Security

last person joined: 19 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Error message for Role Mapping Policy - CPPM

Jump to Best Answer
  • 1.  Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 12:58 AM

    Hi All,

     

    We have a following Client requirement 

     

    1. Authentication type is EAP-TLS.........working fine.

     

    2.For different  AD group of users we have enforce different VLAN depending on group name........not working.

     

    The issue we are faicng is when we created role mapping policy for different AD Groups i am getting following error messages.

     

    Kindly let me know how to resolve this issue.

     

     

     

    Request log details for session: R00000030-11-5225c73a
    Time 	Message
    2013-09-03 16:55:46,085 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 15:254:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,092 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-132 h=223 r=R00000030-11-5225c73a] INFO Core.ServiceReqHandler - Service classification result = Certificate_based_Test
    2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Certificate_based_Test"
    2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: searching for user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
    2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: found user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
    2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2013-09-03 16:55:46,096 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 15:76:D4-3D-7E-12-A5-49:0x00a40087002f00e73b010000d3e70a303a32a52dea8f6f95c95bd811
    2013-09-03 16:55:46,112 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 16:386:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read finished A
    2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 16:225:D4-3D-7E-12-A5-49:0x00f70020002b00c73c010000520e47f9ab1f806777c5c9926f39fd6e
    2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 17:318:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Session established.
    2013-09-03 16:55:46,124 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr d43d7e12a549
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3354 entity id = 29
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3354
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3354|entityId=29
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3354|entity=Device
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2013-09-03 16:55:46,132 	[RequestHandler-1-0x7f2fad3e9700 h=1236 c=R00000030-11-5225c73a] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2013-09-03 16:55:46,132 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups]
    2013-09-03 16:55:46,133 	[RequestHandler-1-0x7f2fad3e9700 h=1237 c=R00000030-11-5225c73a] INFO Core.PETaskRoleMapping - Roles: Guest], Machine Authenticated]
    2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1240 c=R00000030-11-5225c73a] INFO Core.PETaskEnforcement - EnfProfiles: Cert_based_NAC_infrastructure
    2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1245 c=R00000030-11-5225c73a] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Cert_based_NAC_infrastructure
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 10800
    2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 h=1246 c=R00000030-11-5225c73a] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1244 c=R00000030-11-5225c73a] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2013-09-03 16:55:46,138 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1242 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xe01eeb5fba974171b4bba595e0ae50d1d80b0000000000005230303030303033302d31312d35323235633733610000000000000000000000
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 h=1247 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

     

     


    #AP225


  • 2.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:02 AM
    Can paste some screen shots of your services.


  • 3.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:22 AM

    Here is a same of a basic enforcement based and MemberOF in AD. Just make sure you add the AD as an Authorization source.

     

    screenshot_10 Sep. 04 00.14.gif

     

    screenshot_08 Sep. 04 00.13.gif

     

    screenshot_09 Sep. 04 00.13.gif



  • 4.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:38 AM

    I could not able to attach the created service here please let me know how to attach it.



  • 5.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:41 AM

    Just click the button in the bottom left coroner to add attachment.

     

    screenshot_01 Sep. 04 00.34.gif



  • 6.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:50 AM

    Hi,

     

    Please find the attached screen shot.

     

     



  • 7.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 02:02 AM

    Service looks OK.

    What does it show in access tracker? What error is it showing in the alerts tab.

    You can also use the policy simulation to test with.



  • 8.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 02:06 AM

    screenshot_03 Sep. 04 00.59.gif

     

    screenshot_04 Sep. 04 00.59.gif



  • 9.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 02:43 AM

    HI ,

     

    I have observed that in authorization part you have added Local user SQL DB.

     

    so whatever the roles i have created locally on CPPM where it will be stored whether i have to add any local user DB also in authorization TAB.

     

     



  • 10.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 02:47 AM
    I have local DB because I also test with local users with role mapping. If you not using local users then you don't need to add it.


  • 11.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 08:26 AM

    I have run into this same error.   Basicallly you are not able to read the memberOf attributes of the logged on user.  If you look at the "Computed Attributes" within Access Tracker, under the Input tab and under the Authorization Attributes; you'll likely not see any "memberOf" attributes; only UserDN.

     

    I've seen this at a couple of customers.  One instance, the user was not a member of any groups aside from Domain Users (does not show as memberOf when set as primary group; this is normal).   The other instance we resolved it by elevating the permissions of the Bind account.

     

    We verified this using an LDAP Browser using the Bind account; it it could not see those attributes despite having permission to.   Elevating permissions was OK with that customer, so we did not contact support to see if it was a known issue.



  • 12.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 08, 2013 11:39 AM
      |   view attached

    Hi Clembo,

     

    Yes we are getting only User DN attribute when we look on access tarcker authorization part.

     

    I have attached the attribute what we are getting in authorization part.

     

    So can you explain be briefly what we have to do for resolving this issue. I am little bit weak in AD so can u give me any document or any screen shot for how to give the permissions for BIND ACCount.

     

    Regards,

    Nithin Kumar C V



  • 13.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 08, 2013 08:00 PM

    Just to to test/confirm.


    Check what account is used as the Bind account under the AD Authentication Source.  Check what permissions that account has in AD.  Then, add it to a higher priveleged group; Domain Admins for example.  ****This is usually not necessary; just want to see if it helps with you reading all the needed attributes.   Make sure the group change has replicated to the DC you are using for your authentication against in your AD authentication source.

     

    Are the results any different?



  • 14.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 10, 2013 04:14 AM

    Hi All,

     

    In my case whats happening is the domain machine is authenticating and in AD all the domain machine are in single OU so its not differenticating the user.

     

    we think for this we need user authentication to happen so that we can diffrentiate the users and to get there desired VLAN so we need clarification how to do user authentication on EAP-TLS.

     

    machine and user authentication for EAP-TLS or only User authentication for EAP-TLS

     

     

    As per the end user they have issued the certificate for each user also.

     

    Regards,

    Nithin Kumar C V



  • 15.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 11, 2013 03:13 AM

    :(



  • 16.  RE: Error message for Role Mapping Policy - CPPM
    Best Answer

    Posted Sep 13, 2013 09:39 AM

    You could still accomplish this by putting the computers in groups and use your mappings based on that vs. OU placement.  

     

    If you want to use user and computer EAP-TLS this is possible.   The configuration is really on the client side.  Windows has a setting that says whether to user User Authentication, Computer Authentication, or User or Computer Authentication.    This setting is under the Advanced Settings button of the wireless configuration.

     

    • If User Authentication - Device only will get on wireless network when the user logs in using the user's credentials/certificate
    • If Computer Authentication - Device will use computer credentials/certifiate pre user logon and post user logon
    • If User or Computer Authenticaton - Device will connect to the wireless network using the computer's credentials/certificate when no user is logged in.  When a user logs in, Windows will reauthenticate the device with the user credetials/certificate

    If you want to use EAP-TLS and ClearPass to not only authenticate the users, but to also authorize them based upon groups or other attributes, you may need to turn on Certificate Comparison in the EAP-TLS Authentication Method you are using for your service; if you haven't already (I usually create a new EAP-TLS method for my customers with this).

     

    cp-tls-compare.jpg

     



  • 17.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 16, 2013 04:52 AM

    Thanks a lot for your support and guide lines.

     

    :)