Occasional Contributor II

CLEARPASS GUEST DB has user that is supposed to be in AD

We have one user who uses a Google Pixel 3.x phone. I can log in to the phone using my AD credentials, and the phone is treated as a guest but has an AD account. However, if we try his login it says invalid username and password. After several changes of his password, the result is still the same. Further troubleshooting on ClearPass shows that the user who has AD credentials also has an entry in the Guest DB database. Now another user, who is an employee, is having the same issue when he tries to connect his company laptop to the Guest WiFi. It also says that he has an entry in the Guest DB, which is why he can't authenticate via AD. If I go to Configuration > Services > Summary tab, the authentication sources are:
1.  Guest User Repository

2.  Office AD

Please let me know what other logs or troubleshooting I need to do in order to see more granularity and also if you could suggest a workaround or solution for this issue.

MVP Guru

Re: CLEARPASS GUEST DB has user that is supposed to be in AD

ClearPass will check the authentication sources in the order listed (Guest, then AD in your case).

For each source ClearPass will check if the user account exists in that one, and if it exists it uses (only) that source for authentication.

That means that if you have the same username in both authentication sources, an authentication against the guest database will happen and AD will not be tried.

Do you need the Guest DB in there? If not, remove it.

Do you want AD to be checked first, with fallback to guest? Change the order so that AD is listed first.

From your explanation it is not possible to find the intended/designed way of working. If you are not fully confident in what you are doing, I'd recommend involving a professional to do the design and make the needed changes. For an authentication solution it is important that you understand and correctly design and implement the policy.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
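The lookup order described in the reply above, as an added example (not ClearPass code and not from the poster). It models an ordered list of authentication sources where the first source that contains the username is the only one asked to verify the password, and it adds a collision check that lists usernames present in more than one source. The source names match the original post; the accounts and passwords are constructed, and the plaintext passwords are purely for illustration.

```python
"""Model of an ordered list of authentication sources.

Added example, not ClearPass code. It illustrates first-match-by-existence:
sources are checked in the order listed, and the first source in which the
username exists is the only one asked to verify the password; later sources
are never tried. Accounts and passwords below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthSource:
    name: str
    accounts: Dict[str, str]  # username -> password (constructed sample data)

    def has_user(self, username: str) -> bool:
        return username in self.accounts

    def verify(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


def authenticate(sources: List[AuthSource], username: str, password: str) -> Tuple[Optional[str], bool]:
    """Return (name of the source that handled the request, success).

    The first source that knows the username decides the outcome, even if its
    password is wrong and a later source would have accepted the same login.
    """
    for src in sources:
        if src.has_user(username):
            return src.name, src.verify(username, password)
    return None, False  # username unknown in every source


def find_collisions(sources: List[AuthSource]) -> Dict[str, List[str]]:
    """Usernames present in more than one source: the accounts whose result depends on ordering."""
    seen: Dict[str, List[str]] = {}
    for src in sources:
        for user in src.accounts:
            seen.setdefault(user, []).append(src.name)
    return {u: names for u, names in seen.items() if len(names) > 1}


# Constructed sample sources. "jdoe" is an employee who also ended up with a
# guest account, reproducing the collision described in the thread.
GUEST_DB = AuthSource("Guest User Repository", {"jdoe": "guest-pw", "contractor1": "c0ntr-pw"})
OFFICE_AD = AuthSource("Office AD", {"jdoe": "Ad-Secret!", "employee2": "Empl0yee-pw"})

GUEST_FIRST = [GUEST_DB, OFFICE_AD]  # the order in the original post
AD_FIRST = [OFFICE_AD, GUEST_DB]     # employees resolved in AD, everyone else falls through to the guest DB


if __name__ == "__main__":
    print("collisions:", find_collisions(GUEST_FIRST))
    for order, label in ((GUEST_FIRST, "guest first"), (AD_FIRST, "AD first")):
        print(label, "->", authenticate(order, "jdoe", "Ad-Secret!"))
```

With the guest repository first, "jdoe" presenting the AD password is answered by the guest DB and fails; with AD first the same login succeeds, and "contractor1" still falls through to the guest DB. Running `find_collisions` against an export of both sources is the quickest way to see which accounts are affected by whichever order you choose.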
Occasional Contributor II

Re: CLEARPASS GUEST DB has user that is supposed to be in AD

Hi Herman,

Our employees can connect to the guest network but are authenticated using their AD credentials. That is how we differentiate contractors from our employees using the guest WiFi network.

What we can't comprehend is why this user cannot authenticate using his AD credentials. The logs are saying that his username is already in the Guest DB and therefore it would not use AD as the source of his authentication.

Please let me know what logs you need from me as well. Thank you.

MVP Guru

Re: CLEARPASS GUEST DB has user that is supposed to be in AD

Please check the previous reply on how ClearPass checks the different authentication sources. If there is a collision in user names, you have to decide which one is tried first. If the business logic is: check if someone is an employee in AD, if so authenticate to AD, else authenticate to the ClearPass Guest/User database; then you should list AD first and the other sources after it.

You could share your service configuration and the Summary, Output and Alert tabs of Access Tracker here. It is probably more effective to contact your Aruba partner or Aruba Support, as they can explain to you in your specific environment why this is happening and then discuss/advise on the best solution, as there can be multiple possible solutions.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: CLEARPASS GUEST DB has user that is supposed to be in AD

We found the culprit, and it's not the different authentication sources and how they should be prioritized. The unique device count exceeded the maximum limit of 10 in our settings, so a user is only allowed a maximum of ten devices to connect to our Guest WiFi. The guest devices for employees are supposed to expire after 7 days, but it seems that those devices did expire and were never removed from the database. Any thoughts?
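The failure mode in the final post, as an added example (not ClearPass code and not from the poster): expired device registrations that are still present in the database keep counting toward the per-user limit, so a user with valid credentials is refused a new device. The 7-day expiry and 10-device limit come from the thread; the record layout, the counting rule and the sample rows are assumptions constructed for this example, and the real ClearPass schema and enforcement logic are not shown here.

```python
"""Audit of per-user device registrations against a 'max unique devices' limit.

Added example, not ClearPass code. It models the reported failure mode:
employee guest-device registrations should expire after 7 days, but rows that
expired without being removed can still be counted toward the per-user limit
of 10, so a new device is refused although the login itself is fine. Record
layout, counting rule and sample data are assumptions made for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

MAX_DEVICES = 10            # per-user limit mentioned in the post
EXPIRY = timedelta(days=7)  # intended lifetime of an employee's guest device
NOW = datetime(2019, 6, 1, 9, 0)  # fixed clock so the example is deterministic


def _reg(user: str, idx: int, days_ago: int) -> Dict:
    """Constructed device registration row (hypothetical layout)."""
    return {"username": user,
            "mac": f"00:11:22:33:44:{idx:02x}",
            "registered": NOW - timedelta(days=days_ago)}


# Constructed data: "jdoe" registered a device every three days for a month and
# none of the old rows were purged; "contractor1" has two recent devices.
DEVICE_DB: List[Dict] = (
    [_reg("jdoe", i, days_ago) for i, days_ago in enumerate(range(0, 36, 3))]
    + [_reg("contractor1", i, days_ago) for i, days_ago in enumerate((1, 2))]
)


def is_expired(rec: Dict, now: datetime = NOW) -> bool:
    return now - rec["registered"] > EXPIRY


def device_count(records: List[Dict], user: str, now: datetime = NOW,
                 counting_expired: bool = True) -> int:
    """Unique MACs held by `user`. counting_expired=True models the bug: stale rows still count."""
    return len({r["mac"] for r in records
                if r["username"] == user and (counting_expired or not is_expired(r, now))})


def would_be_rejected(records: List[Dict], user: str, now: datetime = NOW,
                      counting_expired: bool = True) -> bool:
    """True if registering one more device for `user` would exceed MAX_DEVICES."""
    return device_count(records, user, now, counting_expired) >= MAX_DEVICES


def stale_records(records: List[Dict], now: datetime = NOW) -> List[Dict]:
    """Rows that have expired but are still present: what should have been purged."""
    return [r for r in records if is_expired(r, now)]


def purge_expired(records: List[Dict], now: datetime = NOW) -> List[Dict]:
    return [r for r in records if not is_expired(r, now)]


if __name__ == "__main__":
    for user in ("jdoe", "contractor1"):
        print(f"{user}: {device_count(DEVICE_DB, user)} rows, "
              f"{device_count(DEVICE_DB, user, counting_expired=False)} still valid, "
              f"rejected={would_be_rejected(DEVICE_DB, user)}")
    print(f"{len(stale_records(DEVICE_DB))} expired rows never removed")
```

In the constructed data "jdoe" holds 12 rows but only 3 are within the 7-day window, so the limit is only hit because the 9 expired rows were never removed; after `purge_expired` the same user is well under the limit. Comparing the two counts per user is the check to run when a "too many devices" rejection appears for someone who rarely adds hardware.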
