Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass - WLC host/user authentication

  • 1.  ClearPass - WLC host/user authentication

    Posted Oct 30, 2020 09:20 AM
    Hi community,

    I am new here, and if this is not the appropriate forum please let me know.

    I am facing a little "cosmetic" issue in our ClearPass/WLC setup.
    Let me introduce our setup: we have 2 CP and 2 WLC 7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F switches in tunneled node mode.

    I configured a policy that authenticates endpoints using 802.1X, and the role assigned to an endpoint depends on whether there is a successful host or user authentication (it is a little bit simplified, but it's like that).
    Now, I have a policy where Windows clients start with PEAP authentication using the machine name or username.
    I can see on ClearPass that the authentication process is like this:
    1. Machine boots up and authenticates itself as machine - 29.10. 7:15
    2. User logs in and authenticates himself as user mobu2 - 29.10. 7:16
    3. User logs out and the machine authenticates itself as machine - has not happened so far

    When the endpoint is authenticated as a machine, it receives the role DomainPC via a DUR enforcement profile.
    When the endpoint is authenticated as a user, it receives the role Employee via a DUR enforcement profile.

    All is working fine as far as I can tell: the roles are assigned correctly and the policies are also enforced correctly on the WLC. The issue is what is displayed in the WLC GUI, resp. in the CLI user table.
    I can see the endpoint has the correctly assigned role of Employee, but the authentication field is still filled with the machine authentication username. Below is a screenshot from the WLC clients page (btw, the same is visible in AirWave, and the same in the CLI show user-table).

    This is the scenario for approx. 90% of endpoints of this type. The rest of the clients are displayed correctly as user authenticated and with the correct role:

    And also when the user does not log in, I can see that such computers are correctly displayed as machine authenticated with the DomainPC role:

    I am worried about this because it is confusing for helpdesk operators, and it is definitely not correctly displayed info.
    Has something like this happened to you as well? Is this some kind of bug, or am I missing some configuration?

    Just for info: Clearpass 6.8.5, WLC

    Thanks a lot for

    Tomas Backo

  • 2.  RE: ClearPass - WLC host/user authentication

    Posted Oct 30, 2020 08:34 PM

    Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

    Radius:IETF User-Name = %{Authentication:Full-Username}

    Zak Emerick

  • 3.  RE: ClearPass - WLC host/user authentication

    Posted Nov 03, 2020 05:02 AM
    Hi Zak,

    thank you for your time. We are using a tunneled-node-server configuration, so my enforcement profile looks like this:

    I am not sure how you mean it: I am unable to send a Radius:IETF value to the switch using the above profile. Also, on the switch itself, I can see that the username and role mapping are correctly updated after user authentication. Just the WLC seems not to be updated, but I am not sure how I can update the WLC, as the only interaction between ClearPass and the WLC is via the switch downloadable user role profile displayed above.

    Thank you for your help!

    Tomas Backo

  • 4.  RE: ClearPass - WLC host/user authentication

    Posted Nov 03, 2020 05:24 PM
    Create another enforcement profile to send back the username. It doesn't matter if it is a switch or a WLC.

    ACCX #1239 || ACEP || ACSP || CWNA || CWSP

  • 5.  RE: ClearPass - WLC host/user authentication

    Posted Nov 04, 2020 09:01 AM
    Hi Zak,

    I did it exactly as you said, so an additional profile with the RADIUS username, and assigned it to the same role mapping policy.
    This is how the RADIUS request looks now. You can see that both enforcement profiles were assigned.
    The user is successfully authenticated, but on the WLC I can still see that the client is host authenticated. Thank you for your inputs.


    This is what I can see on the WLC client status page:

    This is the shortened output from the switch port where the device is connected:
    SK-DR41-01# sh port-access clients 3 detailed
       Port            : 3                     Authentication Type : 802.1x
       Client Status   : authenticated         Session Time        : 909 seconds
       Client name     : XXXX\sloarms      Session Timeout     : 0 seconds
       MAC Address     : dc4a3e-516641
       IP              : 10.x.x.x
       Downloaded user roles are preceded by *
     User Role Information
       Name                              : XXXX_DUR_Employee-3014-3
       Tunnelednode Server Redirect      : Enabled
       Secondary Role Name               : XXXX_Employee

    And this is the output of show user-table on the WLC:
    show user-table mac dc:4a:3e:51:66:41
        IP           MAC            Name                             Role           Age(d:h:m)  Auth            
    10.X.X.X  dc:4a:3e:51:66:41  host/XXXXSLOFAB21.XXXXEURO.LOCAL  XXXX_Employee  79:08:41    Tunneled-User-802.1X 

    Tomas Backo
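    Added example (not part of this thread, and not an Aruba or ClearPass tool): the two CLI outputs quoted above come from different boxes and in different MAC formats (2930F "dc4a3e-516641" vs. controller "dc:4a:3e:51:66:41"), so spotting the mismatch by eye across a whole site is tedious. The script below parses both outputs, normalises the MACs, classifies each identity as machine ("host/...") or user, and lists every client the switch sees as a logged-in user while the WLC user-table still shows the machine identity. The sample outputs are constructed in the layout quoted above; the hostnames, usernames, roles and addresses are made up.

```python
"""Cross-check the 2930F 'show port-access clients ... detailed' view against
the controller 'show user-table' to flag clients the WLC still lists under
the machine (host/...) identity after a user has logged in on the switch.
Example code written for this thread; not an Aruba tool."""
import re

NON_HEX = re.compile(r"[^0-9a-f]")

# Constructed sample outputs in the formats quoted in the thread (not real captures).
SWITCH_SAMPLE = """\
SK-DR41-01# sh port-access clients 3 detailed
   Port            : 3                     Authentication Type : 802.1x
   Client Status   : authenticated         Session Time        : 909 seconds
   Client name     : EXAMPLE\\jdoe          Session Timeout     : 0 seconds
   MAC Address     : dc4a3e-516641
   IP              : 10.0.0.41
   Port            : 4                     Authentication Type : 802.1x
   Client Status   : authenticated         Session Time        : 120 seconds
   Client name     : EXAMPLE\\asmith        Session Timeout     : 0 seconds
   MAC Address     : dc4a3e-516642
   IP              : 10.0.0.42
   Port            : 5                     Authentication Type : 802.1x
   Client Status   : authenticated         Session Time        : 30 seconds
   Client name     : host/PC43.EXAMPLE.LOCAL  Session Timeout   : 0 seconds
   MAC Address     : dc4a3e-516643
   IP              : 10.0.0.43
"""

WLC_SAMPLE = """\
show user-table
    IP           MAC            Name                             Role           Age(d:h:m)  Auth
10.0.0.41  dc:4a:3e:51:66:41  host/PC41.EXAMPLE.LOCAL  EXAMPLE_Employee  79:08:41    Tunneled-User-802.1X
10.0.0.42  dc:4a:3e:51:66:42  EXAMPLE\\asmith          EXAMPLE_Employee  00:00:02    Tunneled-User-802.1X
10.0.0.43  dc:4a:3e:51:66:43  host/PC43.EXAMPLE.LOCAL  EXAMPLE_DomainPC  00:00:01    Tunneled-User-802.1X
"""


def normalize_mac(mac: str) -> str:
    """'dc4a3e-516641', 'DC:4A:3E:51:66:41', ... -> 'dc:4a:3e:51:66:41'."""
    digits = NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def auth_identity_kind(name: str) -> str:
    """Windows machine authentication presents 'host/<fqdn>'; anything else is a user."""
    return "machine" if name.lower().startswith("host/") else "user"


def parse_switch_clients(text: str) -> dict:
    """Parse 'show port-access clients <port> detailed' into {mac: client name}.
    'Client name' precedes 'MAC Address' in each client block, so pair them in order."""
    clients, name = {}, None
    for line in text.splitlines():
        m = re.search(r"Client name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.search(r"MAC Address\s*:\s*([0-9a-fA-F:-]+)", line)
        if m and name is not None:
            clients[normalize_mac(m.group(1))] = name
            name = None
    return clients


# First six columns of 'show user-table'; extra trailing columns are ignored.
WLC_ROW = re.compile(
    r"^\s*(?P<ip>\S+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<name>\S+)\s+(?P<role>\S+)\s+(?P<age>\S+)\s+(?P<auth>\S+)"
)


def parse_wlc_user_table(text: str) -> dict:
    """Parse 'show user-table' rows into {mac: {ip, name, role, auth}}."""
    entries = {}
    for line in text.splitlines():
        m = WLC_ROW.match(line)
        if m:
            entries[normalize_mac(m["mac"])] = {
                "ip": m["ip"], "name": m["name"], "role": m["role"], "auth": m["auth"]}
    return entries


def find_stale_entries(switch_clients: dict, wlc_entries: dict) -> list:
    """Return (mac, switch name, wlc name) for clients the switch sees as a
    logged-in user while the WLC user-table still reports the machine identity."""
    stale = []
    for mac, switch_name in switch_clients.items():
        wlc = wlc_entries.get(mac)
        if wlc is None:
            continue  # not tunnelled to this controller; nothing to compare
        if auth_identity_kind(switch_name) == "user" and auth_identity_kind(wlc["name"]) == "machine":
            stale.append((mac, switch_name, wlc["name"]))
    return stale


def report(switch_text: str = SWITCH_SAMPLE, wlc_text: str = WLC_SAMPLE) -> list:
    """Print and return the stale entries for the two outputs."""
    stale = find_stale_entries(parse_switch_clients(switch_text), parse_wlc_user_table(wlc_text))
    for mac, switch_name, wlc_name in stale:
        print(f"{mac}: switch sees {switch_name}, WLC user-table still shows {wlc_name}")
    return stale


if __name__ == "__main__":
    report()
```

    On the sample data only the first client is flagged: port 4 shows the same user on both sides and port 5 is a machine-only session, which is the expected state when nobody is logged in. Feed it the real outputs (paste them in place of the two sample strings, or read them from files) to get a list per switch instead of checking clients one at a time in the controller GUI.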

  • 6.  RE: ClearPass - WLC host/user authentication

    Posted Nov 04, 2020 03:27 PM
    This may be a bug; I will have to put this in my lab to confirm.

    The RADIUS:IETF User-Name attribute should take precedence over everything else. However, it seems like the switch is only passing up the first authenticated user for that particular MAC address.

    Over time, does the controller ever update with the correct username? 8.x has had its issues with UI bugs.

    ACCX #1239 || ACEP || ACSP || CWNA || CWSP

  • 7.  RE: ClearPass - WLC host/user authentication

    Posted Nov 05, 2020 04:21 AM
    Hi Zak,

    so far I can see that some of the endpoints are displayed as "user" logged in.
    But unfortunately I am unable to find any reason why this one endpoint is displayed as "host" and another one as "user".
    It seems to be a very random distribution. The only thing I can say is that approx. 90% are displayed as "host".


    Tomas Backo