Security

Contributor I
Posts: 29
Registered: ‎05-09-2013

MAC User ID account created at the Guest page expired but still able to connect to the network

Hi, I'm doing a test for MAB in which the source of authorization is the Guest operator registration page.

 

I keyed in the PC's MAC address in the Guest registration page. I noticed the following when the account expired:

- tried manually making the account expire (at the guest operator page, change the expiration of the guest device to -> now)

- tried setting the account expiration to -> 1 hour later.

I tried both of the above and the device was still able to connect using MAB through ClearPass, even though the account had already expired. Is there any additional setting needed to reject the connection after the account expires?

Aruba
Posts: 349
Registered: ‎04-14-2009

Re: MAC User ID account created at the Guest page expired but still able to connect to the network

Is the user still authenticated on the controller?  The "aaa user delete" command is useful for making sure that the account is not still authenticated to the controller.

 

If the account is not authenticated on the controller, then Access Tracker is useful for figuring out what service is authenticating it.

 

 

Contributor I
Posts: 29
Registered: ‎05-09-2013

Re: MAC User ID account created at the Guest page expired but still able to connect to the network

Hi dancomfort, thanks for the reply.

I am doing a MAB test for a wired network, and the authorization source is the Guest Device Repository.

The PC's MAC was created in the ClearPass Guest portal to allow the PC to access the LAN network. When I manually set the account to expire, ClearPass still allowed the PC to connect to the network.

 

Thanks 

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: MAC User ID account created at the Guest page expired but still able to connect to the network

Can you post screenshots of the service, roles and enforcement you are using? From the information you posted it's hard to figure out where the break is.

You say you're using guest as an authorization source, but how are you using it? If it's just an authorization with no triggers, then we are just looking to see if the user is in the guest database.
Thank You,
Troy

Contributor I
Posts: 29
Registered: ‎05-09-2013

Re: MAC User ID account created at the Guest page expired but still able to connect to the network

Hi Troy, thank you for the response.

 

Sorry for late reply.

Service: Mac authentication Bypass

Authentication Method: [Allow All MAC AUTH]

Authentication Source: [Guest Device Repository][Local SQL DB]

 

Authorization Source : [Guest Device Repository][Local SQL DB]

Attributes Fetched From:[Guest Device Repository][Local SQL DB]

 

Role mapping:

(GuestUser: [Role ID] EQUALS 1) -> [Contractor]

Enforcement:

(TIPS: Role EQUALS [Contractor]) AND (Tips: Posture EQUALS HEALTHY(0)) -> Downloadable ACL Access

 

Guest Portal page to create device (Please see attached Untitled.jpg)


In CPPM > Identity > Guest User, the account is already expired, but the device is still able to connect and ping through the ACL defined in the enforcement profile.

 

Thanks and regards

 

 

Contributor I
Posts: 29
Registered: ‎05-09-2013

Re: MAC User ID account created at the Guest page expired but still able to connect to the network

Changing the Authentication Method to "MAC Auth" solved the issue. MAC Auth by default will deny "unknown" devices and look up the information in the authentication source.
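The following is an added example, not code from this thread or from Aruba's ClearPass: a small Python model of the MAB decision path the thread describes, used to show why an expired guest device is still admitted when the authentication method never consults the Guest Device Repository and the repository is only used to fetch attributes, and why a lookup-based method rejects it. The repository layout, the field names, the two method names and their semantics are assumptions made for illustration and do not reproduce ClearPass's internal logic.

```python
"""Simplified model of a MAB service: authentication method, authorization
(attribute fetch), role mapping and enforcement. Added illustration; the
method semantics below are assumptions, not ClearPass's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class GuestDevice:
    mac: str
    role_id: int
    expire_time: Optional[datetime]  # None means the account never expires

    def is_expired(self, now: datetime) -> bool:
        return self.expire_time is not None and self.expire_time <= now


class GuestDeviceRepository:
    """Constructed stand-in for the Guest Device Repository (local SQL DB)."""

    def __init__(self, devices):
        self._by_mac = {d.mac.lower(): d for d in devices}

    def lookup(self, mac: str) -> Optional[GuestDevice]:
        return self._by_mac.get(mac.lower())


# Role mapping from the thread: GuestUser Role ID 1 -> Contractor
ROLE_MAP = {1: "Contractor"}


def authenticate(method: str, mac: str, repo: GuestDeviceRepository, now: datetime) -> bool:
    """Assumed semantics of the two methods named in the thread:
    'allow_all' accepts any MAC without touching the source (so expiry is
    never evaluated); 'mac_auth' requires a known, unexpired device."""
    if method == "allow_all":
        return True
    if method == "mac_auth":
        dev = repo.lookup(mac)
        return dev is not None and not dev.is_expired(now)
    raise ValueError(f"unknown authentication method: {method}")


def authorize(mac: str, repo: GuestDeviceRepository) -> Optional[str]:
    """Authorization used only as an attribute source: fetch the Role ID and
    map it to a TIPS role. Note that nothing here looks at expire_time."""
    dev = repo.lookup(mac)
    return None if dev is None else ROLE_MAP.get(dev.role_id)


def enforce(role: Optional[str], posture_healthy: bool) -> str:
    """Enforcement rule from the thread; anything unmatched falls to deny."""
    if role == "Contractor" and posture_healthy:
        return "Downloadable ACL Access"
    return "Deny Access"


def evaluate(method: str, mac: str, repo: GuestDeviceRepository,
             now: datetime, posture_healthy: bool = True) -> str:
    """Full decision for one MAB request: REJECT on failed authentication,
    otherwise ACCEPT with the enforcement profile that was selected."""
    if not authenticate(method, mac, repo, now):
        return "REJECT"
    return "ACCEPT: " + enforce(authorize(mac, repo), posture_healthy)


# Constructed sample data: one device expired an hour ago, one still valid.
NOW = datetime(2013, 5, 9, 12, 0, tzinfo=timezone.utc)
REPO = GuestDeviceRepository([
    GuestDevice("00:11:22:33:44:55", role_id=1, expire_time=NOW - timedelta(hours=1)),
    GuestDevice("00:11:22:33:44:66", role_id=1, expire_time=NOW + timedelta(hours=1)),
])

if __name__ == "__main__":
    for method in ("allow_all", "mac_auth"):
        for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"):
            print(f"{method:9} {mac} -> {evaluate(method, mac, REPO, NOW)}")
```

Running the module prints one line per method and MAC. With `allow_all`, the expired device still ends up with the Contractor role and the ACL profile, because the only place expiry is stored (the repository) is consulted purely for attributes; with `mac_auth`, the expired and the unknown MAC are both rejected before any attribute fetch happens, which matches the outcome reported in the last post.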
