

Then, if you look in the Enforcement Profile, you can see that the first rule is 'always true' for MAC Authentication (Authentication:Username EQUALS %{Radius:IETF-User-Name}). So that rule matches, and provides access to the guest, regardless of MAC Caching status which is only evaluated in rule 2.

 

So you have the wrong Enforcement Profile selected, or the access is matching the wrong service. In my ClearPass the enforcement profile looks something like this:

[Attached screenshot: 2017-08-22 08_32_47-ClearPass Policy Manager - Aruba Networks.png]

I don't know how you got to your enforcement policy, but that is where the issue seems to be.

 

I posted some videos on how I set up my ClearPass in this Workshop video series. If you watch the Guest section (5 videos), much is covered, and it may help you set up ClearPass Guest with MAC Caching.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
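As an added illustration of the first-match behaviour described above (this is a constructed model, not Herman's configuration or any ClearPass code), the following Python runs the role-mapping expiry check and then an enforcement policy with the posted rule order beside a corrected one. The role name [MAC Caching], the profile names and the condition helpers are assumptions; the timestamps are the ones quoted from the access tracker.

```python
from datetime import datetime

# Constructed model of first-match policy evaluation as discussed in the thread.
# Attribute, role and profile names follow the screenshots; this is not ClearPass code.

def role_mapping(req):
    """Role-mapping rule 1: [MAC Caching] is assigned only while the endpoint's
    MAC-Auth Expiry is still later than Now DT."""
    roles = ["[User Authenticated]", "[Guest]"]
    if req["Endpoint:MAC-Auth Expiry"] > req["Date:Now DT"]:
        roles.append("[MAC Caching]")
    return roles

def username_matches_radius(req, roles):
    # Enforcement rule 1 as posted: Authentication:Username EQUALS %{Radius:IETF-User-Name}.
    # For MAC authentication both values are the client MAC, so this always holds.
    return req["Authentication:Username"] == req["Radius:IETF-User-Name"]

def has_mac_caching_role(req, roles):
    # Enforcement rule 2: the request carries the [MAC Caching] role (assumed condition).
    return "[MAC Caching]" in roles

def evaluate(policy, req, roles):
    """First-match semantics: the first rule whose condition holds picks the profile;
    the default profile applies when nothing matches."""
    for condition, profile in policy:
        if condition(req, roles):
            return profile
    return "[Deny Access Profile]"

# Order from the thread: the always-true rule is first, so rule 2 never gets to decide.
POLICY_AS_POSTED = [(username_matches_radius, "[Allow Access Profile]"),
                    (has_mac_caching_role, "[Allow Access Profile]")]
# Corrected: only a valid MAC-caching role grants access; everything else hits the default.
POLICY_FIXED = [(has_mac_caching_role, "[Allow Access Profile]")]

def decide(policy, mac_auth_expiry, now_dt):
    """Run role mapping, then the enforcement policy, for one MAC-auth request.
    Timestamps are 'YYYY-MM-DD HH:MM:SS' strings as shown in the access tracker."""
    mac = "00-11-22-33-44-55"  # constructed client MAC
    req = {"Authentication:Username": mac, "Radius:IETF-User-Name": mac,
           "Endpoint:MAC-Auth Expiry": datetime.fromisoformat(mac_auth_expiry),
           "Date:Now DT": datetime.fromisoformat(now_dt)}
    return evaluate(policy, req, role_mapping(req))

if __name__ == "__main__":
    # Values from the access tracker in the thread: expiry 2017-08-19 17:00, now 2017-08-21 15:00
    print("as posted:", decide(POLICY_AS_POSTED, "2017-08-19 17:00:00", "2017-08-21 15:00:00"))
    print("fixed    :", decide(POLICY_FIXED, "2017-08-19 17:00:00", "2017-08-21 15:00:00"))
```

With the posted order the expired endpoint is still allowed because rule 1 matches before the caching check is ever reached; with the corrected order the same request falls through to the default deny.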
Occasional Contributor II

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Herman, thanks for the information. I will check out your videos. What's strange is that if the client has not expired yet, they will hit the exact same service but they are able to retrieve the "account enable" and "account expired" attributes in the enforcement policy.

[Attached screenshot: Capture.JPG]

When the account expires, they do not get those attributes.

 

I think it may have something to do with my role mapping???

[Attached screenshot: Capture2.JPG]

Re: Clearpass Guest w/MAC caching - Guests can still login after account is expired

Difficult to guess from this standpoint, but what it looks like is that the last screenshot is a username/password authentication [against the Guest User Database] where the first was a MAC authentication [against the Endpoint Repository]. If they match on the same service, you likely have made a small mistake in your service order or matching rules. While you can configure the User Authentication and MAC caching/authentication in a single service, that is not how it is done in most cases. In the video you will see it is implemented in different services.

 

I understand it may be confusing sometimes, but when following the service selection, role-mapping and enforcement policy properly, you should get an answer to everything ClearPass does. Not having the Guest User repository attributes indicates that that service was not used (or the attributes were not tested in a role-mapping or enforcement), which is true for MAC authentication.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).