Contributor I
Posts: 80
Registered: ‎04-29-2013

No Enforcement Profile given in ClearPass

We are in the beginning of a ClearPass rollout, with HP 3800's as our access layer. We have a MAC list for phones, and those are working via mac-based auth. Right now there is a pilot of one port - mine - using ClearPass. My laptop is plugged into the back of the phone, and although I get online and placed in the correct vlan, there is no actual enforcement profile given in the Access Tracker. I am also seeing this in the logs:

2016-05-06 13:37:26,721[RequestHandler-1-0x7fddcf5fa700 h=5059398 c=R00025174-01-572ce466] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2016-05-06 13:37:26,722[RequestHandler-1-0x7fddcf5fa700 r=R00025174-01-572ce466 h=5059397 c=R00025174-01-572ce466] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - ResultSet is empty
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=Owner]

Any ideas what might be going on there? The only thing I could find on this site was to verify that the Insight Repository was an authorization source in the service, and it is.

TIA,

Russell

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: No Enforcement Profile given in ClearPass

Can you post a screenshot of the expanded output tab? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: No Enforcement Profile given in ClearPass

Sure thing. Just in case, here is also the relevant HP switch portion of the config:

aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 1/9
aaa port-access authenticator 1/9 quiet-period 5
aaa port-access authenticator 1/9 logoff-period 862400
aaa port-access authenticator 1/9 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 1/9
aaa port-access mac-based 1/9 addr-limit 5
aaa port-access mac-based 1/9 logoff-period 862400
aaa port-access mac-based 1/9 quiet-period 30
aaa port-access mac-based addr-format single-dash
aaa port-access 1/9 mixed

Thanks

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: No Enforcement Profile given in ClearPass

That looks like the web auth service handling the health check. You should also have a separate MAC auth service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: No Enforcement Profile given in ClearPass

It fails mac auth because only the phones are supposed to mac auth, but here it is failing the mac auth.

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: No Enforcement Profile given in ClearPass

Sorry, I'm not following. So the phone is being MAC authenticated and the laptop is doing 802.1X?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: No Enforcement Profile given in ClearPass

That is correct

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: No Enforcement Profile given in ClearPass

What does the expanded output tab of the 802.1X request look like?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: No Enforcement Profile given in ClearPass

That was the first picture I attached.

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: No Enforcement Profile given in ClearPass

Please export the 802.1X access tracker request and post.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480