Security

Reply
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Failed to get value for attributes=[Device Name]

Hi:

I'm having a problem with Clearpass and certain computers.

Some computers fail authentication. If I check the "Alert" tab, it says:

Policy Server: Failed to get value for attributes=[Device Name]

 

When I check Input - Authorization Attributes"

it only shows a few attributes: Account Expires, memberOf, and UserDN.

It does not show the 'device name' attribute.

 

However, some computers authenticate just fine. Under the  Input - Authorization Attributes" section, those show several more attributes, including Device name.

 

Why would Clearpass get more attributes from some computers and not others?

 

I've checked AD replication, and it's fine. I've checked to see if security settings are different between successful and non-successful laptops, and they look identical.

 

Is this a Clearpass or an AD issue?

 

Thanks,

Tony

 

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Failed to get value for attributes=[Device Name]

The device name likely comes from the profiling; not AD.  For those devices that fail, are they "profiled" in the endpoint database?   Do you have a role mapping or enforcement policy that is dependent on that attribute?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Failed to get value for attributes=[Device Name]

Hi:

Thanks for the reply.

This issue seems to have had something to do with the username. The account was good, not locked out, or disabled.

But I created a new user with the exact same group memberships and permissions, and was able to connect that way.

 

One of those things to try to figure out at some to-be-determined time in the future.

 

Thanks again for your help.

Tony

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Failed to get value for attributes=[Device Name]

Curious - was the device name an attribute passed back from AD in your case?  

 

You can go into the AD authentication source and see how Clearpass queried for the device name attribute if it exists in your source.

 

Screenshot 2014-07-17 07.56.13.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Failed to get value for attributes=[Device Name]

Hi Seth:

Thanks for showing me how to check the AD authentication parameters.

Device Name is not listed there on my CPPM.

 

I believe that I incorrectly interpreted the data. I thought that the error message of being unable to get the device name was present every time there was a problem. But I've found a few instances where the same error appeared, and the machine authenticated just fine.

So apparently, it has nothing to do with the problem I was having.

 

I'm still not 100% sure what my problem was, but creating a new user seems to have cleared it up, at least for that workstation.

 

I've got an eye on it.

 

Thanks,

Tony

 

 

 

Guru Elite
Posts: 7,864
Registered: ‎09-08-2010

Re: Failed to get value for attributes=[Device Name]

Are you using Endpoint:Device Name or is it a different attribute from another source?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Search Airheads
Showing results for 
Search instead for 
Did you mean: