last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Service Monitor Mode

This thread has been viewed 29 times
  • 1.  Clearpass Service Monitor Mode

    Posted Sep 14, 2018 09:53 AM

    (Not really a security related question but it's one of the few groups that actually include Clearpass and Clearpass related questions....  Where should general Clearpass questions go?)


    Can someone please explain how Monitor Mode is supposed to work when creating a new Clearpass Servcie?


    Docs say: 


    Optionally check the Enable to monitor network access without enforcement to allow authentication and health validation exchanges to take place between endpoint and Policy Manager, but without enforcement.

    In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device.



    Since the Services are top - down similar to a firewall. If a service is put in place, in monitor mode, does it not flow through to the next service? Because it does not appear to do so.


    I put a new service into Monitor mode and enabled it expecting it to hit that service, log it (to be able to check on via Access Tracker), but pass through to the next Service which is the current, working service. It did not work this way.


    It seems that it hit my test service, logged it, and stopped, never passing through to the next Service. It ended up causing access failures for many people since the next Service was never hit/reached.


    Is this expected behavior? It was NOT what I was expecting. (What is the point of Monitor Mode if it breaks things?)

  • 2.  RE: Clearpass Service Monitor Mode
    Best Answer

    Posted Sep 14, 2018 09:57 AM
    If the request matches the service, it will use that service and not continue to other services. This is not unique to monitor mode and is how the product works. Monitor mode simply means that instead of returning back full policy, only an access accept is sent.

  • 3.  RE: Clearpass Service Monitor Mode

    Posted Sep 14, 2018 10:19 AM

    Thanks for the quick answer...


    But I guess I'm being short sighted then. So when and why would you use Monitor Mode?  I'm missing how it should be used. What circumstances does it work for?


    And it would be nice if this type feature existed. Put a Service in place but have it pass through while still logging. You could then test out a Service... rather easily.

  • 4.  RE: Clearpass Service Monitor Mode

    Posted Sep 14, 2018 10:26 AM
    It’s for when you’re not ready to deploy policy, but want to see requests in real time to assist you in building policy without effecting end users.

  • 5.  RE: Clearpass Service Monitor Mode

    Posted Feb 15, 2019 09:31 AM

    Sorry to revive this, but am bumping into the same thing - 


    So for us, we're doing wired 802.1X and MAC-based authentication with ClearPass. If I setup a test MAC-based authentication service in monitor mode, it'll send back an access accept. The problem is, we have multiple different VLANs for different device types, so I'm guessing that we can't use monitor mode, since we can't send back the VLAN name in the RADIUS response. Is this correct?



  • 6.  RE: Clearpass Service Monitor Mode

    Posted Feb 15, 2019 09:50 AM

    communitry.PNGMonitor mode is used mostly during initial testing, when enabled CPPM only sends access accept to NAS devcies it wont send any enforcement profile configured in service. In your case, if you want to test individual VLANs proifle then instead of enabling montior mode use policy simulation tool to test whether service which you have configured is working fine?



  • 7.  RE: Clearpass Service Monitor Mode

    Posted Jan 03, 2020 08:32 AM

    Should a Service in Monitor mode, result in an Access Tracker entry when hit by an access request ?


    Setting up Wired 802.1X authentication Service with a 2930F switch and I do see in debug on the switch 


    m8021xCtrl:Port 2: sent Success #2 to fc3fdb-375fe9 ...


    but Access Tracker does not show any activity 

  • 8.  RE: Clearpass Service Monitor Mode

    Posted Jan 03, 2020 09:21 AM

    Did switch IP is added in Configuration » Network » Devices ?  If not try added and check.


    Policy simulation trigger access tracker entry,not tried montior mode.

  • 9.  RE: Clearpass Service Monitor Mode

    Posted Jan 03, 2020 09:22 AM

    Ignore my question on missing Access Tracker entries for a service in Monitor Mode --> I forgot to 'aaa port-access authenticator active' on the switch.