Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

  • 1.  Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

    Posted Nov 20, 2015 02:03 PM

    We have encountered an issue where a machine connects to SSID A and performs machine auth successfully. Prior to the user auth the PC switches to SSID B. User attempts to auth and receives role restricted.

    We think that this result is due to no matching machine auth on SSID B.

    Thoughts?

    Thanks.


  • 2.  RE: Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

    EMPLOYEE
    Posted Nov 20, 2015 02:06 PM
    The machine authentication status of a device is retained regardless of the SSID the device is connected to. It is quite possible that the machine authentication has aged out in ClearPass. By default it is 24 hours.


  • 3.  RE: Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

    Posted Nov 20, 2015 02:24 PM

    Make sure "Use Cached Results" is checked on the Enforcement tab of the Service if you plan to make use of the prior machine auth state.



  • 4.  RE: Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

    Posted Nov 20, 2015 04:06 PM

    We have seen this issue in rare cases and it has exposed itself in reporting. We have machine auth in place for 1000 hours. So once the machine has authenticated it should be cached between SSID A and B. So regardless of where the user roams, machine auth is good and all that is left is the user auth.

    It's as if there is another secure or security related item that we have overlooked or some issue with a small percentage of clients.

    Use cached results is checked on the enforcement tab of the service per rfiler's response.

    Thanks



  • 5.  RE: Unique Clearpass authentication issue. Switching ssid's between a machine auth and a user auth.

    EMPLOYEE
    Posted Nov 20, 2015 04:09 PM
    KL,

    Are you doing the machine authentication checking on both SSIDs? Do you have a different service for each SSID or are you using a RADIUS attribute to enforce different policies between different SSIDs? Actually, why do you have two different 802.1X SSIDs, anyway?