Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass machine auth cache

Jump to Best Answer
  • 1.  Clearpass machine auth cache

    Posted Feb 08, 2019 10:51 AM

    I see in the configuratiion of the server on the top right of the screen there is a clear machine authentication cache link. This is good for clearning either per node or system-wide (appears to be a system wide option in 6.7) but is there a way to clear a specific targeted machine auth vs the entire cache? Also can you view the machine auth cache DB to dteremine time left for systems? 



  • 2.  RE: Clearpass machine auth cache

    Posted Feb 08, 2019 10:55 AM
    No, there is not. You can, however, create your own machine auth cache rules using endpoint attributes.


  • 3.  RE: Clearpass machine auth cache

    Posted Feb 08, 2019 11:07 AM

    You cannot remove a single machine from the cache or you cannot view the entire cache to see when a system's cache time is up? Which one, or do you mean no to both? Thank you for the reply and the help! I just need some clarification. 

     

    Jeff 



  • 4.  RE: Clearpass machine auth cache

    Posted Feb 08, 2019 11:09 AM
    Neither are possible.


  • 5.  RE: Clearpass machine auth cache
    Best Answer

    Posted Feb 08, 2019 11:26 AM

    Okay thank you very much for the assistance with this. 



  • 6.  RE: Clearpass machine auth cache

    Posted Feb 11, 2019 03:32 PM

    One last question on the machine cache. Since we are using PEAP and MS-CHAP for the inner, does CPPM see the same system via the system name regardless of wired or wireless connection? Scenario, PC boots up on wired and does a successful machine auth. User logs in and CPPM checks to ensure the a previous machine auth occured which it will find in the cache. User is then allowed on (mach + user auth required). When the same user switches to wireless and the wireless authentciation happens, I assume that a machine auth will not be required since the wired auth occured and the system is still cached. I know the MAC's are different but system name is the same. My concern is when a user switches to wireless they are being allowed on, and no machine auth shows in access tracker and I am just curious how CPPM is tying the wireless attempt to the wired machine auth given no system name has been sent by the machine for the wireless connection. Do we have a configuratioon error in CPPM possibly? 



  • 7.  RE: Clearpass machine auth cache
    Best Answer

    Posted Feb 11, 2019 04:03 PM
    No, it’s per network interface. EAP-TLS should be used if you require a consistent identity.


  • 8.  RE: Clearpass machine auth cache

    Posted Feb 12, 2019 03:41 PM

    Thank you, we have switched to EAP-TLS as the machine auth method at this poitn and things are working much better. THank you for the advice. I did notice in the on teh clearpass server for the EAP-TLS authetication method that there are a couple options checked that I am unsure of. Session resumption and session timeout. I think I know what session resumption provides, and for that to work I would need the fast reconnect configured on the supplicant correct? 

    ANd I am not sure what the session timeout is all about. We have customized that down to 1 hour from 6, but that was done awhile ago and I have no idea why. Could you please advise what that setting is all about? I have drawn no info on the searches so far. Thank you for all the help! 

     

    Jeff 



  • 9.  RE: Clearpass machine auth cache

    Posted Feb 12, 2019 03:45 PM
    You can disable session resumption. It is not supported across a cluster.


  • 10.  RE: Clearpass machine auth cache

    Posted Feb 12, 2019 03:58 PM

    Really?  thank you for that. We are running 6.7.7, still hold true for that version? 



  • 11.  RE: Clearpass machine auth cache
    Best Answer

    Posted Feb 12, 2019 04:01 PM
    Yes


  • 12.  RE: Clearpass machine auth cache

    Posted Feb 12, 2019 04:04 PM

    Tim you're a rock star, thank you very much!! 

     

    Jeff