Security

 View Only
  • 1.  Guest MAC Caching - Dynamically removing endpoints from repository

    Posted Dec 19, 2017 11:38 AM
      |   view attached

    Hi there,

     

    We have a Guest solution, that has mainly been implemented by a 3rd party, that I'm looking to make a couple of minor adjustments too. I dont have a huge amount of Clearpass experience, so I'm trying to piece everything together to understand the current setup.

     

    Our Guests are actually internal employees, who connect to the Guest SSID provided, and are subsequently presented with a splash page for authentication. They'll utilise their internal AD credentials in order to verify themselves and subsequently connect. The original design specified that after 30 days, their MAC entry in the endpoint repository would expire and they would be prompted to re-authenticate, this currently isn't happening - once a mac entry is in the repository it is not being removed and they're not being prompted to re-connect. I've had a look in to the service configured in Clearpass, and it appears to be utilising an attribute in a profile as seen in the attachment

     

    Given that we're not being prompted to re-auth, is there a better way for me to configure this that will actually work?

     

    Secondly, something else we'd like to build in, having some sort of background check to verify that an internal AD account that was initially used to verify that user on the Guest splash page is still valid - If the account is still live (account active / password not expired) then they're able to continue to connect by use of the cached mac, but if there are any issues with their account, then the splash page would be presented to them again, in order for them to re-validate with updated credentials.

     

    Thanks in advance

     

    Dan



  • 2.  RE: Guest MAC Caching - Dynamically removing endpoints from repository

    Posted Dec 19, 2017 11:45 AM
      |   view attached

    Quick update to my original post. Looking at the mac address of a cached device, I can see that the MAC expiry address is being applied to my mac address, but Clearpass doesn't seem to be actioning upon in. Does anyone have any pointers on where/how I can troubleshoot this. Screenshot of the endpoint entry attached.



  • 3.  RE: Guest MAC Caching - Dynamically removing endpoints from repository

    Posted Dec 19, 2017 12:20 PM
    Can you share a screenshot of the role mapping and enforcement policy


  • 4.  RE: Guest MAC Caching - Dynamically removing endpoints from repository

    Posted Dec 19, 2017 01:29 PM

    Screenshots attached as requested. For information, the SSID in use is for both external and in-house Guest, hence the multiple role configs.

     

    The employee/Role ID 3 is the one for which I'm trying to resolve the MAC caching issue.

     

    Thanks