Contributor I

ClearPass 6.5 with mac-caching auth an expired user can still connect

Hi all,

I'm using CPPM 6.5 for a hotspot SSID with guest self-registration, social login and mac-auth/caching.

My issue is that when a guest account expires, the client is still able to access the network and the login status in the Access Tracker is accept.

In the alert tab I got this message: "Policy server Failed to get value for attributes=[AccountEnabled, AccountExpired]". It seems like it is not able to read the Guest user repository DB to look for those values.

I've created the 2 mac authentication rules using the "Guest authentication with mac caching" template.

I've looked around here in the community as well, but I'm not able to find anything and I'm stuck with the problem.

Anyone with the same issue?

Thank you.

Cheers,

Gabriel


Accepted Solutions
Aruba Employee

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Sorry, I made a mistake and edited my post. Can you not configure the guestlogin role in Airwave instant config?

Thanks,

Zach Jennings



All Replies
Moderator

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Do you have the guest user repository as an authorization source for the MAC-auth service?



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Hi Tim,

Yes, I have, as in the screenshot below:

Cattura.JPG

Moderator

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Please post your role mapping and enforcement policies.



| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Sure, both screenshots are below:

Role.JPG

Enforcement.JPG

Gabriel

Moderator

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Hm. Can you post the access tracker request with the different tabs?




| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Here are all the screenshots:

1summary.JPG

2input.JPG

2input2.JPG

2input3.JPG

3output.JPG

4Alerts.JPG

Gabriel

Aruba Employee

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

ClearPass is working as expected. The captive portal role is being returned in the RADIUS response. The problem is on the controller side. Does the Aruba User role match exactly: guestlogin?

 

Thanks,

Zach Jennings
Contributor I

Re: ClearPass 6.5 with mac-caching auth an expired user can still connect

Hi Zach,

As I'm using Instant APs managed by AirWave, I can't find where I can configure that in the group instant config tab.

But shouldn't it be ClearPass that automatically rejects the connection (because the user is expired), so that the client goes to the captive portal?

Thank you.

Gabriel
