Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

No Enforcement Profile given in ClearPass

  • 1.  No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:35 PM

    We are in the beginning of a ClearPass rollout, with HP 3800's as our access layer. We have a MAC list for phones, and those are working via mac-based auth. Right now there is a pilot of one port - mine - using ClearPass. My laptop is plugged into the back of the phone, and although I get online and placed in the correct vlan, there is no actual enforcement profile given in the Access Tracker. I am also seeing this in the logs:

     

    2016-05-06 13:37:26,721[RequestHandler-1-0x7fddcf5fa700 h=5059398 c=R00025174-01-572ce466] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2016-05-06 13:37:26,722[RequestHandler-1-0x7fddcf5fa700 r=R00025174-01-572ce466 h=5059397 c=R00025174-01-572ce466] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - ResultSet is empty
    2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=Owner]

    Any ideas what might be going on there? the only thing I could find on this site was to verify that the Insight Repository was an authorization source in the service, and it is.

     

    TIA,

     

    Russell



  • 2.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:37 PM
    Can you post a screenshot of the expanded output tab? 


  • 3.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:42 PM
      |   view attached

    Sure thing. Just in case, here is also the relevant HP switch portion of the config:

     

    aaa accounting exec start-stop radius
    aaa accounting network start-stop radius
    aaa accounting system start-stop radius
    aaa authentication login privilege-mode
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local
    aaa authentication ssh login tacacs local
    aaa authentication ssh enable tacacs local
    aaa authentication port-access eap-radius
    aaa port-access gvrp-vlans
    aaa port-access authenticator 1/9
    aaa port-access authenticator 1/9 quiet-period 5
    aaa port-access authenticator 1/9 logoff-period 862400
    aaa port-access authenticator 1/9 client-limit 5
    aaa port-access authenticator active
    aaa port-access mac-based 1/9
    aaa port-access mac-based 1/9 addr-limit 5
    aaa port-access mac-based 1/9 logoff-period 862400
    aaa port-access mac-based 1/9 quiet-period 30
    aaa port-access mac-based addr-format single-dash
    aaa port-access 1/9 mixed

     

    Thanks



  • 4.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:47 PM
    That looks like the web auth service handling the health check. You should also have a separate MAC auth servic. 


  • 5.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:57 PM
      |   view attached

    it fails mac auth because only the phones are supposed to mac auth, but here it is failing the mac auth.



  • 6.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 04:07 PM

    Sorry, I'm not following. So the phone is being MAC authenticated and the laptop is doing 802.1X?



  • 7.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 04:47 PM

    That is correct



  • 8.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 04:52 PM
    What does the expanded output tab of the 802.1X request look like?


  • 9.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 05:00 PM

    That was the first picture I attached.

     



  • 10.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 05:24 PM
    Please export the 802.1X access tracker request and post.


  • 11.  RE: No Enforcement Profile given in ClearPass

    Posted May 09, 2016 09:50 AM
      |   view attached

    Attached

    Attachment(s)

    zip
    DashboardDetails (1).zip   19 K 1 version


  • 12.  RE: No Enforcement Profile given in ClearPass

    Posted May 09, 2016 02:27 PM

    It appears that the problem stems from the fact that there is no Endpoint information in the input profile of the device. Annoying to me is that I have an instance of CPPM running in QA, configured the same, same version, HP 3800 in QA, same config (CPPM-wise, but pointing at the prod CPPM), and the QA CPPM is getting the Endpoint info that the production CPPM isn't. They are using different radius keys and SNMP strings in QA and prod. Are there any special characters that aren't allowed by CPPM? Or, they are accepted, but cause problems?