Contributor I

MAC caching - failed to get value for attributes

I'm trying to set up guest login with MAC caching using the template, but I keep getting the following error in Access Tracker.

Policy server: Failed to get value for attributes=[AccountEnabled, AccountExpired]

When I delete the check for AccountEnabled and AccountExpired, it works fine and the MAC gets cached.

Insight is enabled.

The endpoint is known and in the endpoint repo; the Authorization contains Endpoint repo, time source and Guest user repo.

All is done via the template, so I don't know where to start.
We are using 1 user for about 200-300 devices, but that is working fine.
Guru Elite

Re: MAC caching - failed to get value for attributes

Is [Guest User Repository] set up as an additional authorization source?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: MAC caching - failed to get value for attributes

Yes

Guru Elite

Re: MAC caching - failed to get value for attributes

Please share a screenshot of the access tracker request and also your service configuration.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: MAC caching - failed to get value for attributes

Output from access tracker:

Username: 28b2bdb2a093
End-Host Identifier: 28B2BDB2A093 (Computer / Windows / Windows)
Access Device IP/Port: 192.168.58.34:0 (wanaka.genk.be / Aruba)

RADIUS Request

Radius:Aruba:Aruba-AP-Group = apgrp_thorpark
Radius:Aruba:Aruba-Essid-Name = Thor Central
Radius:Aruba:Aruba-Location-Id = c8:b5:ad:c4:10:a6
Radius:IETF:Called-Station-Id = 000B86B7F4F7
Radius:IETF:Calling-Station-Id = 28B2BDB2A093
Radius:IETF:NAS-IP-Address = 192.168.58.34
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 10
Radius:IETF:User-Name = 28b2bdb2a093

Authorization Attributes

Authorization:[Endpoints Repository]:Unique-Device-Count = 1
Authorization:[Time Source]:Now DT = 2017-09-05 11:00:00
Authorization:[Time Source]:One Day DT = 2017-09-06 11:00:00
Authorization:[Time Source]:One Month DT = 2017-10-05 11:00:00
Authorization:[Time Source]:One Week DT = 2017-09-12 11:00:00
Authorization:[Time Source]:Six Months DT = 2018-03-05 11:00:00

Computed Attributes

Authentication:ErrorCode = 0
Authentication:Full-Username = 28b2bdb2a093
Authentication:Full-Username-Normalized = 28b2bdb2a093
Authentication:MacAuth = KnownClient
Authentication:OuterMethod = MAC-AUTH
Authentication:Posture = Unknown
Authentication:Source = [Endpoints Repository]
Authentication:Status = MAB
Authentication:Username = 28b2bdb2a093
Authorization:Sources = [Guest User Repository], [Endpoints Repository], [Time Source]
Connection:AP-Mac = c8b5adc410a6
Connection:AP-Name = c8b5adc410a6
Connection:Client-Mac-Address = 28B2BDB2A093
Connection:Client-Mac-Address-Colon = 28:b2:bd:b2:a0:93
Connection:Client-Mac-Address-Dot = 28b2.bdb2.a093
Connection:Client-Mac-Address-Hyphen = 28-b2-bd-b2-a0-93
Connection:Client-Mac-Address-NoDelim = 28b2bdb2a093
Connection:Client-Mac-Address-Upper-Hyphen = 28-B2-BD-B2-A0-93
Connection:Client-Mac-Vendor = Intel Corporate
Connection:Dest-IP-Address = 192.168.58.30
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 192.168.58.34
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 192.168.58.35
Connection:Src-Port = 42219
Connection:SSID = Thor Central
Date:Date-Time = 2017-09-05 11:02:41
Endpoint:Guest Role ID = 1
Endpoint:Last Known Authentication Type = wireless
Endpoint:Last Known Device = AP: a8:bd:27:c5:e5:46
Endpoint:Last Known SSID = Thor Central
Endpoint:MAC-Auth Expiry = 2017-09-07 23:59:00
Endpoint:Username = PWC2TC, PWC2TC

Overview:

overview.PNG

Enforcement (pretty straightforward):

enforcement.PNG

Mapping:

role mapping.PNG


Guru Elite

Re: MAC caching - failed to get value for attributes

Your configuration looks correct. Best to open a TAC case so they can troubleshoot in real time.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: MAC caching - failed to get value for attributes

Not sure where you got this Role Mapping from.

 

The problem here is that the Guest User Repository is based on username, where the MAC Authentication service is based on MAC address. The attributes AccountEnabled and AccountExpired are on the username.

You only map those in the captive portal service, which is on username, and have a separate mapping on the MAC Authentication service for MAC Caching.

What may help is to have a look at this workshop video series, where in the Guest part a service including MAC Caching is created.

 

For the MAC Caching, only the endpoint repository is queried in the role-mapping:

(Authorization:[Endpoints Repository]:Unique-Device-Count  EXISTS  ) 
AND (Authorization:[Time Source]:Now DT  LESS_THAN  %{Endpoint:MAC-Auth Expiry}) 
AND (Authorization:[Guest User Repository]:AccountExpired  EQUALS  false) 
AND (Authorization:[Guest User Repository]:AccountEnabled  EQUALS  true)
[MAC Caching]

That field MAC-Auth Expiry is set in the captive portal authentication:

Endpoint MAC-Auth Expiry = %{Authorization:[Guest User Repository]:ExpireTime}

So please check your policies, and where you got them from. To me, it looks like you can just remove the two lines that check the Guest User Database. However, that check needs to be done in the Captive Portal service, so make sure you have those rules in place (with separate role-mapping).

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I

Re: MAC caching - failed to get value for attributes

The strange thing is that this service is created by the template, so where does this come from?

 

Even your web video shows the exact same in Guest #2, timestamp https://youtu.be/o6ZrDmSMMOU?t=444

 

Re: MAC caching - failed to get value for attributes

Let me check that again in my lab.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor II

Re: MAC caching - failed to get value for attributes

Have you changed the variables or attributes in the Guest module?

 

For me it looks like it can't resolve the field that it is using as the username.


Sven
ACMX #754, ACCX #726, ACSA