If you have 4000 endpoints, there may be smarter and more reliable ways of getting what you try to do. With import/API or using some automated workflows or device (self) registrations, you have a lot of tools available in ClearPass.
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 14, 2025 05:32 AM
From: msun
Subject: Access Tracker
Thanks for the reply. I'll try that and see how it goes. I have about 4000 endpoints. I'm going on holiday today, so I think I'll wait until I'm back at work. I'll report back when it's tried.
Best Regards
Martin
Original Message:
Sent: Feb 14, 2025 03:58 AM
From: jonas.hammarback
Subject: Access Tracker
Depending on your environment, disabling the cache by setting the value to 0 will not have a performance impact. Maybe if you have a really large environment and the load on the servers is close to the designed maximum.
But in most cases the Endpoints repository database will load into memory and thus the access to the database will be quick. At least that's the information I have got from TAC. I usually have the cache for the Endpoints repository disabled on my customers.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 14, 2025 03:04 AM
From: msun
Subject: Access Tracker
Hi.
Thanks for the help. I can see it's set to 300 seconds, and that's why new endpoints only come on after that time, but if I set it down, I guess I get a lot more requests to the server/database.
It was mostly because I thought it was a long time to wait when I got new endpoints on, I'm moving a lot of devices and approving them manually.
Thanks for the help.
Best regards Martin
Original Message:
Sent: Feb 14, 2025 02:17 AM
From: jonas.hammarback
Subject: Access Tracker
Hi
The cache timeout value mentioned by @chulcher is found under Configuration \ Sources \ [Endpoints Repository] in the General tab.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 14, 2025 01:14 AM
From: msun
Subject: Access Tracker
Where can I see the Cache time?
I did not set up ClearPass myself, but took it over from someone else.
I have a time on my switches, is that it?
radius-server host 10.10.xx.xx time-window 30
I am learning and relatively new to ClearPass.
Original Message:
Sent: Feb 13, 2025 11:15 AM
From: chulcher
Subject: Access Tracker
That time period is going to be partially dependent on the NAD and how often it attempts to authenticate the client session.
What is the "Cache Timeout" set to on your [Endpoints Repository] auth source?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 13, 2025 07:41 AM
From: msun
Subject: Access Tracker
I mark them manually as "Known" and make sure they have a correct "End Host Profile" so they come in the correct VLAN.
Then it takes 5-6 minutes for it to become "Accept".
Original Message:
Sent: Feb 13, 2025 07:18 AM
From: Herman Robers
Subject: Access Tracker
Not sure what your configuration is. Devices in the Endpoint Repository don't become known automatically. There needs to be something that marks them as known; it can be a manual action, could be an API call, or could be some service that triggers an Endpoint Entity Update to mark the endpoint as Known.
Also, in most cases you probably want to use the Allow All MACAuth, which authenticates clients regardless of their 'Known' status. Then in the role mapping or policy you can decide what to do with them, like allow limited access to profile them. It may be good to go through your configuration with the people who implemented it, or reach out to your partner that knows ClearPass.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 13, 2025 07:04 AM
From: msun
Subject: Access Tracker
I use MAC auth, but it takes 5-6 minutes from when I have marked devices as "known" until they come online.
The device comes in ClearPass 5 times as "Reject" before it comes in as "Known". Is there a place to change it, so I don't have to wait so long?
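
A simplified timing model of the behaviour discussed in this thread, added here as an example; it is not part of the original posts and is not ClearPass code. The 300 and 0 Cache Timeout values come from the thread; the 120-second value, the 60-second NAD retry interval, the moment the endpoint is marked Known, and the fixed-lifetime cache are assumptions.

```python
# Simplified model (assumption, not ClearPass internals): the policy server
# caches an endpoint's status for `cache_timeout` seconds after fetching it,
# and the NAD retries MAC authentication every `retry_interval` seconds.

def simulate(cache_timeout, retry_interval, marked_known_at, horizon=900):
    """Return (rejects_before_accept, seconds_until_accept) for one endpoint."""
    cached_status = None   # status currently held in the cache
    cached_at = None       # time the cached value was fetched
    rejects = 0
    for now in range(0, horizon + 1, retry_interval):
        # What the Endpoints Repository actually says at this moment.
        db_status = "Known" if now >= marked_known_at else "Unknown"
        fresh = (
            cached_at is not None
            and cache_timeout > 0
            and now - cached_at < cache_timeout
        )
        if not fresh:
            # Cache disabled or expired: read the repository again.
            cached_status, cached_at = db_status, now
        if cached_status == "Known":
            return rejects, now
        rejects += 1       # stale or genuine "Unknown" -> Reject
    return rejects, None   # never accepted within the horizon


def compare(retry_interval=60, marked_known_at=10):
    """Compare cache timeouts: 300 (value seen in the thread), 120, 0 (disabled)."""
    return {
        timeout: simulate(timeout, retry_interval, marked_known_at)
        for timeout in (300, 120, 0)
    }


if __name__ == "__main__":
    for timeout, (rejects, accepted_at) in compare().items():
        print(f"cache_timeout={timeout:>3}s: {rejects} reject(s), "
              f"accepted after {accepted_at}s")
```

With these assumed values, the 300-second cache yields five rejects and an accept at the five-minute mark, while a disabled cache leaves only the NAD's own retry interval as the delay.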