Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC caching - failed to get value for attributes

  • 1.  MAC caching - failed to get value for attributes

    Posted Sep 05, 2017 09:12 AM

    I'm trying to set up guest login with MAC caching using the template, but I keep getting the following error in access tracker.

    Policy server: Failed to get value for attributes=[AccountEnabled, AccountExpired]

    When I delete the check for AccountEnabled and AccountExpired, it works fine and the MAC gets cached.

    Insight is enabled.

     

    The endpoint is known and in the endpoint repo; the Authorization contains Endpoint repo, time source and Guest user repo.

    All is done via the template, so I don't know where to start.
    We are using 1 user for about 200-300 devices, but that is working fine.


  • 2.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 05, 2017 09:15 AM
    Is [Guest User Repository] set up as an additional authorization source?


  • 3.  RE: MAC caching - failed to get value for attributes

    Posted Sep 05, 2017 09:17 AM

    Yes



  • 4.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 05, 2017 09:24 AM

    Please share a screenshot of the access tracker request and also your service configuration.



  • 5.  RE: MAC caching - failed to get value for attributes

    Posted Sep 05, 2017 09:44 AM

    Output from access tracker:

    Username: 28b2bdb2a093
    End-Host Identifier: 28B2BDB2A093 (Computer / Windows / Windows)
    Access Device IP/Port: 192.168.58.34:0 (wanaka.genk.be / Aruba)

    RADIUS Request
    Radius:Aruba:Aruba-AP-Group  apgrp_thorpark
    Radius:Aruba:Aruba-Essid-Name  Thor Central
    Radius:Aruba:Aruba-Location-Id  c8:b5:ad:c4:10:a6
    Radius:IETF:Called-Station-Id  000B86B7F4F7
    Radius:IETF:Calling-Station-Id  28B2BDB2A093
    Radius:IETF:NAS-IP-Address  192.168.58.34
    Radius:IETF:NAS-Port  0
    Radius:IETF:NAS-Port-Type  19
    Radius:IETF:Service-Type  10
    Radius:IETF:User-Name  28b2bdb2a093

    Authorization Attributes
    Authorization:[Endpoints Repository]:Unique-Device-Count  1
    Authorization:[Time Source]:Now DT  2017-09-05 11:00:00
    Authorization:[Time Source]:One Day DT  2017-09-06 11:00:00
    Authorization:[Time Source]:One Month DT  2017-10-05 11:00:00
    Authorization:[Time Source]:One Week DT  2017-09-12 11:00:00
    Authorization:[Time Source]:Six Months DT  2018-03-05 11:00:00

    Computed Attributes
    Authentication:ErrorCode  0
    Authentication:Full-Username  28b2bdb2a093
    Authentication:Full-Username-Normalized  28b2bdb2a093
    Authentication:MacAuth  KnownClient
    Authentication:OuterMethod  MAC-AUTH
    Authentication:Posture  Unknown
    Authentication:Source  [Endpoints Repository]
    Authentication:Status  MAB
    Authentication:Username  28b2bdb2a093
    Authorization:Sources  [Guest User Repository], [Endpoints Repository], [Time Source]
    Connection:AP-Mac  c8b5adc410a6
    Connection:AP-Name  c8b5adc410a6
    Connection:Client-Mac-Address  28B2BDB2A093
    Connection:Client-Mac-Address-Colon  28:b2:bd:b2:a0:93
    Connection:Client-Mac-Address-Dot  28b2.bdb2.a093
    Connection:Client-Mac-Address-Hyphen  28-b2-bd-b2-a0-93
    Connection:Client-Mac-Address-NoDelim  28b2bdb2a093
    Connection:Client-Mac-Address-Upper-Hyphen  28-B2-BD-B2-A0-93
    Connection:Client-Mac-Vendor  Intel Corporate
    Connection:Dest-IP-Address  192.168.58.30
    Connection:Dest-Port  1812
    Connection:NAD-IP-Address  192.168.58.34
    Connection:Protocol  RADIUS
    Connection:Src-IP-Address  192.168.58.35
    Connection:Src-Port  42219
    Connection:SSID  Thor Central
    Date:Date-Time  2017-09-05 11:02:41
    Endpoint:Guest Role ID  1
    Endpoint:Last Known Authentication Type  wireless
    Endpoint:Last Known Device  AP: a8:bd:27:c5:e5:46
    Endpoint:Last Known SSID  Thor Central
    Endpoint:MAC-Auth Expiry  2017-09-07 23:59:00
    Endpoint:Username  PWC2TC, PWC2TC

    Overview: (screenshot overview.PNG)

    Enforcement (pretty straight forward): (screenshot enforcement.PNG)

    Mapping: (screenshot role mapping.PNG)


  • 6.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 05, 2017 09:57 AM
    Your configuration looks correct. Best to open a TAC case so they can troubleshoot in real time.


  • 7.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 06, 2017 03:56 AM

    Not sure where you got this Role Mapping from.

     

    The problem here is that the Guest User Repository is based on username, where the MAC Authentication service is based on MAC address. The attributes AccountEnabled and AccountExpired are on the username.

    You only map those in the captive portal service, which is on username; and have a separate mapping on the MAC Authentication service for MAC Caching.

     

    What may help is to have a look at this workshop video series, where in the Guest part a service, including MAC Caching, is created.

     

    For the MAC Caching, only the endpoint repository is queried in the role-mapping:

    (Authorization:[Endpoints Repository]:Unique-Device-Count  EXISTS  ) 
    AND (Authorization:[Time Source]:Now DT  LESS_THAN  %{Endpoint:MAC-Auth Expiry}) 
    AND (Authorization:[Guest User Repository]:AccountExpired  EQUALS  false) 
    AND (Authorization:[Guest User Repository]:AccountEnabled  EQUALS  true)
    [MAC Caching]

    That field MAC-Auth Expiry is set in the captive portal authentication:

    Endpoint MAC-Auth Expiry = %{Authorization:[Guest User Repository]:ExpireTime}

    So please check your policies, and where you got them from. To me, it looks like you can just remove the two lines that check the Guest User Database. However, that check needs to be done in the Captive Portal service, so make sure you have those rules in place (with a separate role-mapping).



  • 8.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 04:43 AM

    The strange thing is that this service is created by the template, so where does this come from?

     

    Even your web video shows the exact same in Guest #2, timestamp https://youtu.be/o6ZrDmSMMOU?t=444

     



  • 9.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 06, 2017 04:52 AM

    Let me check that again in my lab.



  • 10.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 05:51 AM

    Have you changed the variables or attributes in the Guest module?

     

    For me it looks like it can't resolve the field that it is using as the username.



  • 11.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 05:54 AM

    Endpoint:Username

    PWC2TC, PWC2TC

    Your Access-Tracker log shows two usernames for this device. It should only show one, from my understanding.



  • 12.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 06:12 AM
    Field                  Label                  Value                            Display
    id                                            3221                             3221
    username               Username:              PWC2TC                           PWC2TC
    current_state          Current State:         active                           Active
    do_expire              Expire Action:         1                                Disable at specified time
    email                  Email Address:         xxxx.be                          xxxx.be
    enabled                Account Status:        1                                Enabled
    expired_notify_status  Expired Notification:  1                                1
    expire_postlogin       Account Lifetime:      0
    expire_time            Expiration Time:       1504821540                       Thursday, 07 September 2017, 11:59 PM
    notes                  Notes:                 PWC account for multiple users   PWC account for multiple users
    remote_addr            Create Address:        172.17.22.249                    172.17.22.249
    role_id                Account Role:          1                                1
    role_name              Account Role:          ROLE Guest                       ROLE Guest
    simultaneous_use       Session Limit:         0                                0
    source                 Create Source:         create_user                      create_user
    sponsor_name           Sponsor’s Name:        g                                g
    sponsor_profile                               1                                1
    sponsor_profile_name   Sponsor’s Profile:     Super Administrator              Super Administrator
    start_time             Activation Time:       1504526457                       2017-09-04 14:00
    visitor_carrier        Mobile Carrier:
    visitor_company        Company Name:          PWC                              PWC
    visitor_name           Guest’s Name:          PWC2TC                           PWC2TC


  • 13.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 06:39 AM

    Please check the endpoint database for this client device. Is the username listed in this endpoints entry?



  • 14.  RE: MAC caching - failed to get value for attributes

    Posted Sep 06, 2017 08:03 AM

    Yes, the username is filled in; however, it has 2 entries, twice the same.



  • 15.  RE: MAC caching - failed to get value for attributes

    EMPLOYEE
    Posted Sep 06, 2017 10:04 AM

    I just retried this scenario in lab, and I see the attributes in the Access Tracker:

    Authorization:[Endpoints Repository]:Unique-Device-Count 1
    Authorization:[Guest User Repository]:AccountEnabled true
    Authorization:[Guest User Repository]:AccountExpired false

    It appears that the username for the lookup in the Guest User Repository is pulled from the Endpoint Database:Username field.

    Endpoint Username = %{Authentication:Username}

    Can you go back to the enforcement profile that sets this value, and check Access Tracker on why it puts the username in twice? If you look up the account information with a garbled username, I can imagine that it will post errors (and not work).
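Added example, not code from the thread or from ClearPass: a small Python model of the [MAC Caching] role-mapping rule quoted in reply #7 together with the [Guest User Repository] lookup keyed on Endpoint:Username described in reply #15. The guest account, the endpoint records and the doubled username are constructed to mirror the thread; that an unmatched username produces the "Failed to get value for attributes" error is the assumption made in reply #15, not documented ClearPass behaviour.

```python
# Added example (not ClearPass code): models the [MAC Caching] role-mapping
# rule from this thread and the [Guest User Repository] lookup keyed on
# Endpoint:Username, to show how a doubled username breaks that lookup.
from datetime import datetime

class AuthorizationError(Exception):
    """An authorization source could not supply the requested attributes."""

# Constructed guest account mirroring the thread (not real data).
GUEST_ACCOUNTS = {
    "PWC2TC": {"enabled": True, "expire_time": datetime(2017, 9, 7, 23, 59)},
}

def guest_repo_lookup(username, now):
    """Model (assumed) of the Guest User Repository: a lookup by exact username."""
    acct = GUEST_ACCOUNTS.get(username)
    if acct is None:
        raise AuthorizationError(
            "Failed to get value for attributes=[AccountEnabled, AccountExpired]")
    return {"AccountEnabled": acct["enabled"],
            "AccountExpired": now >= acct["expire_time"]}

def mac_caching_role(endpoint, now):
    """Evaluate the four ANDed conditions of the role-mapping rule in reply #7."""
    if endpoint.get("Unique-Device-Count") is None:       # ... EXISTS
        return None
    if not now < endpoint["MAC-Auth Expiry"]:              # Now DT LESS_THAN expiry
        return None
    guest = guest_repo_lookup(endpoint["Username"], now)   # raises if unresolvable
    if guest["AccountExpired"] is False and guest["AccountEnabled"] is True:
        return "[MAC Caching]"
    return None

# Endpoint records as Access Tracker would show them (constructed).
good_endpoint = {"Unique-Device-Count": 1, "Username": "PWC2TC",
                 "MAC-Auth Expiry": datetime(2017, 9, 7, 23, 59)}
bad_endpoint = dict(good_endpoint, Username="PWC2TC, PWC2TC")  # doubled value
expired_endpoint = dict(good_endpoint, **{"MAC-Auth Expiry": datetime(2017, 9, 4)})

def evaluate(endpoint, now=datetime(2017, 9, 5, 11, 0)):
    """Return the mapped role, None (rule did not match) or the error text."""
    try:
        return mac_caching_role(endpoint, now)
    except AuthorizationError as err:
        return str(err)

if __name__ == "__main__":
    for name, ep in (("good", good_endpoint), ("bad", bad_endpoint),
                     ("expired", expired_endpoint)):
        print(name, "->", evaluate(ep))
```

Running it shows the clean endpoint mapping to [MAC Caching], the doubled-username endpoint producing the same policy-server error text as in the first post, and the expired endpoint simply not matching.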



  • 16.  RE: MAC caching - failed to get value for attributes
    Best Answer

    Posted Sep 07, 2017 10:25 AM

    I just deleted the 2 services and created again using the template wizard + deleted all endpoint associated with the guest ssid, and now it works...