Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Mac Caching Error

  • 1.  Mac Caching Error

    Posted Jul 28, 2015 03:00 PM

    Hello Guys,

     

    Good day. Need some help here, I am trying to achieve the following:

    1/ Mac Authentication via Wired / Wireless (Open Authentication) - Working

    2/ Allow a mac authenticated devices to have access for 90 days - Having error

    *Note my testbed are set to 15 minutes for testing purpose

     

    Here is the screenshot of my Enforcement Rules:

    20150729-CPPM-Enforcement.png

     

    The error I am getting:

    20150729-CPPM-Insight-Error.png

     

    Once I removed the above Enforcement rules and add a simple [Authenticated Source = Vendor Authentication], everything seems to work perfectly normal.

     

    Need some help to get it working, at the moment cannot seems to figure out what is wrong :(

     

    Thanks in advance :)

     



  • 2.  RE: Mac Caching Error

    Posted Jul 28, 2015 05:55 PM
    Make sure you have the following enabled:
    - Insight in CPPM
    - Interim Accounting in CPPM
    - Accounting in the WLC and Switches


  • 3.  RE: Mac Caching Error

    Posted Jul 29, 2015 01:27 PM

    @victorfabian wrote:
    Make sure you have the following enabled:
    - Insight in CPPM
    - Interim Accounting in CPPM
    - Accounting in the WLC and Switches

    Hmm I have check that the following are enabled. But I am still getting the same error :(

     

    ClearPass:

    Interim Accounting is Enable (Service Parameters -> Log Accounting Interim-Update Packets = True)

    Insight is Enable

     

    WLC

    Interim Accounting is Enable

    Accounting Server Group are pointing to the right CPPM Server

     



  • 4.  RE: Mac Caching Error

    Posted Jul 30, 2015 04:13 AM

    Can you clarify whether you are doing any captive portal authentication prior to the MAC caching?

    If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication.

     

    Can you post screenshots from the other tabs of your MAC auth service?



  • 5.  RE: Mac Caching Error

    Posted Jul 30, 2015 09:36 PM

    @dg27 wrote:

    Can you clarify whether you are doing any captive portal authentication prior to the MAC caching?

    If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication.

     

    Can you post screenshots from the other tabs of your MAC auth service?


    Hmm I am not using Captive Portal Authentication for this case, just purely Mac Authentication.

     

    I see, now I have a rough understanding. Looking at the error it seems like the attribute are not captured from the end point side. Hence CPPM cannot pull the information out to check.

     

    So I have actually enable Captive Portal for this case, in order for for "minutes-since-auth" attribute to work?

     

    Thanks :)



  • 6.  RE: Mac Caching Error

    Posted Jul 31, 2015 04:23 AM

    The minutes-since-auth field is used to identify the last time a user logged on with their username and password so this would require a captive portal.

     

    What do you want to do with devices after the 90 days? Disconnect them? They would only reconnect again automatically unless you blacklisted them.

     

    You could enforce a session timeout using the Radius:IETF Session-Timeout attribute in an enforcement profile but this requires the NAS client to support the authentication server setting the reauthentication interval. Again this would only disconnect the client temporarily as it is likely to automatically reconnect unless something is preventing them from doing this.