01-12-2016 08:55 AM
We are running two 6.4.7 ClearPass VMs with 10k policy manager licenses (2291 being used) and 50 enterprise licenses for guest access (4 of which are being used).
Just found out our Subscription ID is expired. We are having an issue with guest users getting invalid username and password errors after completing guest registration.
Nothing has changed and our licenses are ok as well.
My question is: does the subscription ID affect the guest access function? Does guest access quit working when the subscription is expired?
01-12-2016 10:25 AM
It just says unknown even after successfully signing up for a Guest account and trying to login.
It worked perfectly fine up until the last month or so, which was roughly when our subscription ended.
01-12-2016 11:43 AM
We had several instances where the subscription was expired and it never affected auths.
Something seems pretty wrong looking at those messages; open a TAC case if you can, which might be tricky if your support expired.
01-12-2016 12:39 PM
After digging further, here's what I've found out:
It passes authentication if you change the email address, which is what we use for usernames.
I tried 2 different email addresses. The one at yahoo worked, my work email did not. (see screenshot)
This also seems to be happening only on Apple devices.
Android and Windows appear to function just fine.
I have cleared the cache on ClearPass thinking this would help, but still have issues with work email being used as a username; personal email passes authentication.
01-12-2016 06:26 PM
01-13-2016 07:24 AM
01-13-2016 07:38 AM
It used to work fine with work email addresses or personal addresses. Now it is rejecting them for some unknown reason.
I even increased the number of unique devices able to connect, deleted all cached sources, deleted all guest accounts, and am still having issues.
We never had to use a qualified username in the past and it just worked.
We created an AD group to allow service desk staff to log in without creating a full account to register mobile devices with Airwatch. That's why it looks to AD.
01-13-2016 07:44 AM
It's likely because your auth source is using sAMAccountName, which will not match UPN.
Duplicate your AD auth source and change the authentication filter to this:
Add that to your web login service and see if it works for you.
We can't use strip username rules in this case because of the guest emails.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP