I deployed a CPPM solution for 802.1X and MAB auth. Everything works, but I have one issue: CPPM doesn't respond to requests with a bad password/non-known MAC.
My service and policy configuration:
Authentication Method: Allow All MAC AUTH
Authentication Source: Endpoint Repository
Enforcement Type: RADIUS
Enforcement Policy: (Authentication:MacAuth EQUALS KnownClient) => Enforcement Profile Allow Access Profile
Default Profile: Deny Access Profile
1) The above service 'TEST MAC' is configured, and my RADIUS MAC-Auth request matches that service rule, which I see in syslog from CPPM and in Access-Tracker:
Syslog returns: Service classification result = TEST MAC
Access-Tracker returns: Output
Enforcement Profiles: [Deny Access Profile]
System Posture Status: UNKNOWN (100)
Audit Posture Status: UNKNOWN (100)
Error Code: 206
Error Category: Authentication failure
Error Message: Access denied by policy
Alerts for this Request
RADIUS [Endpoints Repository] - localhost: User not found. Applied 'Reject' profile
2) The request doesn't match the Enforcement Policy; as the MAC is not known, the Enforcement Profile 'Deny Access Profile' is used.
And my RADIUS client doesn't receive any response, just a RADIUS timeout. I adjusted the timeout to even 30 seconds, but got no response at all. I tested the same scenario with FreeRADIUS, which responds with Access-Reject to a not-known user/MAC, and I'm expecting the same behavior from CPPM. What should I change to achieve this?
I'm using ClearPass Policy Manager 126.96.36.199974
Just want to add that earlier I used the below radius-server settings on the client/network devices requesting auth with CPPM:
radius-server retransmit 1
radius-server timeout 10
And 10 seconds was too small a timeout to wait for the CPPM/RADIUS response. I increased the timeout to two minutes (120 seconds) and finally got the ACCEPT-REJECT response, but AFTER 31 seconds of waiting!
Can I adjust these timeouts somewhere within CPPM, or tell CPPM to respond more quickly?
I was digging and found the source of the problem. There is a variable 'Reject Packet Delay' (in the Security section) of Administration » Server Manager » Server Configuration - CPPM -> Service Parameters -> Radius Server.
The default value of this variable is '1' second. If I set it to 0 seconds, then CPPM RADIUS sends ACCESS-REJECT asap. If it's set to >0, then CPPM replies after 'Maximum Request Time' + 'Reject Packet Delay' seconds, which means 30 + 1 = 31 seconds. But why is it taking care of 'Maximum Request Time'? Is it a bug or expected behavior?
Rob
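To compare a server's actual reject latency with the NAS's `radius-server timeout`, as in the posts above, the following added example (not from the original thread or from Aruba) times a single MAB Access-Request until the reply arrives and verifies the reply against the shared secret. Assumptions: PAP-style MAB with the MAC as both User-Name and User-Password, hypothetical function names, and `fake_server` as a constructed local stand-in for the RADIUS server.

```python
import hashlib, os, socket, struct, threading, time

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding (MD5 keystream chained per 16-byte block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_mab_request(mac, secret, ident, req_auth):
    """Access-Request (code 1); assumes PAP-style MAB: MAC is user name and password."""
    user = mac.encode()
    pw = pap_hide(user, secret, req_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(pw) + 2]) + pw
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def time_reply(server, mac, secret, timeout):
    """Send one request; return (reply code, seconds waited), code None on timeout."""
    req_auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_mab_request(mac, secret, 1, req_auth), server)
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, time.monotonic() - start
        waited = time.monotonic() - start
    # Response Authenticator = MD5(code + id + length + request auth + attrs + secret)
    expect = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if reply[1] != 1 or reply[4:20] != expect:
        raise ValueError("reply does not verify against the shared secret")
    return reply[0], waited

def fake_server(secret, delay):
    """Constructed stand-in for the RADIUS server: Access-Reject after `delay` s."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def run():
        req, peer = srv.recvfrom(4096)
        time.sleep(delay)
        head = struct.pack("!BBH", 3, req[1], 20)
        srv.sendto(head + hashlib.md5(head + req[4:20] + secret).digest(), peer)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()
```

Pointing `time_reply` at a real server with a timeout larger than the expected delay shows the latency a network device must tolerate; a reply code of 3 is Access-Reject, and `None` means the client would have logged a RADIUS timeout.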
Thank you so much for posting your follow-ups! This was driving me crazy, and if it hadn't been for your post, I very probably would have lost my mind.
I actually logged into this site for the first time just to give kudos to this post, your replies, and to post here to say THANK YOU!