07-08-2013 08:57 PM - edited 07-09-2013 12:41 AM
Hi, I'm doing a test for MAB in which the source of authorization is the Guest operator registration page.
I key in the PC's MAC address in the Guest registration page. I noticed the following when the account expired:
- tried manually making the account expire (at the guest operator page, change the expiration of the guest device to -> now)
- tried setting the account expiration to -> 1 hour later.
I tried both of the above and the device is still able to connect using MAB via ClearPass, even though the account has already expired. Is there any additional setting needed to reject the connection after the account has expired?
07-08-2013 09:29 PM
Is the user still authenticated on the controller? The "aaa user delete" command is useful for making sure that the account is not still authenticated to the controller.
If the account is not authenticated on the controller, then Access Tracker is useful for figuring out what service is authenticating it.
07-09-2013 12:53 AM
Hi dancomfort, thanks for the reply
I am doing a MAB test for a wired network, and the authorization source is the Guest Device Repository.
The PC's MAC was created in the ClearPass Guest portal to allow the PC to access the LAN. When I manually set the account to expire, ClearPass still allows the PC to connect to the network.
07-09-2013 01:14 AM
You say you're using guest as an authorization source, but how are you using it? If it's just an authorization source with no triggers, then we are only looking to see whether the user exists in the guest database.
07-09-2013 08:49 AM
Hi Troy, thank you for the response.
Sorry for the late reply.
Service: Mac authentication Bypass
Authentication Method: [Allow All MAC AUTH]
Authentication Source: [Guest Device Repository][Local SQL DB]
Authorization Source : [Guest Device Repository][Local SQL DB]
Attributes Fetched From:[Guest Device Repository][Local SQL DB]
(GuestUser: [Role ID] EQUALS 1) [Contractor]
(TIPS: Role EQUALS [Contractor]) AND (Tips:Posture EQUALS HEALTHY(0)) -> Downloadable ACL Access
Guest Portal page to create device (Please see attached Untitled.jpg)
In CPPM > Identity > Guest User, the account has already expired, but the PC is still able to connect and ping through the ACL defined in the enforcement profile.
Thanks and regards
07-10-2013 05:27 AM
Changing the Authentication Method to "Mac Auth" solved the issue. Mac Auth by default will deny "unknown" devices and look up the information in the Authentication Source.
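To make the difference between the two authentication methods concrete, here is an added model (not ClearPass code, and not from anyone in this thread) of the service described above: a constructed Guest Device Repository with expiry times, the role-mapping rule `[Role ID] EQUALS 1 -> Contractor`, and the enforcement rule `Contractor AND HEALTHY -> Downloadable ACL Access`. It assumes that `[Allow All MAC AUTH]` never rejects at the authentication step and that attributes are still fetched for an expired record, which is the behaviour the thread reports; the default enforcement profile name is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Method(Enum):
    ALLOW_ALL_MAC_AUTH = "Allow All MAC AUTH"  # authentication step always passes
    MAC_AUTH = "MAC Auth"                      # device must be known and unexpired


@dataclass
class GuestDevice:
    mac: str
    role_id: int
    expire_time: Optional[datetime]  # None means the device never expires


# Constructed sample repository (not real data); one expired, one valid device.
NOW = datetime(2013, 7, 9, 8, 49)
REPOSITORY = {
    "00:11:22:33:44:55": GuestDevice("00:11:22:33:44:55", 1, NOW - timedelta(hours=1)),
    "66:77:88:99:aa:bb": GuestDevice("66:77:88:99:aa:bb", 1, NOW + timedelta(hours=1)),
}


def is_expired(device: GuestDevice, now: datetime) -> bool:
    return device.expire_time is not None and device.expire_time <= now


def evaluate(mac: str, method: Method, posture_healthy: bool = True,
             now: datetime = NOW, repo=REPOSITORY) -> str:
    """Return the enforcement result for one MAB request under the given method."""
    device = repo.get(mac.lower())

    # Authentication: only "MAC Auth" consults the source; unknown or expired -> REJECT.
    if method is Method.MAC_AUTH and (device is None or is_expired(device, now)):
        return "REJECT"

    # Authorization: attributes are fetched from the repository record if one exists
    # (modelled as not checking expiry, matching what the thread observed).
    role = "Contractor" if device is not None and device.role_id == 1 else None

    # Enforcement: the thread's rule, with an assumed default profile otherwise.
    if role == "Contractor" and posture_healthy:
        return "Downloadable ACL Access"
    return "Deny Access Profile"  # assumed default enforcement profile name
```

With `[Allow All MAC AUTH]` the expired device still reaches the ACL profile; with `MAC Auth` the same device is rejected at authentication, which is the behaviour the thread settled on.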