Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Wired 802.1x service not working as expected

  • 1.  Wired 802.1x service not working as expected

    Posted 28 days ago
    Hey Team!

    I am trying to deploy a wired 802.1x solution with my Aruba ClearPass 6.9.7. I am not able to cache the role assigned by the first machine authentication when I am authenticating as a user. I really need to keep the role linked with the endpoint at least until the user authentication.

    I have checked the checkbox "Use cached Roles and Posture attributes from previous sessions", but it still does not save the role. I tried to extend the option behind the cluster-wide parameter "Policy result cache timeout" to 15 minutes, without result.

    Do I have to do anything special on the role mapping side? How could I keep the role saved?

    Thanks!


    ------------------------------
    Unai Abrisqueta
    ------------------------------


  • 2.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted 18 days ago
    Do you see [Machine Authenticated] as role after the computer authentication?

    You should not do anything to keep the [Machine Authenticated] role cached. In the subsequent user authentication you should see both [User Authenticated] and [Machine Authenticated] under the roles in Access Tracker.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Wired 802.1x service not working as expected

    Posted 14 days ago
    Hi Herman,

    I see both roles cached, the problem is that I don't see my custom role being cached although the role is assigned to the endpoint in the machine authentication, which takes place first.

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 4.  RE: Wired 802.1x service not working as expected

    Posted 14 days ago
    The roles assigned by the system, such as Machine authenticated and user authenticated, are cached, but I am not able to force ClearPass to cache my custom role. Is there any way to do it?

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 5.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted 3 days ago
    Caching of your own roles is achieved with the tickbox: "Use cached Roles and Posture attributes from previous sessions" that is in the Enforcement tab of your service.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: Wired 802.1x service not working as expected

    Posted 16 days ago

    Either you have to deploy EAP-TEAP,

    or

    1. create a new Endpoint attribute to flag infinitely the MAC address that has passed [Machine authenticated] once
    2. assign the flag via enforcement profile
    3. use reauthentication / CoA and use authorization:endpointrepository:flag=true






  • 7.  RE: Wired 802.1x service not working as expected

    Posted 14 days ago
    I guess that there should be a way to do it without creating a dumb attribute. It is strange to me to see that CP is able to cache system-generated roles and not the custom roles.

    ------------------------------
    Unai Abrisqueta
    ------------------------------