KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Unique ClearPass authentication issue. Switching SSIDs between a machine auth and a user auth.

We have encountered an issue where a machine connects to SSID A and performs machine auth successfully. Prior to the user auth the PC switches to SSID B. User attempts to auth and receives role restricted.

We think that this result is due to no matching machine auth on SSID B.

Thoughts?

Thanks.

Guru Elite
Posts: 20,018
Registered: ‎03-29-2007

Re: Unique ClearPass authentication issue. Switching SSIDs between a machine auth and a user auth.

The machine authentication status of a device is retained regardless of the SSID the device is connected to. It is quite possible that the machine authentication has aged out in ClearPass. By default it is 24 hours.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Aruba Employee
Posts: 33
Registered: ‎11-01-2012

Re: Unique ClearPass authentication issue. Switching SSIDs between a machine auth and a user auth.

Make sure "Use Cached Results" is checked on the Enforcement tab of the Service if you plan to make use of the prior machine auth state.

KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Re: Unique ClearPass authentication issue. Switching SSIDs between a machine auth and a user auth.

We have seen this issue in rare cases and it has exposed itself in reporting. We have machine auth in place for 1000 hours. So once the machine has authenticated it should be cached between SSID A and B. So regardless of where the user roams, machine auth is good and all that is left is the user auth.

It's as if there is another secure or security related item that we have overlooked or some issue with a small percentage of clients.

Use cached results is checked on the enforcement tab of the service per rfiler's response.

Thanks

Guru Elite
Posts: 20,018
Registered: ‎03-29-2007

Re: Unique ClearPass authentication issue. Switching SSIDs between a machine auth and a user auth.

KL,

Are you doing the machine authentication checking on both SSIDs? Do you have a different service for each SSID or are you using a RADIUS attribute to enforce different policies between different SSIDs? Actually, why do you have two different 802.1X SSIDs, anyway?
Colin Joseph
Aruba Customer Engineering
