mac authentication with clearpass

I'm trying to do something really simple, and it is MAC authentication with ClearPass.

If the user has the MAC in the endpoint repository with device type staff, it's good.

If the endpoint does not have this device type staff, it would get the default policy, which is deny access.

I see on the ClearPass that it is doing what it should: if it has the device type, it is authenticating; if it does not have it, it gives it the deny profile and rejects it.

But on the controller I see the user connect even if the ClearPass sends it a deny profile, and I don't get what's wrong with it.

On the controller it is getting the initial role.

Here is the service

[Screenshots: isp1.PNG, isp2.PNG, isp3.PNG, isp4.PNG, isp5.PNG]

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: mac authentication with clearpass

Do you have a denyall role as an initial role?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: mac authentication with clearpass

Also, be sure the role you're returning exists on the controller.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: mac authentication with clearpass

No, so it takes the initial role if the ClearPass denies it?
But I thought that it would just reject him, not assign it the initial role.

Does this consume a Policy Manager licence? Even if it rejects it? I understand that it only consumes it if in ClearPass the auth is successful.
----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: mac authentication with clearpass

Rejected MAC authentications will drop the user to the initial role. Rejected authentications do not consume base licenses.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: mac authentication with clearpass

Thanks Tim, Victor, I just didn't know that it took the initial role when the user was rejected by ClearPass. I thought that the controller would just not let him connect...

Anyway, when I put the denyall role it won't let him connect anyway... I thought I would see it in the user table with the deny role, but it is not like that either... now those PCs are not able to connect.

Thank you again!

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: mac authentication with clearpass

The user will need to have an IP to show up in the user table, and the denyall is denying everything, including DHCP.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: mac authentication with clearpass

True that.

That was a silly question....

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp