07-16-2014 10:52 AM
I'm having a problem with Clearpass and certain computers.
Some computers fail authentication. If I check the "Alert" tab, it says:
Policy Server: Failed to get value for attributes=[Device Name]
When I check "Input - Authorization Attributes",
it only shows a few attributes: Account Expires, memberOf, and UserDN.
It does not show the 'device name' attribute.
However, some computers authenticate just fine. Under the "Input - Authorization Attributes" section, those show several more attributes, including Device name.
Why would Clearpass get more attributes from some computers and not others?
I've checked AD replication, and it's fine. I've checked to see if security settings are different between successful and non-successful laptops, and they look identical.
Is this a Clearpass or an AD issue?
07-16-2014 11:09 AM
The device name likely comes from the profiling; not AD. For those devices that fail, are they "profiled" in the endpoint database? Do you have a role mapping or enforcement policy that is dependent on that attribute?
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
07-16-2014 01:58 PM
Thanks for the reply.
This issue seems to have had something to do with the username. The account was good, not locked out or disabled.
But I created a new user with the exact same group memberships and permissions, and was able to connect that way.
One of those things to try to figure out at some to-be-determined time in the future.
Thanks again for your help.
07-17-2014 04:56 AM
Curious - was the device name an attribute passed back from AD in your case?
You can go into the AD authentication source and see how Clearpass queried for the device name attribute if it exists in your source.
Consulting Systems Engineer - ACCX, ACDX, ACMX
07-17-2014 07:07 AM
Thanks for showing me how to check the AD authentication parameters.
Device Name is not listed there on my CPPM.
I believe that I incorrectly interpreted the data. I thought that the error message of being unable to get the device name was present every time there was a problem. But I've found a few instances where the same error appeared, and the machine authenticated just fine.
So apparently, it has nothing to do with the problem I was having.
I'm still not 100% sure what my problem was, but creating a new user seems to have cleared it up, at least for that workstation.
I've got an eye on it.