Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Wired 802.1x service not working as expected

This thread has been viewed 42 times
  • 1.  Wired 802.1x service not working as expected

    Posted Apr 25, 2022 10:47 AM
    Hey Team!

    I am trying to deploy a solution of wired 802.1x with my aruba clearpass 6.9.7. I am not being able to cache the role assigned by the first machine authentication, when I am authenticating as user. I really need to keep the role linked with the endpoint at least until the user authentication.

    I have checked the checkbox "Use cached Roles and Posture attributes from previous sessions" , but it keeps not saving the role. I tried to extend the option behind cluster wide parameter "Policy result cache timeout" to 15 minutes without result.

    Does I have to do anything special in the role mapping side? How could I keep saved the role?

    Thanks!


    ------------------------------
    Unai Abrisqueta
    ------------------------------


  • 2.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted May 05, 2022 09:38 AM
    Do you see [Machine Authenticated] as role after the computer authentication?

    You should not do anything to keep the [Machine Authenticated] role cached. In the subsequent user authentication you should see both [User Authenticated] and [Machine Authenticated] under the roles in Access Tracker.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:50 AM
    Hi herman,

    I see both roles cached, the problem is that I don't see my custom role being cached although the role is assigned to the endpoint in the machine authentication, which takes place first.

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 4.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:52 AM
    The roles assigned by the system such as Machine authenticated and user authenticated are cached, but I am not able to force the clearpass to cache my custom role. Is there any way to do it?

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 5.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted May 20, 2022 09:51 AM
    Caching of your own roles is achieved with the tickbox: "Use cached Roles and Posture attributes from previous sessions" that is in the Enforcement tab of your service.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Wired 802.1x service not working as expected

    Posted May 06, 2022 11:11 PM

    Either you have to deploy EAP-TEAP,

    or

    1. create a new Endpoint attribute to flag infinitely the MAC address who has passed [Machine authenticated] once

    2. assign the flag via enforcement profile
    3. use reauthentication / coa and use authorization:endpointrepository:flag=true



    ------------------------------

    ------------------------------



  • 7.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:57 AM
    I guess that it should be a way to do it without creating a dumb attribute. It is strange to me seeing that CP is able to cache system generated roles and not the custom roles.

    ------------------------------
    Unai Abrisqueta
    ------------------------------