Super Contributor I
Posts: 289
Registered: ‎02-07-2013

How does ClearPass generate the Connection:Client-Mac-Address attribute?

Hi,

Might have answered my own question, but how does ClearPass generate the Connection:Client-Mac-Address-[something] set of attributes? I'm guessing that it's the IETF calling-station-id.

I'm looking at an HP 5130 switch authenticating to our ClearPass server and I get an alert that says

erFailed to construct filter=SELECT mac_vendor, hostname,(case when static_ip is false then 'false' else 'true' end) as static_ip, device_category, device_family, device_name, other_category, other_family, other_name, (case when conflict is false then 'false' else 'true' end) as conflict FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}').
Failed to get value for attributes=[Device Name, OS Family]

 

Looking at the generated attributes, I don't have any Connection:Client-Mac-Address entries generated for this switch. What I do have, however, is the following. Note the called/calling station IDs are the same!

 

Radius:IETF:Called-Station-Id     406c-8f58-fd89
Radius:IETF:Calling-Station-Id    406c-8f58-fd89
Radius:IETF:Framed-MTU            1450
Radius:IETF:NAS-Identifier        xb1sw9
Radius:IETF:NAS-IP-Address        10.4.4.107
Radius:IETF:NAS-Port              67125155
Radius:IETF:NAS-Port-Id           slot=4;subslot=0;port=3;vlanid=4003
Radius:IETF:NAS-Port-Type         15
Radius:IETF:Service-Type          2
Radius:IETF:User-Name             as1558@york.ac.uk
Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: How does ClearPass generate the Connection:Client-Mac-Address attribute?

The error you are seeing is based on the SQL query looking for (Failed to get value for attributes=[Device Name, OS Family])

 

CPPM is looking in the database to see if the device authenticating has those two attributes. In some cases you will need to create a new filter to ignore those fields or ignore the errors. (In my lab I have the same service for guest and device auth. On some of my devices they auth and do not have all the attributes that the guest devices are looking for, so I will get an error but the auth will still be successful.)

 

It's all based on what you look for in the authorization and how your authz source is built.

Thank You,
Troy
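
A triage check for the request attributes quoted in the first post, as an added example that is not part of the thread or ClearPass's own code. It assumes, following the original poster's guess, that the NoDelim MAC is the Calling-Station-Id with delimiters removed and lowercased; the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample: a subset of the attributes quoted in the first post.
SAMPLE = """\
Radius:IETF:Called-Station-Id 406c-8f58-fd89
Radius:IETF:Calling-Station-Id 406c-8f58-fd89
Radius:IETF:NAS-IP-Address 10.4.4.107
Radius:IETF:NAS-Port-Type 15
Radius:IETF:User-Name as1558@york.ac.uk
"""

def parse_attributes(text):
    """Parse 'name value' lines into a dict keyed by attribute name."""
    attrs = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.strip().partition(" ")
            attrs[name] = value.strip()
    return attrs

def mac_nodelim(value):
    """Return 12 lowercase hex digits, or None if value is not a bare MAC."""
    if value is None:
        return None
    # Accept xxxx-xxxx-xxxx, xx:xx:..., xx-xx-... and xxxx.xxxx.xxxx forms.
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def check_request(attrs):
    """Return (lookup MAC or None, findings) for one access request."""
    findings = []
    calling = mac_nodelim(attrs.get("Radius:IETF:Calling-Station-Id"))
    called = mac_nodelim(attrs.get("Radius:IETF:Called-Station-Id"))
    if calling is None:
        findings.append("Calling-Station-Id missing or not a MAC address; "
                        "a MAC-keyed endpoint lookup has no value to use")
    elif calling == called:
        findings.append("Calling-Station-Id is the same as Called-Station-Id, "
                        "so the value may not identify the endpoint")
    return calling, findings

if __name__ == "__main__":
    mac, notes = check_request(parse_attributes(SAMPLE))
    print("lookup MAC:", mac)
    for note in notes:
        print("finding:", note)
```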
