Wireless Access

JNJ
Occasional Contributor I
Posts: 6
Registered: ‎03-09-2015

Users login to Clearpass then go back to sign-in screen.

We have an Aruba Clearpass along with Aruba WLCs.  Guest users come up on the wireless network and hit a landing page where they sign in to the network.  They input their information, hit submit, and get the screen with the login button.  When they hit the login button, though, they're sent back to the sign-in screen.  There are no errors presented to the EU.

 

In the Clearpass Policy manager, I see that the user's login has been rejected.  The alert is typically that the user's account has expired/disabled.  These are users that are working just fine one day but not the next and without anyone even logging into Clearpass.  I had one this morning (Monday) after being out of the facility for 3 or 4 days at least.

 

To fix it, I went into the endpoints database (Identity/Endpoints) and removed his MAC address from the cached address list.  There are upwards of 18,000 in there, most listed as Unknown/Unprofiled.  This user's was listed as Known but unprofiled and he was listed as offline.

 

There was previously a timeout of 5 minutes on the caching that Aruba recommended we drop to 1 minute; I actually dropped it to 15 seconds.  This user made attempts that are under a minute to as many as 9 minutes apart.

 

Any suggestions?

Guru Elite
Posts: 8,648
Registered: ‎09-08-2010

Re: Users login to Clearpass then go back to sign-in screen.

So in all cases where the user is redirected, there is a reject? Are all of
the accounts disabled in AD?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
JNJ
Occasional Contributor I
Posts: 6
Registered: ‎03-09-2015

Re: Users login to Clearpass then go back to sign-in screen.

It would appear that in all cases there is a reject message.  Here is what this one received:

 

Cannot select appropriate authentication method
AUTHORIZATION: User account expired/disabled

 

As soon as I deleted his MAC from the endpoints database, and he closed all his browsers, he signed in just fine.  The accounts are unchanged; they are active in AD and typically just used wireless the day before.

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Users login to Clearpass then go back to sign-in screen.

[ Edited ]

Sounds like you have MAC Caching/endpoint tagging enabled and for some reason it is not working when a user logs in.

 

It's hard to say what the issue is, but it sounds like there must be an error in the logic of your service in either role mapping or enforcement profile. If clearing the endpoint makes this work, I would assume that your service is referencing a field in the Endpoint database and failing for some reason.

 

Can you post a screenshot of your Service and possibly the tracker error. Anything in the CPPM Event Viewer logs?

 

To confirm, this is working sometimes, but fails other times when a user has an Endpoint in the DB?

 

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
JNJ
Occasional Contributor I
Posts: 6
Registered: ‎03-09-2015

Re: Users login to Clearpass then go back to sign-in screen.

First, to let you know with apologies in advance...I'm a bit new to Clearpass so please bear with me if I'm unsure what you're looking for (you may need to be a little more explicit for me to track to your question).  

 

Here are the screen caps of the Services dialog and the error in Access Tracker.  Everything in the Event Viewer is just info entries; AV/AS updates, JAMF endpoint details updated, firmware/hotfix updates available...that sort of thing.  Nothing particularly interesting around the time of the errors.

 

CP-Service.jpg

 

CP-Error.jpg

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Users login to Clearpass then go back to sign-in screen.

No problem, it's got a lot of options and it's easy to get lost at first.

 

In your second image under Summary it should say which service was hit. My guess would be MHE Guest Access with MAC Caching, but it could also be MHE-Data Aruba 802.1X.

 

Find in the tracker which service was hit, then go to your services page and go into that service. From there we would want to see what is in the Authentication, Roles, and Enforcement tabs. This is where the logic is of how the user is authenticated. You can blank out any sensitive information if you don't want to post that.

 

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
JNJ
Occasional Contributor I
Posts: 6
Registered: ‎03-09-2015

Re: Users login to Clearpass then go back to sign-in screen.

Yes; it is Guest Access with MAC Caching.  Here are the shots:

 

CP-Services-Auth.png

CP-Services-Roles.png

CP-Services-Enf.png

 

 

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Users login to Clearpass then go back to sign-in screen.

Is this the MHE Guest MAC Authentication service or the MHE Guest Access with MAC Caching?

I think this might be the Guest MAC Authentication service since it is referencing the Endpoint database in the Roles tab. For a new guest there would not be an endpoint, so it makes no sense to check the endpoint.

If this is in fact the Guest Access with MAC Caching, I believe your role map is incorrect. Since this is a web login they will exist in the Guest DB, not the Endpoint DB.

Your role mapping should be referencing the GuestUser:Role ID.

Do you have another Role Mapping policy in the drop-down that is based on GuestUser rather than Endpoint?

-------------------
ACDX, ACCP, CISSP, CWNA
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Users login to Clearpass then go back to sign-in screen.

Try increasing the value for the amount of unique devices, or delete those devices from the guest repository.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
JNJ
Occasional Contributor I
Posts: 6
Registered: ‎03-09-2015

Re: Users login to Clearpass then go back to sign-in screen.

victorfabian wrote:

    Try increasing the value for the amount of unique devices, or delete those devices from the guest repository.


Where is this value stored?
