Occasional Contributor I

Subscription ID and guest services

We are running two 6.4.7 ClearPass VMs with 10k policy manager licenses (2291 being used) and 50 enterprise licenses for guest access (4 of which are being used).

Just found out our Subscription ID is expired. We are having an issue with guest users getting invalid username and password errors after completing guest registration.

Nothing has changed and our licenses are ok as well.

My question is does the subscription ID affect the guest access function? Does guest access quit working when the subscription is expired?

Aruba Employee

Re: Subscription ID and guest services

The subscription ID only pertains to updates. You should check Access Tracker to find out why the guest authentications are failing.

Occasional Contributor I

Re: Subscription ID and guest services

It just says unknown even after successfully signing up for a Guest account and trying to log in.

It worked perfectly fine up until the last month or so. Which was when our subscription ended, roughly.

Re: Subscription ID and guest services

We had several instances where the subscription was expired and it never affected auths.

Something seems pretty wrong looking at those messages, open a TAC case if you can, which might be tricky if your support expired.

Occasional Contributor I

Re: Subscription ID and guest services

After digging further, here's what I've found out:

It passes authentication if you change the email address, which is what we use for usernames.

I tried 2 different email addresses. The one at yahoo worked, my work email did not. (see screenshot)

This also seems to be happening only on Apple devices.

Android and Windows appear to function just fine.

I have cleared the cache on ClearPass thinking this would help but still have issues with work email being used as a username; personal email passes authentication.

Aruba

Re: Subscription ID and guest services

What was the reason for the rejection?
Thank You,
Troy

Occasional Contributor I

Re: Subscription ID and guest services

Well, when using a personal email address it updates the endpoint and passes authentication.

When I use a work email address it gives error code 206, sometimes 216 denied by policy.

We are using MAC caching.

I attached our service rules.

Guru Elite

Re: Subscription ID and guest services

Are they using their fully qualified username? (username@domain.com)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Subscription ID and guest services

It used to work fine with work email addresses or personal addresses. Now it is rejecting them for some unknown reason.

I even increased the number of unique devices able to connect, deleted all cached sources, deleted all guest accounts and am still having issues.

We never had to use a qualified username in the past and it just worked.

We created an AD group to allow service desk staff to log in without creating a full account to register mobile devices with Airwatch. That's why it looks to AD.

Guru Elite

Re: Subscription ID and guest services

It's likely because your auth source is using sAMAccountName which will not match UPN.

Duplicate your AD auth source and change the authentication filter to this:

(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

Add that to your web login service and see if it works for you.

We can't use strip username rules in this case because of the guest emails.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
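
The filter from the reply above, evaluated against a sample directory entry to show why a sAMAccountName-only lookup misses a UPN-style username while the combined filter matches both forms. This is an added example, not code from the thread or from Aruba; the entry (jdoe, corp.example), the small filter evaluator and the RFC 4515 escaping of the substituted username are assumptions made for illustration and say nothing about how ClearPass performs the substitution.

```python
import re

# Filter from the reply above, and its first branch alone (sAMAccountName only).
COMBINED = ("(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
            "(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))")
SAM_ONLY = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"

# Constructed sample entry (not from the thread); objectClass is modelled as a
# single value for brevity, although it is multi-valued in AD.
ENTRIES = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "objectClass": "user"},
]

def escape(value):
    """RFC 4515 escaping so a username cannot change the filter structure."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the (&...), (|...) and (attr=value) subset of RFC 4515."""
    assert f[i] == "("
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip this node's closing ")"
    end = f.index(")", i)                 # escaped parens never appear raw
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, unescape(value)), end + 1

def matches(node, entry):
    if node[0] == "=":
        # AD compares these attributes case-insensitively.
        return entry.get(node[1], "").lower() == node[2].lower()
    results = [matches(k, entry) for k in node[1]]
    return all(results) if node[0] == "&" else any(results)

def lookup(template, username):
    """Substitute the username into the filter and return matching accounts."""
    flt = template.replace("%{Authentication:Username}", escape(username))
    tree, _ = parse(flt)
    return [e["sAMAccountName"] for e in ENTRIES if matches(tree, e)]
```

A guest email that belongs to no AD account matches neither branch, so the combined filter does not change how guest usernames are treated by the AD source.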