Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Delay in post_authentication when updating CPPM Endpoint Attribute

  • 1.  Delay in post_authentication when updating CPPM Endpoint Attribute

    Posted May 23, 2018 03:33 AM

    I use ClearPass to authenticate wired network computers (on Cisco switches).

    I first use 802.1X (with certificate) for 30 seconds (tx-period = 10, max-reauth-req = 2), and if it fails I use MAB.

    After both 802.1X and MAB authentication I have a post_authentication enforcement that updates Endpoint attributes (time_of_authentication, type_of_authentication = MAB or DOT1X).

    Sometimes, some devices succeed at 802.1X just after the switch changes authentication method (from 802.1X to MAB). When this happens, in the ClearPass tracker I can see the MAB authentication succeed and, some seconds later, the DOT1X authentication succeed for the same MAC address (same Endpoint).

    The problem is that the Endpoint attribute contains the "time_of_authentication" value from the DOT1X authentication (the second authentication), but "type_of_authentication" contains the value for MAB (the first authentication). I get a mix of the two post_authentication updates.

    When two authentication processes (MAB and DOT1X) for the same Endpoint are very close together, how can we force ClearPass not to mix the Endpoint Attribute updates?

    I tried to increase the tx-period to avoid having DOT1X and MAB at the same time, but the problem still occurs with very slow computers.



  • 2.  RE: Delay in post_authentication when updating CPPM Endpoint Attribute

    EMPLOYEE
    Posted May 23, 2018 03:35 AM
    What is the purpose of said attributes?


  • 3.  RE: Delay in post_authentication when updating CPPM Endpoint Attribute

    Posted May 23, 2018 04:02 AM

    Endpoint attribute information is exported (via web services) into an
    external application used by our Helpdesk.
    In fact we use more attributes than the ones described in my message.
    That's why it is a problem for us to have a mix of different
    post_authentication attribute information for the same Endpoint.

    The first attribute provides the authentication time.

    The second attribute describes the type of authentication (MAB, DOT1X, ...).


    @cappalli wrote:
    What is the purpose of said attributes?



  • 4.  RE: Delay in post_authentication when updating CPPM Endpoint Attribute

    Posted May 23, 2018 04:25 AM

    As an example, the following picture shows the problem.

    You can see two authentication events close together for the same Endpoint (38c9864a7d16). The first authentication (08:04:30) is MAB and the second one (08:04:38) is DOT1X (NAC-cisco CERTIFICAT).

    You can also see the Post_authentication for the two events and the Endpoint result after the two events: the "Last Check In = 08:04:38" attribute corresponds to the DOT1X authentication (08:04:38), but the "Role = NAC CERT_TO_MAB" attribute corresponds to the MAB authentication (08:04:30). The "Role" value should be "NAC Cert ACV".



  • 5.  RE: Delay in post_authentication when updating CPPM Endpoint Attribute

    EMPLOYEE
    Posted May 23, 2018 08:40 AM
    I would recommend creating two attributes. One for the 802.1X timestamp and one for the MAC Auth timestamp. Last Check In is used with EMM solutions.


  • 6.  RE: Delay in post_authentication when updating CPPM Endpoint Attribute

    Posted May 23, 2018 10:19 AM

    The "Last Check In" value was updated during the Enforcement of the last authentication (802.1X) and its value is coherent with the update time of the Endpoint.

    The values that are wrong are these attributes:

    Role    (predefined attribute)

    countCertToMab  (not a predefined attribute)

    These two attributes keep the information from the first authentication (the MAB one).

    So I don't think the problem is related to the "Last Check In" attribute.

    Moreover, it is important for us to have the same attribute name for the different authentication methods. As indicated before, these attributes are sent via web service to another piece of software to compute some statistics. Having different names, one for each service, is a problem for us.
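To make the interleaving described in posts 1 and 4 concrete, here is an added Python model of the race; it is illustrative code written for this thread, not ClearPass code and not anything the posters shared. The endpoint store, the order in which the individual attribute writes land, and the timestamp guard are assumptions; the MAC address, the two authentication times, the attribute names and the role values are the ones quoted in the thread. The first function reproduces the mixed Endpoint by applying each enforcement's attributes one at a time in an interleaved order. The second shows one mitigation pattern: every enforcement submits all of its attributes as a single record stamped with the authentication time, the record is applied whole, and a record older than the one already stored is discarded instead of overwriting part of the newer result.

```python
"""Model of the MAB / DOT1X post_authentication race from this thread.

Illustrative example only, not ClearPass code. The endpoint store, the
write ordering and the guard are constructed assumptions; the MAC, times,
roles and attribute names are the ones quoted in the thread.
"""
from datetime import datetime

# Constructed timeline from post 4: MAB at 08:04:30, then DOT1X at 08:04:38.
MAC = "38c9864a7d16"
MAB_UPDATE = {
    "auth_time": datetime(2018, 5, 23, 8, 4, 30),
    "attrs": {"Last Check In": "08:04:30", "Role": "NAC CERT_TO_MAB",
              "type_of_authentication": "MAB"},
}
DOT1X_UPDATE = {
    "auth_time": datetime(2018, 5, 23, 8, 4, 38),
    "attrs": {"Last Check In": "08:04:38", "Role": "NAC Cert ACV",
              "type_of_authentication": "DOT1X"},
}


def apply_attribute_by_attribute(write_order):
    """Each enforcement writes its attributes one at a time, and the two
    enforcements' writes can interleave. ``write_order`` lists
    (update, attribute_name) pairs in the order the writes land on the
    Endpoint record; the last write for each name wins, independently."""
    endpoint = {}
    for update, name in write_order:
        endpoint[name] = update["attrs"][name]
    return endpoint


def apply_guarded_record(updates_in_arrival_order):
    """Mitigation (assumed design, not a ClearPass feature): an update is
    applied as one whole record, and only if its authentication time is not
    older than the authentication time already stored for the Endpoint.
    A late write belonging to the earlier (MAB) authentication is dropped
    rather than partially overwriting the newer (DOT1X) result."""
    endpoint = {}
    stored_time = None
    for update in updates_in_arrival_order:
        if stored_time is not None and update["auth_time"] < stored_time:
            continue  # stale: belongs to an authentication already superseded
        endpoint = dict(update["attrs"])
        stored_time = update["auth_time"]
    return endpoint


def reproduce_mixed_state():
    """The interleaving that yields the mix reported in posts 1 and 4:
    the DOT1X writes land, then delayed MAB writes for Role and type land
    last, so "Last Check In" is DOT1X's while "Role" is MAB's."""
    order = [
        (MAB_UPDATE, "Last Check In"),
        (DOT1X_UPDATE, "Last Check In"),
        (DOT1X_UPDATE, "Role"),
        (DOT1X_UPDATE, "type_of_authentication"),
        (MAB_UPDATE, "Role"),                     # late MAB write
        (MAB_UPDATE, "type_of_authentication"),  # late MAB write
    ]
    return apply_attribute_by_attribute(order)


def consistent_state():
    """Same arrival order (DOT1X record first, MAB record late) under the guard."""
    return apply_guarded_record([DOT1X_UPDATE, MAB_UPDATE])


if __name__ == "__main__":
    print(MAC, "interleaved writes:", reproduce_mixed_state())
    print(MAC, "guarded record    :", consistent_state())
```

The guard compares authentication times rather than write times, which is what makes the late MAB record rejectable even though it arrives last; the same rule can be applied by whatever consumes the exported attributes, provided each export carries the authentication time of the enforcement that produced it.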