Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

A user is not able to authenticate using 802.1x

  • 1.  A user is not able to authenticate using 802.1x

    Posted Sep 09, 2019 10:37 AM

    I have a user who is not able to authenticate using 802.1x on ClearPass. He is able to log on to his computer and email using the same Active Directory account but is not able to authenticate using ClearPass. He has tried on multiple devices and he still cannot authenticate. As far as I can see, he is the only one who has complained so far out of a thousand users. Please see the logs; I have removed some sensitive information from them.

    Attachment(s): Dashboard_Details.txt (2 KB), DashboardDetails.zip (10 KB)


  • 2.  RE: A user is not able to authenticate using 802.1x

    EMPLOYEE
    Posted Sep 09, 2019 10:43 AM

    He is being denied by Policy, which means the conditions defined under Enforcement Policy for him to get a role are not being fulfilled.

     

    Check Access Tracker and compare why he isn't hitting any of your policies and is being sent a [Deny Access Profile]; otherwise, contact TAC for quicker resolution.



  • 3.  RE: A user is not able to authenticate using 802.1x

    Posted Sep 09, 2019 10:50 AM

    Thanks for the quick reply. I have already checked Access Tracker and he shouldn't be denied according to the logic. His account is in good standing, part of the OU that is being queried, and he is inputting the right credentials in order to log in.



  • 4.  RE: A user is not able to authenticate using 802.1x

    EMPLOYEE
    Posted Sep 09, 2019 11:34 AM

    Credentials are not an issue as far as I see here.

     

    If a simple/default allow access profile allows him, then you can validate the same. You can create a service on top of your existing one for that user only to play with it. If required, use TAC.



  • 5.  RE: A user is not able to authenticate using 802.1x

    Posted Sep 09, 2019 11:37 AM

    Screenshots of your role mapping/enforcement would be helpful.

    But he's getting the roles [Other], [User Authenticated].

    Based on what I see in your enforcement policy, that doesn't match any rule you have, so he'll get the default rule (Deny Access).

    So you need to look in your input tab, at your authorization tab, see which OU ClearPass sees, and make sure that is included in your role mapping.



  • 6.  RE: A user is not able to authenticate using 802.1x
    Best Answer

    Posted Sep 13, 2019 11:38 AM

    The user is now able to log on without changing anything on his part.