Occasional Contributor II

Clearpass Time Source attributes not written correctly to Endpoints DB

Hi,

 

I have got a strange issue using the Endpoint MAC-Auth Expiry = %{Authorization:[Time Source]:} attributes.

 

I used the default attributes and a couple of new ones.

[screenshot]

For testing I configured a custom one to use with Endpoint MAC-Auth Expiry in a Post_Authentication profile, and also used the default ones. But I see the same outcome with the default and the custom attribute.

 

[screenshot]

After the authentication, this is the output I see. It is literally the configuration attribute from Time Sources, not the real date/time value I would expect here. The same happens when using the custom attribute.

[screenshots]

Because the output is not correct, this feature is not working. But I cannot work out what I am missing here to get it to work.

The result is the same when I view the MAC address in the Endpoints DB: literally the configuration from the Time Source, not the date/time itself. So this is not working.

[screenshot]

Any ideas what I am missing here, or doing wrong?

 

Thanks in advance.

Best regards, Martin

 

 

 


Aruba Employee

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Martin,

 

Have you added the [Time Source] into the Authorization section of the Service?

 

Regards Derin

Occasional Contributor II

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Hi Derin,

 

OK, I have added this now. The result is that the date/time is now written correctly. I tested this with the custom attribute now_plus_5min.

So the Endpoint is correctly updated:

[screenshot]

But now the MAC-Auth Expiry does not work. The final piece of the puzzle. This is the role mapping:

[screenshot]

But it is still hitting rule 4, even though Now DT is greater than the MAC-Auth Expiry, so access is granted instead of redirecting back to the portal.

[screenshot]

And thus hitting rule 2 instead of rule 1.

 

In Access Tracker, under Authorization Attributes, my configured custom authorization attribute now_plus_5min is not there, but it should be.

[screenshot]

The MAC-Auth Expiry is under Compound Attributes, however. But it is not working: the Date-Time is later and I am still getting access.

[screenshot]

Any tips on how to get this to work?

 

Thanks and best regards,

Martin

Aruba Employee

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Everything implies that that logical check is true (i.e. now() < Endpoint:MAC-Auth Expiry).

Are you seeing the [Guest] role being passed?

Occasional Contributor II

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Yes, I see this in the access tracker:

[screenshot]

And unfortunately also the role MAC Caching, while the MAC expiry is active.

 

Endpoint attributes:

[screenshot]

Thx.

Occasional Contributor II

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Hi,

 

Short update.

I replaced the:

(Authorization:[Time Source]:Now DT LESS_THAN %{Endpoint:MAC-Auth Expiry})

with this one:

(Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry})

 

So now this is working as expected, but a new problem arises.

 

What I want is to use a click-through portal, and for that you have to use Anonymous Authentication. It is in combination with Cisco Wireless; I got that working as well. We want the guests to go through authentication (click-through) once a day, so that is why I wanted to use the Endpoint:MAC-Auth Expiry feature. This is working now, but after the MAC expiry I am getting an access deny for that MAC address, because when I look at Access Tracker the authentication source stays empty -> none. Why is this? Because the Web Auth takes place first?

[screenshot]

On the Alerts tab, however, this is shown:

[screenshot]

The endpoint is still in the database, as Unknown, but I am using:

Authentication Methods: [Allow All MAC AUTH]

So that cannot be the reason. So, it must be the empty Authentication source?

 

I am puzzled here. Does anyone have a suggestion?

 

Thx. Best regards, Martin

Aruba Employee

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Without seeing the Enforcement Policy I'm purely guessing. If you export the Access Tracker event's detail, it will make it significantly simpler to understand what you are doing.

Irrespective, "Access Denied by Policy" normally indicates that you're failing in the Enforcement Policy. Chances are you are matching the Service's Default Profile.

Occasional Contributor II

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Hi all,

 

Update.
I did some exports and this shows:
Alerts for this Request -
RADIUS: [Endpoints Repository] - localhost: User not found.
[Guest Device Repository] - localhost: User not found.
Applied 'Reject' profile

Not sure why, because this does not happen all the time.
I enabled, in the portal Web Login, the option to update the endpoint in the DB to Known, and since then I have seen no more problems.

So, I leave this with this configuration.

 

FYI, below is the configuration I am using, in case someone has the same requirements in their environment. For testing I use a 5-minute MAC expiry; adjust this to your requirements.


Thanks Derin, for providing me the first hint regarding the [Time Source] into the Authorization.

 

Best regards,
Martin

 

[screenshots]


Aruba Employee

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Martin,

I don't understand why your original time-checking logic did not work. I use something similar and it works fine. Thankfully the Date:Date-Time worked.

 

Also keep in mind that the first time the device connects it will not exist in any database, i.e. Authorization:[Endpoints Repository]:Status = Not_Exist.

If you do not use the profile [Update Endpoint Known] (i.e. set [Endpoints Repository]:Status=Known), subsequent connections will have Authorization:[Endpoints Repository]:Status=Unknown.

Further, if you are doing "quick" testing, make sure you check that the [Endpoints Repository] Authentication Source's Cache Timeout = 0.

This is often set at 300s. Using 0 will disable caching.

Finally, if you delete a device out of the Endpoints, give the system 3-5 minutes to clean itself up before re-testing. I've never got to the bottom of this, but if you don't, you can get some unexpected results.
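
The thread's decision logic (an expiry written by a Time Source attribute, a role-mapping rule `Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry}`, and the Not_Exist / Unknown / Known endpoint states Derin describes) is spread over several posts and screenshots. Below is an offline Python model of that logic, added here as an example; it is not ClearPass code and not anything the participants posted. It assumes that Endpoint:MAC-Auth Expiry is stored as a `YYYY-MM-DD HH:MM:SS` string in the server's local time, and that an attribute whose Time Source was not listed under the service's Authorization sources is written as the unexpanded `%{...}` template text, which is the symptom in the opening post. The sample endpoints are constructed, not taken from the thread's Endpoints DB. `find_unexpanded` is the check worth running over an Endpoints export after changing the service: it lists MACs still carrying template text instead of a timestamp.

```python
"""Offline model of the ClearPass MAC-Auth Expiry logic discussed in this thread.

Added example, not ClearPass code. Assumptions (not confirmed by the thread):
- Endpoint:MAC-Auth Expiry is stored as 'YYYY-MM-DD HH:MM:SS', server local time.
- A Time Source attribute that is missing from the service's Authorization
  sources is written verbatim as '%{...}' template text.
- Endpoint Status is one of Not_Exist, Unknown, Known.
"""
import re
from datetime import datetime, timedelta

DT_FMT = "%Y-%m-%d %H:%M:%S"             # assumed storage format
TEMPLATE_RE = re.compile(r"%\{[^}]*\}")  # an unexpanded %{...} reference


def parse_expiry(value):
    """Return the expiry as a datetime, or None when the attribute is missing,
    is an unexpanded %{...} template, or is not in DT_FMT."""
    if not value or TEMPLATE_RE.search(value):
        return None
    try:
        return datetime.strptime(value, DT_FMT)
    except ValueError:
        return None


def new_expiry(now_str, minutes=5):
    """Model of the custom Time Source attribute 'now_plus_5min' from the
    thread: the value a Post_Authentication profile writes into
    Endpoint:MAC-Auth Expiry."""
    now = datetime.strptime(now_str, DT_FMT)
    return (now + timedelta(minutes=minutes)).strftime(DT_FMT)


def map_role(endpoint, now_str):
    """Model of the role mapping. A Known endpoint whose expiry is still in the
    future keeps [MAC Caching]; a Not_Exist/Unknown endpoint, a missing or
    unparseable expiry, or a past expiry falls to [Guest], which the
    enforcement policy redirects to the click-through portal.

    The comparison is the rule Martin ended up with:
        Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry}
    """
    if endpoint.get("Status") != "Known":
        return "[Guest]"
    expiry = parse_expiry(endpoint.get("MAC-Auth Expiry"))
    if expiry is None:
        return "[Guest]"          # fail closed: no valid expiry, back to portal
    now = datetime.strptime(now_str, DT_FMT)
    return "[MAC Caching]" if now < expiry else "[Guest]"


def find_unexpanded(endpoints):
    """Audit helper: MACs whose MAC-Auth Expiry holds template text instead of
    a timestamp, i.e. endpoints written while the Time Source was missing
    from the Authorization sources."""
    return [mac for mac, attrs in endpoints.items()
            if TEMPLATE_RE.search(attrs.get("MAC-Auth Expiry") or "")]


# Constructed sample data (not from the thread's Endpoints DB).
SAMPLE_ENDPOINTS = {
    "00-11-22-33-44-01": {"Status": "Known",
                          "MAC-Auth Expiry": "2020-03-17 12:05:00"},
    "00-11-22-33-44-02": {"Status": "Known",
                          "MAC-Auth Expiry": "2020-03-17 11:59:59"},
    "00-11-22-33-44-03": {"Status": "Unknown",
                          "MAC-Auth Expiry": "2020-03-17 12:05:00"},
    "00-11-22-33-44-04": {"Status": "Known",
                          "MAC-Auth Expiry": "%{Authorization:[Time Source]:now_plus_5min}"},
}

if __name__ == "__main__":
    now = "2020-03-17 12:00:00"
    print("expiry written at", now, "->", new_expiry(now))
    for mac, attrs in SAMPLE_ENDPOINTS.items():
        print(mac, attrs["Status"], attrs["MAC-Auth Expiry"], "->", map_role(attrs, now))
    print("endpoints with unexpanded templates:", find_unexpanded(SAMPLE_ENDPOINTS))
```

Note the fail-closed choice in `map_role`: an endpoint whose expiry is unparseable (the literal template text from the opening post) is sent back to the portal rather than cached, so a misconfigured Time Source cannot silently grant indefinite MAC-cached access.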

Occasional Contributor II

Re: Clearpass Time Source attributes not written correctly to Endpoints DB

Hi Derin,

 

Thanks for the extra information, great tips and I will keep this in mind in further testing. I'm not quite done yet with all the testing before we will implement this in production. So thanks.

 

Best regards, Martin
