- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Subscription ID and guest services
Subscription ID and guest services
01-12-2016 08:55 AM
We are running to 6.4.7 Clearpass VMs with 10k policy manager licensees (2291 being used) and 50 enterprise licenses for guest access ( 4 of which are being used).
Just found out our Subscription ID is expired. We are having an issue with guest users getting invalid username and password errors after completing guest registration.
Nothing has changed and our licenses are ok as well.
My question is does the subscription ID affect the guest access function? Does guest access quit working when the subscription is expired?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-12-2016 10:18 AM
The subscription ID only pertains to updates. You should check Access Tracker to find out why the guest authentications are failing.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-12-2016 10:25 AM
It just says unknown even after successfully signing up for a Guest account and trying to login.
It worked perfectly fine up until the last month or so. Which was when our subscription ended roughly
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-12-2016 11:43 AM
we had several instances were the subscription was expired and it never affected auths.
something seems pretty wrong looking at those messages, open a TAC case if you can, which might be tricky if your support expired.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-12-2016 12:39 PM
After digging further heres what Ive found out
It passes authentication if you change the email address, which is what we use for usernames.
I tried 2 different email addresses. The one at yahoo worked, my work email did not. (see screenshot)
This also seems to be happening only on Apple devices.
Android and Windows appear to function just fine.
I have cleared the cache on clearpass thinking this would help but still have issues with work email being used as a username, personal email passes authentication
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-12-2016 06:26 PM
Troy
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-13-2016 07:24 AM
Well when using personal email address it updates the endpoint and passes authentication.
When I use work email address it gives error code 206, sometimes 216 denied by policy.
We are using MAC caching.
I attached our service rules.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-13-2016 07:28 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-13-2016 07:38 AM
it used to work fine with work email addresses or personal addresses. Now it is rejecting them for some unknown reason.
I even increased the number of unique devices able to connect, deleted all cached sources, deleted all guest account and still having issues.
We never had to use a qualified username in the past and it just worked.
We created an AD group to allow service desk staff to login without creating a full account to register mobile devices with Airwatch. Thats why it looks to AD
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Subscription ID and guest services
Re: Subscription ID and guest services
01-13-2016 07:44 AM
It's likely because your auth source is using sAMAcccountName which will not match UPN.
Duplicate your AD auth source and change the authentication filter to this:
(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))
Add that to your web login service and see if it works for you.
We can't use strip username rules in this case becaues of the guest emails.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator