(Not really a security related question but it's one of the few groups that actually include Clearpass and Clearpass related questions.... Where should general Clearpass questions go?)
Can someone please explain how Monitor Mode is supposed to work when creating a new Clearpass Service?
Optionally check the Enable to monitor network access without enforcement to allow authentication and health validation exchanges to take place between endpoint and Policy Manager, but without enforcement.
In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device.
Since the Services are top-down, similar to a firewall: if a service is put in place in monitor mode, does it not flow through to the next service? Because it does not appear to do so.
I put a new service into Monitor mode and enabled it expecting it to hit that service, log it (to be able to check on via Access Tracker), but pass through to the next Service which is the current, working service. It did not work this way.
It seems that it hit my test service, logged it, and stopped, never passing through to the next Service. It ended up causing access failures for many people since the next Service was never hit/reached.
Is this expected behavior? It was NOT what I was expecting. (What is the point of Monitor Mode if it breaks things?)
Thanks for the quick answer...
But I guess I'm being short sighted then. So when and why would you use Monitor Mode? I'm missing how it should be used. What circumstances does it work for?
And it would be nice if this type feature existed. Put a Service in place but have it pass through while still logging. You could then test out a Service... rather easily.
Sorry to revive this, but am bumping into the same thing -
So for us, we're doing wired 802.1X and MAC-based authentication with ClearPass. If I set up a test MAC-based authentication service in monitor mode, it'll send back an access accept. The problem is, we have multiple different VLANs for different device types, so I'm guessing that we can't use monitor mode, since we can't send back the VLAN name in the RADIUS response. Is this correct?
Monitor mode is used mostly during initial testing. When enabled, CPPM only sends an access accept to NAS devices; it won't send any enforcement profile configured in the service. In your case, if you want to test individual VLAN profiles, then instead of enabling monitor mode use the policy simulation tool to test whether the service you have configured is working fine.
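To make the difference concrete, here is an added example (my own, not from the thread or from HPE): a minimal RADIUS attribute parser that checks whether an Access-Accept actually carries a VLAN assignment in the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes (RFC 2868). A reply from a Service in Monitor Mode would be a bare Access-Accept, so the check returns None; the two packets are constructed samples with a zeroed authenticator, not real captures, and the assumption is that the switch takes its VLAN from these tunnel attributes.

```python
import struct
from typing import Optional

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def parse_attributes(pkt: bytes):
    """Yield (type, value) for each RADIUS attribute TLV after the 20-byte header."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    off = 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        yield atype, pkt[off + 2:off + alen]
        off += alen


def vlan_from_access_accept(pkt: bytes) -> Optional[str]:
    """Return the VLAN named in Tunnel-Private-Group-ID, or None when the reply
    carries no VLAN assignment (what a Monitor Mode service hands back)."""
    if pkt[0] != ACCESS_ACCEPT:
        return None
    attrs = dict(parse_attributes(pkt))
    ttype = attrs.get(TUNNEL_TYPE)
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE)
    grp = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or tmed is None or grp is None:
        return None
    # RFC 2868: first byte is a tag, the remaining 3 bytes are the integer value
    if int.from_bytes(ttype[1:], "big") != 13 or int.from_bytes(tmed[1:], "big") != 6:
        return None  # 13 = VLAN, 6 = IEEE 802; anything else is not a VLAN assignment
    if grp and grp[0] <= 0x1F:  # a leading byte > 0x1F is data, not a tag
        grp = grp[1:]
    return grp.decode("ascii", errors="replace")


def build_access_accept(attrs) -> bytes:
    """Build an Access-Accept with the given (type, value) attributes (constructed sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample packets: one with a VLAN, one bare like a Monitor Mode reply
FULL_REPLY = build_access_accept([
    (TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"VOICE"),
])
MONITOR_REPLY = build_access_accept([])
```

Running the same check over a packet capture of the switch's RADIUS traffic tells you whether the VLAN ever left ClearPass, which is what a Monitor Mode service will not do.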
Should a Service in Monitor mode result in an Access Tracker entry when hit by an access request?
Setting up Wired 802.1X authentication Service with a 2930F switch and I do see in debug on the switch
m8021xCtrl:Port 2: sent Success #2 to fc3fdb-375fe9 ...
but Access Tracker does not show any activity
Is the switch IP added in Configuration » Network » Devices? If not, try adding it and check.
Policy simulation triggers an Access Tracker entry; I have not tried monitor mode.
Ignore my question on missing Access Tracker entries for a service in Monitor Mode --> I forgot to 'aaa port-access authenticator active' on the switch.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.