New Contributor
Posts: 4
Registered: ‎08-29-2014

Mac Caching Error

Hello Guys,

Good day. Need some help here, I am trying to achieve the following:

1/ MAC Authentication via Wired / Wireless (Open Authentication) - Working

2/ Allow MAC-authenticated devices to have access for 90 days - Having error

*Note: my testbed is set to 15 minutes for testing purposes

Here is the screenshot of my Enforcement Rules:

20150729-CPPM-Enforcement.png

The error I am getting:

20150729-CPPM-Insight-Error.png

Once I removed the above Enforcement rules and added a simple [Authenticated Source = Vendor Authentication], everything seems to work perfectly normally.

Need some help to get it working, at the moment I cannot seem to figure out what is wrong :(

Thanks in advance :)

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Mac Caching Error

Make sure you have the following enabled:
- Insight in CPPM
- Interim Accounting in CPPM
- Accounting in the WLC and Switches
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 4
Registered: ‎08-29-2014

Re: Mac Caching Error


victorfabian wrote:
Make sure you have the following enabled:
- Insight in CPPM
- Interim Accounting in CPPM
- Accounting in the WLC and Switches

Hmm, I have checked that the following are enabled. But I am still getting the same error :(

ClearPass:

Interim Accounting is Enabled (Service Parameters -> Log Accounting Interim-Update Packets = True)

Insight is Enabled

WLC

Interim Accounting is Enabled

Accounting Server Group is pointing to the right CPPM Server

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Mac Caching Error

Can you clarify whether you are doing any captive portal authentication prior to the MAC caching?

If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication.

Can you post screenshots from the other tabs of your MAC auth service?

David
ACDX #98 | ACMP | ACCP
New Contributor
Posts: 4
Registered: ‎08-29-2014

Re: Mac Caching Error


dg27 wrote:

Can you clarify whether you are doing any captive portal authentication prior to the MAC caching?

If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication.

Can you post screenshots from the other tabs of your MAC auth service?


Hmm, I am not using Captive Portal Authentication for this case, just purely MAC Authentication.

I see, now I have a rough understanding. Looking at the error it seems like the attribute is not captured from the endpoint side. Hence CPPM cannot pull the information out to check.

So I actually have to enable Captive Portal for this case, in order for the "minutes-since-auth" attribute to work?

Thanks :)

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Mac Caching Error

The minutes-since-auth field is used to identify the last time a user logged on with their username and password so this would require a captive portal.

What do you want to do with devices after the 90 days? Disconnect them? They would only reconnect again automatically unless you blacklisted them.

You could enforce a session timeout using the Radius:IETF Session-Timeout attribute in an enforcement profile but this requires the NAS client to support the authentication server setting the reauthentication interval. Again this would only disconnect the client temporarily as it is likely to automatically reconnect unless something is preventing them from doing this.

David
ACDX #98 | ACMP | ACCP
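
A simplified model of the behaviour discussed in this thread, added here as an example (it is not ClearPass code and not from any poster): a MAC-caching check needs a prior username/password login to measure from, and a Session-Timeout value can cap the session at the remaining cache lifetime. The function names, decision labels and the idea of deriving the timeout from the remaining lifetime are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

CACHE_LIFETIME = timedelta(days=90)  # the thread's target; the testbed used 15 minutes
MAX_SESSION_TIMEOUT = 2**32 - 1      # Session-Timeout is a 32-bit count of seconds (RFC 2865)


def minutes_since_auth(last_user_auth: Optional[datetime], now: datetime) -> Optional[int]:
    """Minutes since the last username/password login, or None if there never was one."""
    if last_user_auth is None:
        return None
    return int((now - last_user_auth).total_seconds() // 60)


def evaluate_mac_auth(last_user_auth: Optional[datetime], now: datetime,
                      lifetime: timedelta = CACHE_LIFETIME) -> Tuple[str, Optional[int]]:
    """Return (decision, session_timeout_seconds) for one MAC authentication request."""
    age = minutes_since_auth(last_user_auth, now)
    if age is None:
        # MAC-only deployment: no captive portal login ever set the timestamp,
        # so a rule comparing minutes-since-auth has no value to test.
        return ("no-cached-login", None)
    limit = int(lifetime.total_seconds() // 60)
    if age >= limit:
        return ("expired-send-to-portal", None)
    # Cap the session at what is left of the cache lifetime. This only takes
    # effect if the NAS honours a server-supplied Session-Timeout.
    remaining_seconds = (limit - age) * 60
    return ("allow-cached", min(remaining_seconds, MAX_SESSION_TIMEOUT))


if __name__ == "__main__":
    now = datetime(2015, 7, 29, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    samples = {  # constructed endpoint records: label -> last portal login
        "mac-only device": None,
        "portal login 10 days ago": now - timedelta(days=10),
        "portal login 91 days ago": now - timedelta(days=91),
    }
    for label, last_login in samples.items():
        print(label, "->", evaluate_mac_auth(last_login, now))
```
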