Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Error 206

  • 1.  Error 206

    Posted Sep 08, 2014 10:17 PM

    Screen Shot 2014-09-09 at 10.12.53 AM.png

     

    I would like to ask about this error 206. I already checked the user account and everything is fine. Can someone explain to me what the root cause of the problem is and how to solve the problem?



  • 2.  RE: Error 206

    EMPLOYEE
    Posted Sep 08, 2014 10:19 PM
    What type of service is this? 802.1X? MAC-auth?


  • 3.  RE: Error 206

    Posted Sep 08, 2014 10:21 PM

    802.1X auth.

     

    We used AD to auth the user.



  • 4.  RE: Error 206

    EMPLOYEE
    Posted Sep 08, 2014 10:23 PM
    What is the default profile set to? It looks like it's falling through all your service rules.


  • 5.  RE: Error 206

    Posted Sep 08, 2014 10:31 PM

    We just set it as the user profile. Does it have other profiles? Or can we check the profile in AD or in ClearPass itself?



  • 6.  RE: Error 206

    Posted Sep 08, 2014 11:33 PM

    If you are able to export the log entry, it may help us with your solution (button on the bottom right of your Access Tracker event).  As Tim stated, you are getting the reject because policy did not match (and the reject profile is likely the default profile action in that case).   Despite passing authentication, the policy engine is going to evaluate the request through the Role Mapping Policy and the Enforcement Policy.   By reviewing those two policies that are applied to your Service, you should be able to track why the user did not "match" anything in those policies and thus was given the reject profile instead.



  • 7.  RE: Error 206

    EMPLOYEE
    Posted Sep 08, 2014 11:52 PM

    To do a quick test, change your default policy to accept and see if the client connects. If it does, then you know there is an error in your policy.

    A common issue is that you have in your rules a role or enforcement condition that is EQUALS, and most likely it needs to be CONTAINS, especially if it's an AD group membership.

    If it's EQUALS, then it needs to be the full AD group name.

    If it's CONTAINS, then it can be the simple name.

    See example below

    Screen Shot 2014-09-08 at 10.49.07 PM.png



  • 8.  RE: Error 206

    Posted Sep 09, 2014 05:17 AM
    Hi. Can you provide a bit more info about the service, role and enforcement policy this user is going down? Is this an 802.1X service? And are you backing off the decision making to Active Directory?


  • 9.  RE: Error 206

    Posted Sep 09, 2014 05:21 AM
    Having now scrolled down, I can see you've answered some of those! I agree with CONTAINS for group membership. I would also check the AND/OR logic plus the FIRST APPLICABLE/ALL logic, as this sometimes leads to unexpected results.
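
The fall-through discussed in this thread (EQUALS versus CONTAINS on AD group membership, AND/OR, first-applicable versus evaluate-all, and the default profile), as an added example that is not part of any post and is not ClearPass code. It is a simplified Python model; the rule format, profile names and sample group DNs are constructed assumptions.

```python
# Simplified model of rule evaluation; NOT ClearPass code. All names are hypothetical.
OPS = {
    "EQUALS": lambda actual, wanted: actual == wanted,
    "CONTAINS": lambda actual, wanted: wanted in actual,
}

def rule_matches(rule, attrs):
    """A rule matches when ALL (AND) or ANY (OR) of its conditions hold."""
    results = [
        any(OPS[op](value, wanted) for value in attrs.get(name, []))
        for name, op, wanted in rule["conditions"]
    ]
    return all(results) if rule["match"] == "AND" else any(results)

def evaluate(policy, attrs):
    """Return the profiles applied to a request that already passed authentication."""
    hits = [r["profile"] for r in policy["rules"] if rule_matches(r, attrs)]
    if not hits:
        return [policy["default"]]  # no rule matched: the default profile applies
    return hits[:1] if policy["algorithm"] == "first-applicable" else hits

def make_policy(op, wanted, algorithm="first-applicable", default="Deny Access"):
    """Two-rule policy; the first rule's operator and value are the variables."""
    return {
        "algorithm": algorithm,
        "default": default,
        "rules": [
            {"match": "AND", "profile": "Staff Access",
             "conditions": [("memberOf", op, wanted)]},
            {"match": "AND", "profile": "Contractor Access",
             "conditions": [("memberOf", "CONTAINS", "CN=Contractors,")]},
        ],
    }

# Constructed sample: AD returns group membership as full distinguished names.
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=com"
USER = {"memberOf": [STAFF_DN]}
BOTH = {"memberOf": [STAFF_DN, "CN=Contractors,OU=Groups,DC=example,DC=com"]}
LOOKALIKE = {"memberOf": ["CN=Staff-Guests,OU=Groups,DC=example,DC=com"]}

if __name__ == "__main__":
    for op, wanted in [("EQUALS", "Staff"), ("EQUALS", STAFF_DN), ("CONTAINS", "Staff")]:
        print(f"{op:8} {wanted!r:45} -> {evaluate(make_policy(op, wanted), USER)}")
    print("evaluate-all:", evaluate(make_policy("CONTAINS", "Staff", "evaluate-all"), BOTH))
    print("lookalike   :", evaluate(make_policy("CONTAINS", "Staff"), LOOKALIKE))
```

In this model a CONTAINS match on a bare name also matches look-alike groups such as the constructed `Staff-Guests`, so a value anchored like `CN=Staff,` keeps the rule from granting access more widely than intended.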