Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How does ClearPass generate the Connection:Client-Mac-Address attribute?

  • 1.  How does ClearPass generate the Connection:Client-Mac-Address attribute?

    Posted Nov 27, 2014 09:57 AM

    Hi,

    Might have answered my own question, but how does ClearPass generate the Connection:Client-Mac-Address-[something] set of attributes? I'm guessing that it's the IETF Calling-Station-Id.

    I'm looking at an HP 5130 switch authenticating to our clearpass server and I get an alert that says

    erFailed to construct filter=SELECT mac_vendor, hostname,(case when static_ip is false then 'false' else 'true' end) as static_ip, device_category, device_family, device_name, other_category, other_family, other_name, (case when conflict is false then 'false' else 'true' end) as conflict FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}').
    Failed to get value for attributes=[Device Name, OS Family]

     

    Looking at the generated attributes, I don't have any Connection:Client-Mac-Address entries generated for this switch. What I do have, however, is the following. Note the called/calling station IDs are the same!

     

    Radius:IETF:Called-Station-Id     406c-8f58-fd89
    Radius:IETF:Calling-Station-Id    406c-8f58-fd89
    Radius:IETF:Framed-MTU            1450
    Radius:IETF:NAS-Identifier        xb1sw9
    Radius:IETF:NAS-IP-Address        10.4.4.107
    Radius:IETF:NAS-Port              67125155
    Radius:IETF:NAS-Port-Id           slot=4;subslot=0;port=3;vlanid=4003
    Radius:IETF:NAS-Port-Type         15
    Radius:IETF:Service-Type          2
    Radius:IETF:User-Name             as1558@york.ac.uk


  • 2.  RE: How does ClearPass generate the Connection:Client-Mac-Address attribute?

    EMPLOYEE
    Posted Nov 30, 2014 04:00 AM

    The error you are seeing is based on what the SQL query is looking for (Failed to get value for attributes=[Device Name, OS Family]).

     

    CPPM is looking in the database to see if the device authenticating has those two attributes. In some cases you will need to create a new filter to ignore those fields, or ignore the errors. (In my lab I have the same service for guest and device auth. Some of my devices auth and do not have all the attributes that the guest devices are looking for, so I will get an error but the auth will still be successful.)

     

    It's all based on what you look for in the authorization and how your authz source is built.
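
The alert quoted in the first post can be reproduced offline with a small model of `%{...}` placeholder expansion. This is an added example, not code from the thread or from ClearPass: the function names are hypothetical, the filter is shortened to two of its columns, and it is an assumption (the thread does not confirm it) that the NoDelim value is the client MAC with delimiters removed.

```python
import re

# Filter from the alert in the first post, shortened to two columns.
FILTER = ("SELECT device_name, device_family FROM tips_endpoint_profiles "
          "WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')")

# Subset of the request attributes listed in the first post.
REQUEST = {
    "Radius:IETF:Called-Station-Id": "406c-8f58-fd89",
    "Radius:IETF:Calling-Station-Id": "406c-8f58-fd89",
    "Radius:IETF:NAS-IP-Address": "10.4.4.107",
}

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

def missing_placeholders(template, attrs):
    """Return names referenced as %{...} that have no value in attrs."""
    return [n for n in PLACEHOLDER.findall(template) if n not in attrs]

def expand(template, attrs):
    """Substitute %{...} values; the result is for inspection, never executed."""
    missing = missing_placeholders(template, attrs)
    if missing:
        raise ValueError("Failed to construct filter, no value for: "
                         + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: attrs[m.group(1)], template)

def mac_nodelim(value):
    """Strip ':', '-' and '.' delimiters; return 12 lowercase hex digits or None."""
    digits = re.sub(r"[:.\-]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

if __name__ == "__main__":
    # With only the attributes from the post, the placeholder has no value.
    print("missing:", missing_placeholders(FILTER, REQUEST))
    # Assumed derivation: Calling-Station-Id with delimiters removed.
    mac = mac_nodelim(REQUEST["Radius:IETF:Calling-Station-Id"])
    filled = dict(REQUEST, **{"Connection:Client-Mac-Address-NoDelim": mac})
    print(expand(FILTER, filled))
```

Running the same check against the attributes of a failing request shows which placeholder an authorization source filter depends on before deciding whether to change the filter or ignore the alert.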