You have a service for a Secure SSID with Radius authentication, but use role mapping for guest authentication with MAC address caching. This does not match.
In role mapping, you query properties from the endpoints. However, these must also be present in the endpoint. You can set them using enforcement profiles, but you don't do that. Do you set them manually? If not, your role mapping always returns [Other] as the result.
In the enforcement you query Unique-Device-Count. For this to work, the name of the user currently logged in must be stored in the Username attribute in the endpoint. Your enforcement profiles do not do this. Do you set them manually? If not, Authorization:[Endpoints Repository]:Unique-Device-Count is always equal to 1, so ClearPass can never detect how many endpoints the user has used.
Your enforcement either sends an ACCEPT - if one of the conditions from 1 to 4 is fulfilled. If none of the conditions are met, a REJECT is sent. It is not checked at any point whether it is an Android or an IOS device.
Please post the result from the access tracker - all tabs. Once for Android device and once for IOS device.
Do the IOS and Android devices connect to the same SSID?
Check in the WLAN Controller whether Android and IOS device get different Aruba user roles.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Feb 22, 2024 02:48 AM
From: Traker
Subject: Whatsapp ios Clearpass
Thank you, you were really kind, I think it's a controller problem, little by little I managed to get out of it.
Original Message:
Sent: 2/22/2024 2:23:00 AM
From: jonas.hammarback
Subject: RE: Whatsapp ios Clearpass
I don't understand the thoughts behind the configuration provided in the screenshots. The role mapping policy is the default guest role mapping policy for MAC caching and in the enforcement policy you have four rules all returning just an Accept back to the controller.
With this setup it doesn't matter what role you assign the users under the Local User Repository, as it looks like you are using this repository. With the size of your organisation you shouldn't use the Local User Repository, instead the corporate directory such as Active Directory, Entra ID, or a generic LDAP.
If the iPhone authenticates OK in ClearPass, it's the same result sent back to the controller as an Android. ClearPass is not the root cause of your problem, but I recommend that you contact an Aruba SE or Aruba Partner with ClearPass knowledge to help you with the configuration. Also check the Airheads Broadcasting channel on Youtube with the ClearPass series: https://www.youtube.com/watch?v=bnOGv6sN804&list=PLsYGHuNuBZcbZPEku1zxkfpn2k_O_MENo
You have to check the controller configuration. Only way I can think of that can cause different access for Android and iPhone in this case is if the Android successfully authenticates with 802.1x and the iPhone with MAC auth. In that situation the controller will utilize the respective default roles for 802.1x and MAC auth. If these roles are different and the MAC auth role has firewall rules blocking some ports you can end up in this situation.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 21, 2024 03:10 PM
From: Traker
Subject: Whatsapp ios Clearpass
.