Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - licence utilisation when no MAC address sent by NAS

  • 1.  ClearPass - licence utilisation when no MAC address sent by NAS

    Posted Jan 07, 2015 06:44 PM

    Hi All,

    I've run into an ugly situation where my CPPM servers are not recording licence count for users of the system.

    This appears to be due to my NAS (F5 APM / Juniper SA/SSG) not sending a MAC address through in the RADIUS requests (they are just using generic RADIUS with MSCHAP).

    Has anybody else encountered this issue and if so how did you work around it?

    I'm thinking I may need to customise the attributes sent somehow so that the MAC address of either the user or NAS is sent to ClearPass.

    This presents another issue: if I force a static MAC address from my VPN device, how can ClearPass accurately track the number of users / endpoints when the authentication is effectively done by 1 device, and as such is only 1 endpoint as far as ClearPass is concerned?

    Scott



  • 2.  RE: ClearPass - licence utilisation when no MAC address sent by NAS

    Posted Jan 07, 2015 06:55 PM

    Could you share an export of an Access Tracker event where this occurs?



  • 3.  RE: ClearPass - licence utilisation when no MAC address sent by NAS

    Posted Jan 07, 2015 07:24 PM

    Hi clembo.

    Screenshots attached. It seems the issue (according to TAC / Engineering) is the lack of an End-Host identifier, which is used to track the user in the licence DB.

    Scott



  • 4.  RE: ClearPass - licence utilisation when no MAC address sent by NAS

    Posted Jan 07, 2015 07:29 PM


    Time Message
    2015-01-08 11:25:30,576 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 105:75:CID
    2015-01-08 11:25:30,581 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "AD-Auth-Service"
    2015-01-08 11:25:30,581 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_ldap: searching for user <USERNAME> in AD:<WINDOWS DOMAIN>
    2015-01-08 11:25:30,581 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774289 h=607 r=R00246cc4-20-54adce7a] INFO Core.ServiceReqHandler - Service classification result = AD-Auth-Service
    2015-01-08 11:25:30,584 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_ldap: found user <USERNAME> in AD:<WINDOWS DOMAIN>
    2015-01-08 11:25:30,584 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_ldap: authenticating "<USERNAME>"
    2015-01-08 11:25:30,602 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_ldap: user <USERNAME> authenticated succesfully
    2015-01-08 11:25:30,602 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3014 entity id = 29
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3014
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3014|entityId=29
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3014|entity=Device
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2015-01-08 11:25:30,605 [RequestHandler-1-0x7f33d33b9700 h=40582312 c=R00246cc4-20-54adce7a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2015-01-08 11:25:30,605 [RequestHandler-1-0x7f33d33b9700 h=40582312 c=R00246cc4-20-54adce7a] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2015-01-08 11:25:30,605 [RequestHandler-1-0x7f33d33b9700 h=40582312 c=R00246cc4-20-54adce7a] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2015-01-08 11:25:30,605 [RequestHandler-1-0x7f33d33b9700 h=40582313 c=R00246cc4-20-54adce7a] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map



  • 5.  RE: ClearPass - licence utilisation when no MAC address sent by NAS
    Best Answer

    Posted Mar 03, 2015 05:00 PM
    So after much waiting I have an answer to this problem. ClearPass only uses the end host identifier attribute to count licence utilisation. When this isn't sent by the NAD (such as a firewall / VPN device) then ClearPass can't count the users. Apparently there will be a new licensing model released in 6.5.1 which will correct this issue.

    Scott
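The Access Tracker log in reply 4 shows the two messages that give this condition away ("HostMac missing" from Common.MacAddrAttrProvider and "Connection:Client-Mac-Address is not found"). The script below is an added example, not code from the thread or from HPE Aruba: it parses exported ClearPass RADIUS log lines, groups them by session id, and reports which services (and therefore which NAD types) are authenticating without an end-host identifier, i.e. the sessions the licence counter cannot see. The sample log is constructed; the first session is copied from reply 4, the second session (Rdeadbeef...) is invented as a contrast case that did carry a client MAC.

```python
import re

# Constructed sample in the Access Tracker format quoted in reply 4.
# Session R00246cc4 is the thread's VPN case (no HostMac); session
# Rdeadbeef is a made-up wired 802.1X session with no MAC warnings.
SAMPLE_LOG = """\
2015-01-08 11:25:30,581 [Th 135 Req 2387140 SessId R00246cc4-20-54adce7a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "AD-Auth-Service"
2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
2015-01-08 11:25:30,604 [RequestHandler-1-0x7f33d33b9700 r=psauto-1417832412-4774290 h=655 r=R00246cc4-20-54adce7a] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
2015-01-08 11:26:02,100 [Th 136 Req 2387141 SessId Rdeadbeef-20-54adce9a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Wired-8021X"
2015-01-08 11:26:02,120 [RequestHandler-1-0x7f33d33b9700 h=40582320 c=Rdeadbeef-20-54adce9a] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
"""

# The session id appears as "SessId R..." in RadiusServer lines and as
# "r=R..." / "c=R..." in the RequestHandler lines; both forms are matched.
SESSION_RE = re.compile(r'(?:SessId |\b[rc]=)(R[0-9a-f]{8}-\d+-[0-9a-f]{8})')
SERVICE_RE = re.compile(r'categorized into service "([^"]+)"')
NO_MAC_MARKERS = ("HostMac missing",
                  "Connection:Client-Mac-Address is not found")


def audit_end_host_identifier(log_text):
    """Return {session_id: {"service": name or None, "has_end_host_id": bool}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a per-request line, skip
        entry = sessions.setdefault(m.group(1),
                                    {"service": None, "has_end_host_id": True})
        svc = SERVICE_RE.search(line)
        if svc:
            entry["service"] = svc.group(1)
        if any(marker in line for marker in NO_MAC_MARKERS):
            entry["has_end_host_id"] = False
    return sessions


def services_without_mac(sessions):
    """Services whose requests arrived with no client MAC; ClearPass cannot
    count these sessions toward licence utilisation."""
    return sorted({v["service"] or "<uncategorized>"
                   for v in sessions.values() if not v["has_end_host_id"]})


if __name__ == "__main__":
    report = audit_end_host_identifier(SAMPLE_LOG)
    for sid, info in report.items():
        print(sid, info["service"], "MAC present" if info["has_end_host_id"] else "NO MAC")
    print("services not counted:", services_without_mac(report))
```

Run it over a larger Access Tracker export to get the list of services (and so NADs) that need a Calling-Station-Id or equivalent before their users will show up in the licence count.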