Security

Hi,

 

I have a MacTrac device registration implementation based on the following: http://community.arubanetworks.com/t5/Security/How-To-Advanced-Device-Registration-in-ClearPass-November-MHC/td-p/217291

 

One issue I have noticed is that when an end user removes a previously created device from within CPG it does not also remove it from the Endpoints Repository.

 

Is there any magic you can think of that might work around this?

 

Cheers

Shaun

 

 

I also see a vice versa,

 

Whereby a device is MAC Authenticated with User Caching but does not show up within CPG.

 

Any ideas on how to marry the two together?

 

Cheers

Shaun

Hmm.. Can you verify that you are indeed using Guest Device Repository as authentication source? It sounds like you are using Endpoint Repository - which is the more common/default MACAUTH implementation

That's by design. The endpoint repository is designed to hold information that ClearPass discovered about the device (profile information, etc). There should be no need for it to be removed.

Don't think you read the whole post there Tim. His mac-auth service doesn't take into account the state of the device in the Guest Device Repository. If the device was removed in Guest Device Repository - the mac-auth should fail. To me that looks like it's authenticating based purely on Endpoint database information.

Then the service is misconfigured. Be sure that [GDR] is above [ER] in your authentication source list in the service. Also be sure you're using Allow All MAC Auth.

Yep spot on it was a misconfigured service, I have configured how you described and all is now Ok.

 

Thanks all

 

Chhers

Shaun