Wireless Access


Users login to Clearpass then go back to sign-in screen.

  • 1.  Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 09:46 AM

    We have an Aruba Clearpass along with Aruba WLCs.  Guest users come up on the wireless network and hit a landing page where they sign in to the network.  They input their information, hit submit, and get the screen with the login button.  When they hit the login button, though, they're sent back to the sign-in screen.  There are no errors presented to the EU.


    In the Clearpass Policy manager, I see that the user's login has been rejected.  The alert is typically that the user's account has expired/disabled.  These are users that are working just fine one day but not the next and without anyone even logging into Clearpass.  I had one this morning (Monday) after being out of the facility for 3 or 4 days at least.


    To fix it, I went into the endpoints database (Identity/Endpoints) and removed his MAC address from the cached address list.  There are upwards of 18,000 in there, most listed as Unknown/Unprofiled.  This user's was listed as Known but unprofiled and he was listed as offline.


    There was previously a timeout of 5 minutes on the caching that Aruba recommended we drop to 1 minute; I actually dropped it to 15 seconds.  This user made attempts that are under a minute to as many as 9 minutes apart.


    Any suggestions?



  • 2.  RE: Users login to Clearpass then go back to sign-in screen.

    EMPLOYEE
    Posted Mar 09, 2015 09:50 AM
    So in all cases where the user is redirected, there is a reject? Are all of
    the accounts disabled in AD?


  • 3.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 09:53 AM

    It would appear that in all cases there is a reject message.  Here is what this one received:


    Cannot select appropriate authentication method
    AUTHORIZATION: User account expired/disabled


    As soon as I deleted his MAC from the endpoints database, and he closed all his browsers, he signed in just fine.  The accounts are unchanged; they are active in AD and typically just used wireless the day before.



  • 4.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 09:54 AM

    Sounds like you have MAC Caching/endpoint tagging enabled and for some reason it is not working when a user logs in.


    It's hard to say what the issue is, but it sounds like there must be an error in the logic of your service in either role mapping or enforcement profile. If clearing the endpoint makes this work, I would assume that your service is referencing a field in the Endpoint database and failing for some reason.


    Can you post a screen shot of your Service and possibly the tracker error? Anything in the CPPM Event Viewer logs?


    To confirm, this is working sometimes, but fails other times when a user has an Endpoint in the DB?


    _ELiasz



  • 5.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 10:10 AM

    First, to let you know with apologies in advance...I'm a bit new to Clearpass so please bear with me if I'm unsure what you're looking for (you may need to be a little more explicit for me to track to your question).  


    Here are the screen caps of the Services dialog and the error in Access Tracker.  Everything in the Event Viewer is just info entries; AV/AS updates, JAMF endpoint details updated, firmware/hotfix updates available...that sort of thing.  Nothing particularly interesting around the time of the errors.


    CP-Service.jpg


    CP-Error.jpg



  • 6.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 10:16 AM

    No problem, it's got a lot of options and it's easy to get lost at first.


    In your second image under summary it should say which service was hit. My guess would be MHE Guest Access with MAC Caching, but could also be MHE-Data Aruba 802.1X


    Find in the tracker which service was hit, then go to your services page and go into that service. From there we would want to see what is in the Authentication, Roles, and Enforcement tabs. This is where the logic is of how the user is authenticated. You can blank out any sensitive information if you don't want to post that.


    _ELiasz



  • 7.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 10:27 AM

    Yes; it is Guest Access with MAC Caching.  Here are the shots:


    CP-Services-Auth.png

    CP-Services-Roles.png

    CP-Services-Enf.png




  • 8.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 10:33 AM

    Is this the MHE Guest MAC Authentication service or the MHE Guest Access with MAC Caching?

    I think this might be the Guest MAC Authentication service since it is referencing the Endpoint database in the roles tab. For a new guest there would not be an endpoint so it makes no sense to check the endpoint.

    If this is in fact the Guest Access with MAC Caching, I believe your role map is incorrect. Since this is a web login they will exist in the Guest DB, not the Endpoint DB.

    Your role mapping should be referencing the GuestUser:Role ID.

    Do you have another Role Mapping policy in the drop down that is based on GuestUser rather than Endpoint?
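    A small constructed model of the two role-mapping choices discussed in this reply, added here as an illustration and not ClearPass code: a rule keyed on Endpoint attributes finds nothing for a fresh web login, while a rule keyed on GuestUser:Role ID returns the guest's role, and the endpoint record only becomes useful for later MAC authentications once it has been tagged. The repository layout, attribute names ("Guest Role ID", "MAC-Auth Expiry") and the cache window are assumptions made for the example.

```python
# Constructed model of ClearPass-style guest role mapping; not ClearPass code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class GuestUser:                 # record in the Guest User repository (assumed shape)
    username: str
    role_id: str
    enabled: bool = True

@dataclass
class Endpoint:                  # record in Identity > Endpoints (assumed shape)
    mac: str
    status: str = "Unknown"      # Known/Unknown, as shown in the thread
    attributes: dict = field(default_factory=dict)

def map_role_via_endpoint(endpoints, mac):
    """Role mapping keyed on Endpoint attributes (the rule the reply suspects)."""
    ep = endpoints.get(mac.lower())
    if ep is None or ep.status != "Known":
        return None              # no role matched -> enforcement falls through to reject
    return ep.attributes.get("Guest Role ID")

def map_role_via_guestuser(guests, username):
    """Role mapping keyed on GuestUser:Role ID (what the reply recommends)."""
    gu = guests.get(username)
    if gu is None or not gu.enabled:
        return None
    return gu.role_id

def web_login(guests, endpoints, username, password_ok, mac, now,
              cache=timedelta(minutes=5)):
    """Captive-portal login: authenticate against the Guest DB, then tag the
    endpoint so that later MAC authentications can be cached."""
    role = map_role_via_guestuser(guests, username) if password_ok else None
    if role is None:
        return "REJECT"
    endpoints[mac.lower()] = Endpoint(mac.lower(), "Known", {
        "Guest Role ID": role, "Username": username,
        "MAC-Auth Expiry": now + cache})      # assumed cache-expiry attribute
    return role

def mac_auth(endpoints, mac, now):
    """Subsequent MAC authentication: only the cached endpoint record is consulted,
    so a missing, Unknown or expired record bounces the user back to the portal."""
    ep = endpoints.get(mac.lower())
    if ep is None or ep.status != "Known" or now > ep.attributes["MAC-Auth Expiry"]:
        return "REJECT"
    return ep.attributes["Guest Role ID"]
```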



  • 9.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 11:26 AM

    @ELiasz wrote:

    Is this the MHE Guest MAC Authentication service or the MHE Guest Access with MAC Caching?

    I think this might be the Guest MAC Authentication service since it is referencing the Endpoint database in the roles tab. For a new guest there would not be an endpoint so it makes no sense to check the endpoint.

    If this is in fact the Guest Access with MAC Caching, I believe your role map is incorrect. Since this is a web login they will exist in the Guest DB, not the Endpoint DB.

    Your role mapping should be referencing the GuestUser:Role ID.

    Do you have another Role Mapping policy in the drop down that is based on GuestUser rather than Endpoint?


    Eliasz - I posted some screen shots that should help.  This is guest with MAC caching.



  • 10.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 09:16 PM
    Can we also see a screencap of the Access Tracker failed attempt summary page? What TIPS roles are assigned?


  • 11.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 11:13 AM

    Try increasing the value for the amount of unique devices or delete those devices from the guest repository 



  • 12.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 11:23 AM

    @victorfabian wrote:

    Try increasing the value for the amount of unique devices or delete those devices from the guest repository 


    Where is this value stored?



  • 13.  RE: Users login to Clearpass then go back to sign-in screen.

    Posted Mar 09, 2015 09:06 PM
    I believe it's in the endpoint repository. I think he meant that in your enforcement profile you should change the enforcement rule to a higher value. It's in the 3rd screenshot you posted above.