
rejected in clearpass

  • 1.  rejected in clearpass

    Posted 11 days ago

    Hi, can someone please help me fix this? Users are not profiled in ClearPass, hence rejected... Thank you for any help.



  • 2.  RE: rejected in clearpass

    Posted 11 days ago

    Are you sending client DHCP requests to your ClearPass?

    Generally you need an ip helper command on your router/switch that also points to the IP address of ClearPass. This way ClearPass will see the DHCP requests and can use them for profiling.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
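What the ip helper actually delivers to ClearPass is a copy of the client's DHCP Discover/Request, forwarded by the switch with its own interface address in the giaddr field (for example, on Cisco IOS or AOS-CX the interface command is `ip helper-address <ClearPass IP>`). DHCP-based profiling keys on option 55 (parameter request list), option 60 (vendor class identifier) and option 12 (host name) of that packet, so if no such packet reaches ClearPass there is nothing to match a fingerprint against. The following is an added example, not code from the thread or from ClearPass: it parses those fields from a DHCPDISCOVER constructed inline. The MAC address, option values, host name and relay address are made up for illustration, and the option 55 list is merely typical of a Windows client, not a verified device signature.

```python
"""Parse the DHCP fields a ClearPass-style profiler uses, from a raw BOOTP/DHCP payload.

Added example: the packet below is constructed for this demonstration and the
option values are illustrative; nothing here is ClearPass code.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that separates the BOOTP header from DHCP options


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for the UDP payload of a DHCP packet.

    Rejects payloads that are too short or lack the magic cookie, and refuses
    to read past the end of a truncated option instead of silently guessing.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or missing magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:              # pad option, single byte
            i += 1
            continue
        if code == 255:            # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def dhcp_fingerprint(payload: bytes) -> dict:
    """Extract the attributes that matter for profiling plus the relay address."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    return {
        "message_type": {1: "DISCOVER", 3: "REQUEST"}.get(msg_type, str(msg_type)),
        "client_mac": "%02x:%02x:%02x:%02x:%02x:%02x" % tuple(payload[28:34]),  # chaddr
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),      # option 55
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),          # option 60
        "hostname": opts.get(12, b"").decode("ascii", "replace"),              # option 12
        # giaddr is filled in by the relay (the ip helper); 0.0.0.0 means the packet
        # was not relayed, i.e. ClearPass would only see it if it sat on the client VLAN.
        "relay_agent_ip": ".".join(str(b) for b in payload[24:28]),
    }


def build_discover(mac: bytes, prl: bytes, vendor: bytes, hostname: bytes,
                   giaddr: bytes = b"\0\0\0\0") -> bytes:
    """Construct a minimal DHCPDISCOVER as a relay would forward it (test input only)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    hdr += b"\0" * 4 + b"\0" * 4 + b"\0" * 4 + giaddr     # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10                              # chaddr is 16 bytes
    hdr += b"\0" * 64 + b"\0" * 128                      # sname, file
    opts = (b"\x35\x01\x01"                              # option 53 = DHCPDISCOVER
            + bytes([55, len(prl)]) + prl
            + bytes([60, len(vendor)]) + vendor
            + bytes([12, len(hostname)]) + hostname
            + b"\xff")
    return hdr + DHCP_MAGIC + opts


# Constructed sample: a relayed discover from a hypothetical Windows laptop.
SAMPLE_DISCOVER = build_discover(
    mac=bytes.fromhex("001122334455"),
    prl=bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
    vendor=b"MSFT 5.0",
    hostname=b"LAPTOP-EXAMPLE",
    giaddr=bytes([10, 10, 10, 1]),       # switch VLAN interface that relayed it
)

if __name__ == "__main__":
    for key, value in dhcp_fingerprint(SAMPLE_DISCOVER).items():
        print("%-20s %s" % (key, value))
```

If you capture traffic on the ClearPass side (for example with tcpdump on UDP port 67) and feed the UDP payload to `dhcp_fingerprint`, a `relay_agent_ip` of 0.0.0.0 or no packets at all for the failing MAC tells you the relay is not configured for that VLAN, whereas a well-formed packet with option 55 present means the problem lies in the endpoint repository or the policy, not in the transport.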



  • 3.  RE: rejected in clearpass

    Posted 11 days ago
    Yes, I have already checked that. Also, there are other devices able to connect and get the correct profile as well, albeit a different laptop model.







  • 4.  RE: rejected in clearpass

    Posted 10 days ago

    What do you see if you check that failed client's MAC address in the endpoint repository? Do you see any attributes/categories?

    Also, what ClearPass version are you running?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: rejected in clearpass

    Posted 9 days ago

    In order to profile new/unknown devices, you would need to provide them with some form of access. If you reject the authentication, there is no network connectivity at all, so there won't be profiling possible.

    One solution would be to add a rule at the bottom of your enforcement policy that just checks for [User Authenticated] (and no further roles) and assign an enforcement that is acceptable for unknown devices, like internet only or even just DHCP, such that profiling can happen.

    In general, you should not reject authentications, but instead accept those with strict needed or acceptable limited access.

    BTW, you probably should not use PEAP. Encryption for that is broken and unless you fully control your client devices really well, you should consider the user (or computer) credentials to be exposed.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: rejected in clearpass

    Posted 8 days ago

    Hi Herman,

    like this?




  • 7.  RE: rejected in clearpass

    Posted 8 days ago

    Hi.

    We can see that you just deny access when the device has not yet been profiled. As Herman wrote, you need to allow access to the network for the device to be profiled. So change [Deny Access Profile] to something else, for example to a profiling VLAN or a profiling role with minimal network access. Then the device will be able to receive an IP address via DHCP, send some data and be profiled by ClearPass.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 8.  RE: rejected in clearpass

    Posted 8 days ago

    I don't think that Full-Username has the value 'username'; I typically use 'Tips:Role EQUALS [User-Authenticated]', so like your rule 4 but without the other Role matches.

    As Gorazd mentions, you can set the default enforcement profile as well, but I personally prefer to use Tips:Role EQUALS [User-Authenticated], as it's always true for authenticated users, but more because it makes your policy more explicit. You see immediately what the policy does at the bottom, whereas if it falls through to the default policy, it's a bit harder to read.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: rejected in clearpass

    Posted 8 days ago

    Hi Sir,

    I have removed the PEAP conditions and now have just two. I am not really sure if I still actually need to replace the Auth PEAP Role conditions, or keep only these two conditions but change the default profile to Allow Access Profile and not Deny? Also, how do I accomplish this? "assign an enforcement that is acceptable for unknown devices, like internet only or even just DHCP such that profiling can happen. In general, you should not reject authentications, but instead accept those with strict needed or acceptable limited access." Thank you so much.




  • 10.  RE: rejected in clearpass

    Posted 8 days ago

    Hi Joseph.

    1. Move rule 2 to first position
    2. Change the enforcement action of this rule (PROFILE-ME_ROLE) from [Deny Access Role] to something else. For a start you can use [Allow Access Profile] just to see if the device gets profiled.

    When this test is successful, create a new enforcement profile that allows DNS and DHCP traffic and HTTP(S) (80, 443) to the ClearPass server (if desired). Please read the Wired Policy Enforcement Solution Guide for details. You can provide a notification page to the client so it is informed that profiling is going on and needs to wait a little before it will be allowed onto the network.

    Best, Gorazd 



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
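The advice in posts 5, 7, 8 and 10 comes down to rule order and a safe fallback: a ClearPass enforcement policy evaluated as "first match" stops at the first rule whose conditions hold, so an unprofiled endpoint hitting a [Deny Access Profile] rule never gets DHCP and can never be profiled. The following added example (not code from the thread, and not ClearPass itself) models that evaluation in Python for the policy "before" and "after" the changes suggested above. The bracketed names [User Authenticated], [Allow Access Profile] and [Deny Access Profile] are ClearPass built-ins; the roles AUTH_PEAP_ROLE, PROFILE-ME_ROLE and CORP_LAPTOP_ROLE, the "Profiling-Only" enforcement profile, the endpoint attributes and the role-mapping logic are assumptions made for this illustration.

```python
"""First-match model of a ClearPass enforcement policy (added example, not ClearPass code).

Assumptions for this example: the policy's rule evaluation algorithm is
"select first match"; roles are derived by a stand-in role mapping from the
endpoint's Category attribute; role and profile names outside square brackets
are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    required_roles: frozenset   # every Tips:Role value listed here must be present
    profile: str                # enforcement profile applied on match


@dataclass
class Policy:
    rules: list
    default_profile: str        # used only when no rule matches


def roles_for(endpoint: dict, authenticated: bool) -> set:
    """Stand-in role mapping: derive Tips:Role values for a request."""
    roles = set()
    if authenticated:
        roles.add("[User Authenticated]")
        roles.add("AUTH_PEAP_ROLE")        # assumption: mapped by the PEAP service
    category = endpoint.get("Category")    # absent until the Profiler has classified the MAC
    if category is None:
        roles.add("PROFILE-ME_ROLE")       # assumption: role for not-yet-profiled endpoints
    elif category == "Computer":
        roles.add("CORP_LAPTOP_ROLE")      # assumption: role for profiled corporate laptops
    return roles


def evaluate(policy: Policy, roles: set) -> str:
    """Select-first-match: the first rule whose required roles are all present wins."""
    for rule in policy.rules:
        if rule.required_roles <= roles:
            return rule.profile
    return policy.default_profile


# "Before": as the original poster had it. An unprofiled endpoint matches the
# PROFILE-ME_ROLE rule and is denied, so it never gets an IP address and never
# sends the DHCP/HTTP traffic the Profiler needs. The device is stuck.
BEFORE = Policy(
    rules=[
        Rule("corp laptops",
             frozenset({"[User Authenticated]", "AUTH_PEAP_ROLE", "CORP_LAPTOP_ROLE"}),
             "[Allow Access Profile]"),
        Rule("unprofiled",
             frozenset({"[User Authenticated]", "PROFILE-ME_ROLE"}),
             "[Deny Access Profile]"),
    ],
    default_profile="[Deny Access Profile]",
)

# "After": the unprofiled rule is moved to the top and mapped to a limited profile
# (DHCP/DNS plus HTTP(S) to ClearPass), and an explicit catch-all on
# [User Authenticated] sits at the bottom instead of silently relying on the
# default. Failed authentications still fall through to the deny default.
AFTER = Policy(
    rules=[
        Rule("unprofiled -> limited",
             frozenset({"[User Authenticated]", "PROFILE-ME_ROLE"}),
             "Profiling-Only"),
        Rule("corp laptops",
             frozenset({"[User Authenticated]", "AUTH_PEAP_ROLE", "CORP_LAPTOP_ROLE"}),
             "[Allow Access Profile]"),
        Rule("any authenticated",
             frozenset({"[User Authenticated]"}),
             "Profiling-Only"),
    ],
    default_profile="[Deny Access Profile]",
)


def outcome(policy: Policy, endpoint: dict, authenticated: bool = True) -> str:
    """Enforcement profile a request ends up with under the given policy."""
    return evaluate(policy, roles_for(endpoint, authenticated))


if __name__ == "__main__":
    unknown = {"MAC": "00:11:22:33:44:55"}                        # not yet in the endpoint repository
    profiled = {"MAC": "00:11:22:33:44:55", "Category": "Computer"}  # after the Profiler classified it
    print("before, unknown  :", outcome(BEFORE, unknown))       # [Deny Access Profile]
    print("after,  unknown  :", outcome(AFTER, unknown))        # Profiling-Only
    print("after,  profiled :", outcome(AFTER, profiled))       # [Allow Access Profile]
    print("after,  bad creds:", outcome(AFTER, unknown, False)) # [Deny Access Profile]
```

The model shows the two things to verify in a real policy: the limited-access rule must come before any rule that could deny the same roles, and the bottom rule should be the explicit [User Authenticated] catch-all rather than the default profile, so the policy reads as intended. In ClearPass the loop is closed by the service's Profiler settings, which can send a RADIUS CoA once the endpoint is classified, so the client re-authenticates and lands on the "profiled" rule.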



  • 11.  RE: rejected in clearpass

    Posted 9 days ago

    Herman explained this very nicely. Usually you use a profiling VLAN or a profiling role (if you don't want to change the IP address), with minimal access like DNS, DHCP, and HTTP(S) to ClearPass (if you want to show any messages during profiling), and any other required access if needed. This will allow ClearPass to receive the required information for profiling.

    Check the Wired Policy Enforcement Solution Guide for details, examples and best practices. The principles in this guide are relevant for wireless clients also.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------