New Contributor

Cert based authentication ClearPass

We have set up certificate-based authentication via AirWatch for mobile devices and GPO for Windows PCs. Cisco Meraki APs are in place. Everything was working well until we made changes to our role mappings for dot1x Wi-Fi. In order to pull valuable reports on Insights, we added roles (Device:Business Unit "equals" xxx). This allows us to sort devices based on BU as well as location. Our enterprise is enormous. Initially, roles were set to "select first match". We changed to select all matches. Either it's a coincidence or this change has bricked some connections, causing devices to either not connect to our APs, or it is now letting personal devices (not managed with AirWatch) auth using AD creds. ClearPass was previously set up by a ClearPass engineer. Any help would be greatly appreciated.

Mitch Hare
MVP Guru

Re: Cert based authentication ClearPass

It is possible that some of the policy rules may not be in the correct order or are not defined with the proper Tips role.

Can you share the role mapping and policy enforcement?

Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
New Contributor

Re: Cert based authentication ClearPass


Role mapping (conditions -> role):

1. (Authentication:Source EQUALS FGA AD) AND (Endpoint:Ownership EQUALS Corporate) -> FGA Mobile Device
2. (Authentication:Source EQUALS FGA AD) AND (Authentication:OuterMethod EQUALS EAP-TLS) -> FGA Domain Access
3. (Authentication:Source EQUALS FGA AD) AND (Authentication:Status EQUALS Machine) AND (Authorization:[Endpoints Repository]:Device Name NOT_EQUALS Windows XP) -> FGA Domain Access
4. (Authentication:Source EQUALS FGA AD) AND (Endpoint:FGA Domain Computer EQUALS true) -> FGA Domain Access
5. (Authentication:Source EQUALS FGA AD) AND (Authorization:[Endpoints Repository]:Device Name NOT_EQUALS Windows XP) -> FGA Domain Users Role
6. (Device:Business Unit EQUALS Shared) -> Shared Role
7. (Device:Business Unit EQUALS Student) -> Student Role
8. (Device:Business Unit EQUALS Transit) -> Transit Role
9. (Device:Service Mode EQUALS Enforce Mode) -> Enforcement Mode
10. (Device:Service Mode EQUALS Monitor Mode) -> Monitor Mode

Enforcement policy (conditions -> enforcement profiles):

1. (Tips:Role EQUALS [TACACS Super Admin]) -> [Allow Access Profile]
2. (Tips:Role EQUALS FGA Mobile Device) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Remote Access Points) -> [Update Endpoint Known], FGA VLAN 75, FGA Endpoint Location and BU Update
3. (Tips:Role EQUALS FGA Mobile Device) -> [Update Endpoint Known], FGA VLAN 999, FGA Endpoint Location and BU Update
4. (Tips:Role EQUALS FGA Domain Access) AND (Tips:Posture EQUALS HEALTHY (0)) -> [Update Endpoint Known], FGA Domain Computer TAG, FGA Endpoint Location and BU Update
5. (Tips:Role EQUALS FGA Domain Access) AND (Tips:Posture NOT_EQUALS HEALTHY (0)) -> [Update Endpoint Known], FGA Domain Computer TAG, FGA Meraki Quarantine, FGA Computer UnHealthy Enforcement Profile, FGA Endpoint Location and BU Update
6. (Tips:Role EQUALS FGA Domain Users Role) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Remote Access Points) -> FGA VLAN 75, FGA Endpoint Location and BU Update
7. (Tips:Role EQUALS FGA Domain Users Role) -> FGA VLAN 999, FGA Endpoint Location and BU Update

Mitch Hare
MVP Expert

Re: Cert based authentication ClearPass

Hi Mitch,


First of all, I'd say a change from first match to match all is a "dangerous action" if you don't know super precisely how the policy is designed/working.

Before your change each request was assigned only one role. Now it may be assigned more than one role. Since a line in the enforcement policy is selected by the assigned roles, this can have a huge impact.

E.g. some user/device may before have been assigned the role "FGA Domain Access" only. Now, the same request may be assigned the two roles "FGA Domain Access" and "FGA Domain User Role", e.g. if the device name is not "Windows XP".

Before, if none of the enforcement rules matched for role "FGA Domain Access", the request was denied.

Now, since that request also has role "FGA Domain User Role", suddenly line 7 of your enforcement policy will be evaluated. The request which was denied with the "first match" setting will now be allowed, just because you changed to "match all".

You should check Access Tracker and compare the logins before and after your change. You should see which roles were assigned additionally and which enforcement profiles were sent to the NAS based on these roles.

If my assumptions are right, afterwards you can either rework the conditions in your role mapping so that only one of the "FGA" roles will be assigned, or change the conditions in your enforcement policy so that having more than one of the "FGA" roles doesn't have a negative impact. I prefer the latter.


Regards, Jö

Please give kudos, if you like my post.
Please Accept as solution, if my post was helpful.
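The mechanism Jö describes (one role under "first match", several under "match all", and the enforcement policy then landing on a different line) can be reproduced offline. The script below is an added example written for this thread, not ClearPass code and not from any of the posters; it re-encodes the role mapping and enforcement policy Mitch posted as plain tuples, evaluates three constructed requests under both algorithms, and reports which logins end up with a different enforcement result, which is the Access Tracker comparison Jö suggests. The IP addresses, device names and the "Remote Access Points" group membership are constructed; the treatment of a missing attribute (e.g. no posture token) as failing both EQUALS and NOT_EQUALS is a modelling assumption, not a statement about how ClearPass evaluates it.

```python
"""ClearPass-style role mapping: 'first match' versus 'evaluate all'.

Added example, not ClearPass code and not from anyone in the thread. The rule
tables reproduce the role mapping and enforcement policy posted above; the
requests are constructed samples. Modelling assumptions: a rule's conditions
are AND-ed, the enforcement policy is first-match over the assigned roles with
an implicit default deny, and a condition on an attribute the request lacks
(e.g. no posture token) is false for EQUALS and NOT_EQUALS alike.
"""

FIRST_MATCH, EVALUATE_ALL = "first match", "evaluate all"
DENY = "DENY (no enforcement rule matched)"
GROUPS = {"Remote Access Points": {"10.99.0.10", "10.99.0.11"}}  # constructed group membership


def condition_holds(condition, req):
    """Evaluate one (attribute, operator, value) triple; roles live in req['Tips:Role'] as a frozenset."""
    attr, op, value = condition
    actual = req.get(attr)
    if actual is None:
        return False  # assumption: a missing attribute satisfies no condition
    if op == "BELONGS_TO_GROUP":
        return actual in GROUPS.get(value, set())
    hit = value in actual if isinstance(actual, frozenset) else actual == value
    return hit if op == "EQUALS" else not hit  # NOT_EQUALS


SRC = ("Authentication:Source", "EQUALS", "FGA AD")
NOT_XP = ("Authorization:[Endpoints Repository]:Device Name", "NOT_EQUALS", "Windows XP")
ROLE_MAPPING = [  # (conditions, role), in the order posted
    ([SRC, ("Endpoint:Ownership", "EQUALS", "Corporate")], "FGA Mobile Device"),
    ([SRC, ("Authentication:OuterMethod", "EQUALS", "EAP-TLS")], "FGA Domain Access"),
    ([SRC, ("Authentication:Status", "EQUALS", "Machine"), NOT_XP], "FGA Domain Access"),
    ([SRC, ("Endpoint:FGA Domain Computer", "EQUALS", "true")], "FGA Domain Access"),
    ([SRC, NOT_XP], "FGA Domain Users Role"),
    ([("Device:Business Unit", "EQUALS", "Shared")], "Shared Role"),
    ([("Device:Business Unit", "EQUALS", "Student")], "Student Role"),
    ([("Device:Business Unit", "EQUALS", "Transit")], "Transit Role"),
    ([("Device:Service Mode", "EQUALS", "Enforce Mode")], "Enforcement Mode"),
    ([("Device:Service Mode", "EQUALS", "Monitor Mode")], "Monitor Mode"),
]

R = "Tips:Role"
REMOTE_AP = ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "Remote Access Points")
KNOWN, LOC = "[Update Endpoint Known]", "FGA Endpoint Location and BU Update"
ENFORCEMENT_POLICY = [  # (conditions, profiles), in the order posted
    ([(R, "EQUALS", "[TACACS Super Admin]")], ["[Allow Access Profile]"]),
    ([(R, "EQUALS", "FGA Mobile Device"), REMOTE_AP], [KNOWN, "FGA VLAN 75", LOC]),
    ([(R, "EQUALS", "FGA Mobile Device")], [KNOWN, "FGA VLAN 999", LOC]),
    ([(R, "EQUALS", "FGA Domain Access"), ("Tips:Posture", "EQUALS", "HEALTHY (0)")],
     [KNOWN, "FGA Domain Computer TAG", LOC]),
    ([(R, "EQUALS", "FGA Domain Access"), ("Tips:Posture", "NOT_EQUALS", "HEALTHY (0)")],
     [KNOWN, "FGA Domain Computer TAG", "FGA Meraki Quarantine",
      "FGA Computer UnHealthy Enforcement Profile", LOC]),
    ([(R, "EQUALS", "FGA Domain Users Role"), REMOTE_AP], ["FGA VLAN 75", LOC]),
    ([(R, "EQUALS", "FGA Domain Users Role")], ["FGA VLAN 999", LOC]),
]


def assign_roles(req, algorithm):
    """Roles in rule order: FIRST_MATCH stops at the first hit, EVALUATE_ALL keeps every hit."""
    roles = []
    for conditions, name in ROLE_MAPPING:
        if all(condition_holds(c, req) for c in conditions):
            roles.append(name)
            if algorithm == FIRST_MATCH:
                break
    return roles


def enforce(req, roles):
    """First-match enforcement over the role set; no match means deny."""
    enriched = {**req, R: frozenset(roles)}
    for conditions, profiles in ENFORCEMENT_POLICY:
        if all(condition_holds(c, enriched) for c in conditions):
            return profiles
    return DENY


def changed_outcomes(requests):
    """The Access Tracker comparison: logins whose enforcement result differs between the algorithms."""
    report = {}
    for name, req in requests.items():
        before = enforce(req, assign_roles(req, FIRST_MATCH))
        after = enforce(req, assign_roles(req, EVALUATE_ALL))
        if before != after:
            report[name] = (before, after)
    return report


# Constructed sample requests: a managed phone, a domain PC that sent no posture token, a healthy one.
_PC = {SRC[0]: "FGA AD", "Authentication:OuterMethod": "PEAP", "Authentication:Status": "Machine",
       NOT_XP[0]: "Windows 10", "Connection:NAD-IP-Address": "10.10.0.5"}
SAMPLE_REQUESTS = {
    "airwatch-phone": {**_PC, "Authentication:OuterMethod": "EAP-TLS", "Authentication:Status": "User",
                       "Endpoint:Ownership": "Corporate", NOT_XP[0]: "iPhone"},
    "domain-pc-no-posture": _PC,
    "domain-pc-healthy": {**_PC, "Tips:Posture": "HEALTHY (0)"},
}

if __name__ == "__main__":
    for name, (before, after) in changed_outcomes(SAMPLE_REQUESTS).items():
        print(f"{name}: {before}  ->  {after}")
```

Run as-is, only the domain PC without a posture token changes outcome: under "first match" it carries "FGA Domain Access" alone, neither posture line of the enforcement policy matches, and the request is denied; under "evaluate all" it additionally picks up "FGA Domain Users Role" from rule 5 and lands on enforcement line 7 (FGA VLAN 999). The managed phone gains two extra roles but still hits enforcement line 3 first, which is why a roles-only diff is not enough and the enforcement profiles sent to the NAS are the column to compare.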

Re: Cert based authentication ClearPass

As mentioned, the issue is because you changed the rules evaluation algorithm to "Evaluate All".

The AirWatch-managed mobile devices were first matching condition #1 in the role mapping when part of AirWatch.

Now with Evaluate All, even without being managed by AirWatch, they fulfill the conditions of condition #5 from the role mapping and get tagged with "FGA Domain Users Role". Since they receive this tag, they are getting pushed the according enforcement profile.

Going to Monitoring -> Audit Viewer will help you roll back the changes if needed.

Satori Internetworking