Higher Education


Yet another Clearpass question

  • 1.  Yet another Clearpass question

    Posted Sep 28, 2015 03:46 PM

    So I am trying to get a little more granular with my Roles so that it is easier for our help desk gang to troubleshoot wireless issues with students and staff/faculty. So as an example I have set up two roles:


    CFCC-IT-Staff-DT = IT staff members at our down town campus on a school owned device

    CFCC-IT-Staff-POD-DT = IT staff members at our down town campus on a personally owned device

    [image: IT Staff POD.PNG]

    So now the issue is that for some reason everyone (IT wise) is getting the POD role even when they are on a school owned device (i.e. Tips:Role: Domain Computers). I have been through the roles and enforcement policies until I am about bats#$t crazy and it all looks correct to me. So my question is this: could this be an issue due to the Rules Evaluation Algorithm being set to Select First Match as opposed to Select All Matches?


    As always, any help or advice is greatly appreciated :-)



  • 2.  RE: Yet another Clearpass question

    EMPLOYEE
    Posted Sep 28, 2015 03:50 PM

    Role mapping should always be configured for match any in an identity role map. When you look at the access tracker request, does it have all of the expected TIPS roles?
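    The difference between the two evaluation algorithms asked about above, as an added example (this is a toy model written for this thread, not ClearPass code; the attribute names and the two rules are constructed to resemble the roles in the question). A broad "personally owned device" rule is listed before the more specific "Domain Computers" rule, which is the ordering that makes the two algorithms diverge:

```python
"""Toy model of ClearPass-style role mapping (added example, not ClearPass
code).  Attribute names are assumptions shaped like the ones in the thread
(Tips:Role, Authorization:...); the rules and requests are constructed."""

import operator as op

# Constructed role mapping rules.  Each entry is (conditions, role).
# A condition is (attribute, operator, expected value).  The broad
# "personally owned device" rule is deliberately listed first.
RULES = [
    ([("Authorization:AD:memberOf", "CONTAINS", "IT Staff"),
      ("Connection:NAS-IP-Address", "EQUALS", "10.10.1.1")],
     "CFCC-IT-Staff-POD-DT"),
    ([("Authorization:AD:memberOf", "CONTAINS", "IT Staff"),
      ("Connection:NAS-IP-Address", "EQUALS", "10.10.1.1"),
      ("Tips:Role", "EQUALS", "Domain Computers")],
     "CFCC-IT-Staff-DT"),
]

OPERATORS = {
    "EQUALS": op.eq,
    "CONTAINS": lambda actual, expected: expected in actual,
}


def condition_matches(attrs, attribute, operator_name, expected):
    """True if any value of the attribute satisfies the condition."""
    actual = attrs.get(attribute)
    if actual is None:
        return False
    values = actual if isinstance(actual, (list, tuple, set)) else [actual]
    return any(OPERATORS[operator_name](v, expected) for v in values)


def rule_matches(attrs, conditions):
    """A rule matches only when every one of its conditions matches."""
    return all(condition_matches(attrs, *cond) for cond in conditions)


def evaluate(attrs, rules=RULES, algorithm="all"):
    """Return the roles assigned to a request.

    algorithm="first": stop at the first matching rule (Select First Match).
    algorithm="all":   collect every matching rule's role (Select All Matches).
    """
    roles = []
    for conditions, role in rules:
        if rule_matches(attrs, conditions):
            roles.append(role)
            if algorithm == "first":
                break
    return roles


def sample_requests():
    """Constructed request attributes: a school-owned laptop whose endpoint
    already carries the Domain Computers TIPS role, and a personal device."""
    school_owned = {
        "Authorization:AD:memberOf": ["IT Staff", "Domain Users"],
        "Connection:NAS-IP-Address": "10.10.1.1",
        "Tips:Role": ["Domain Computers"],
    }
    personal = {
        "Authorization:AD:memberOf": ["IT Staff", "Domain Users"],
        "Connection:NAS-IP-Address": "10.10.1.1",
    }
    return school_owned, personal


if __name__ == "__main__":
    school_owned, personal = sample_requests()
    for name, req in (("school-owned", school_owned), ("personal", personal)):
        for algo in ("first", "all"):
            print(f"{name:12} {algo:5} -> {evaluate(req, algorithm=algo)}")
```

    With "first", the school-owned laptop stops at the broad rule and only ever gets the POD role; with "all", it collects both roles and the enforcement policy can act on the more specific one. The model also shows the other failure mode worth checking in Access Tracker: if the request never carries the Domain Computers TIPS role in the first place, the specific rule cannot match under either algorithm.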



  • 3.  RE: Yet another Clearpass question

    MVP
    Posted Sep 28, 2015 03:53 PM

    When we initially set up ClearPass, we had the assistance of a ClearPass Engineer. Here is what we check for Windows computers in the University.liberty.edu domain.


    <RuleAttribute displayValue="University.liberty.edu" value="University.liberty.edu" operator="CONTAINS" name="servicePrincipalName" type="Authorization:SENSENET Domain"/>



  • 4.  RE: Yet another Clearpass question

    Posted Sep 28, 2015 04:10 PM

    That's the weird thing Cappy, Domain Computers does not show up in Access Tracker even though it should; the pic example doesn't show it either. AND other roles that I use Domain Computers for show up in Access Tracker just fine...

    [image: access tracker.PNG]

    (this is for my laptop which is a school owned device and thus should be showing properly)

    [image: access tracker II.PNG]

    (this is an example of one of my machine auth devices which uses the Domain Computers role and it shows up/works just fine)

    I don't get it....



  • 5.  RE: Yet another Clearpass question

    EMPLOYEE
    Posted Sep 28, 2015 04:12 PM
    You would want to use the [Machine Authenticated] token instead of your
    Domain Computer TIPS roles. The [Machine Authenticated] token has an
    independent, configurable cache timeout.


  • 6.  RE: Yet another Clearpass question

    Posted Sep 28, 2015 04:20 PM

    @cappalli wrote:
    You would want to use the [Machine Authenticated] token instead of your
    Domain Computer TIPS roles. The [Machine Authenticated] token has an
    independent, configurable cache timeout.

    A little confused on this one Tim, why would I want to use the Machine Auth token on a non machine auth device?



  • 7.  RE: Yet another Clearpass question

    EMPLOYEE
    Posted Sep 28, 2015 04:23 PM
    No, this would be for your Domain joined machines, which is the first rule
    you're trying to hit, correct?


  • 8.  RE: Yet another Clearpass question

    Posted Sep 28, 2015 04:30 PM

    All of our school owned laptops (as an example) are joined to AD; only the ones that are used in our wireless computer labs are set up for machine auth (i.e. sitting on a separate VLAN waiting for either staff or student to log in and then getting whatever role depending on their AD login). So I don't have any problem with the machine auth machines, but with other AD joined devices.


    Make sense?



  • 9.  RE: Yet another Clearpass question

    EMPLOYEE
    Posted Sep 28, 2015 04:33 PM
    You would need to use machine authentication to make this work.



    Can you post (or DM) a screenshot of your role map?


  • 10.  RE: Yet another Clearpass question

    Posted Sep 28, 2015 04:39 PM

    @cappalli wrote:
    You would need to use machine authentication to make this work.



    Can you post (or DM) a screenshot of your role map?

    Sent to you in a PM


    Thanks for taking a look!



  • 11.  RE: Yet another Clearpass question

    Posted Nov 11, 2015 03:54 PM

    I finally got this one figured out with the help of TAC. What was going on was that I had stopped using the Endpoints Repository for role mapping points as it had proved itself to me several times as being unreliable. Little did I know this was actually due to me missing some setup steps many many moons ago.

    As I discovered via TAC, the reason my Endpoint Repository was not reliable was because I was not feeding it properly. (yes, you can feed it after midnight but no, you cannot get it wet) Of all the VLANs I had involved with wireless access, only one of them had my ClearPass box set as a DHCP helper. As was explained to me by TAC, ClearPass gets most of its device information via DHCP requests, so if it is not getting the requests, its database will not be complete. He also reassured me that the CPPM box will never actually respond to a DHCP request, it just reads the information from it.

    Since that TAC call (which was a marathon 4 hour call) I have added my ClearPass box as a DHCP helper for all VLANs in question and within fifteen to twenty minutes all of my roles were being read correctly and have been stable since.


    So Cappy and all the gang, thanks again for all of the help and insight, much appreciated!
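    What a DHCP helper actually delivers to a profiler, as an added example (written for this thread, not ClearPass code or the poster's configuration). The relay forwards each client broadcast to the configured helper address; the profiler only reads it and never answers, which is why the parser below is purely passive. The DHCPDISCOVER packet, the MAC, the hostname "CFCC-LAPTOP-01" and the vendor class are all constructed for the demonstration:

```python
"""Passive DHCP fingerprint extraction (added example, not ClearPass code).
The packet used below is constructed for the demonstration; the hostname,
MAC and vendor class in it are made up."""

import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 option field marker
DHCPDISCOVER = 1

# Option codes commonly used for device fingerprinting
OPT_HOSTNAME = 12
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_PAD, OPT_END = 0, 255


def parse_options(data: bytes) -> dict:
    """Walk the TLV option list, skipping PAD bytes and stopping at END."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def fingerprint(packet: bytes) -> dict:
    """Extract the fields a profiler keys on from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    mac = packet[28:28 + hlen]           # chaddr field of the fixed header
    options = parse_options(packet[240:])
    msg_type = options.get(OPT_MSG_TYPE)
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "message_type": msg_type[0] if msg_type else None,
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace") or None,
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace") or None,
        "param_request_list": list(options.get(OPT_PARAM_REQUEST_LIST, b"")),
    }


def build_discover(mac: bytes, hostname: str, vendor_class: str, prl: bytes) -> bytes:
    """Assemble a minimal DHCPDISCOVER (constructed test input, not a capture)."""
    header = struct.pack("!BBBBIHHIIII",
                         1,            # op: BOOTREQUEST
                         1, len(mac),  # htype Ethernet, hlen
                         0,            # hops (a relay increments this)
                         0x3903F326,   # xid
                         0, 0x8000,    # secs, flags (broadcast bit)
                         0, 0, 0, 0)   # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
    options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode("ascii")
    options += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


# Constructed sample: a Windows-style request (vendor class "MSFT 5.0").
SAMPLE_DISCOVER = build_discover(
    mac=bytes.fromhex("001122334455"),
    hostname="CFCC-LAPTOP-01",
    vendor_class="MSFT 5.0",
    prl=bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
)

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_DISCOVER).items():
        print(f"{key:20} {value}")
```

    The vendor class (option 60) and the order of the parameter request list (option 55) are what fingerprint databases match on, and the hostname (option 12) is what ends up in the endpoint record. All three are supplied by the client, so they are profiling hints rather than an authentication factor. If a VLAN has no helper pointing at the profiler, none of these packets arrive and the endpoint record stays empty, which is the situation the post above describes.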



  • 12.  RE: Yet another Clearpass question

    MVP
    Posted Sep 28, 2015 04:21 PM

    Our domain computer role only applies when nobody is logged in since Windows does not do both user + computer authentication at the same time.