Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Time Source attributes not written correctly to Endpoints DB

  • 1.  Clearpass Time Source attributes not written correctly to Endpoints DB

    Posted Mar 17, 2020 07:58 AM

    Hi,

    I have got a strange issue using the Endpoint MAC-Auth Expiry = %{Authorization:[Time Source]:} attributes.

    I used the default attributes and a couple of new ones.

    [image: MartinVerbon_0-1584444404766.png]

    For testing I configured a custom one to use with Endpoint MAC-Auth Expiry in a Post_Authentication profile, and also used the default ones. But I see the same outcome with the default and the custom attribute.

    [image: Custom attr2.gif]

    After the authentication, this is the output I see. It is literally the configuration attributes in Time Sources and not the real Date Time format I would expect here. And this is the same when using the custom attribute.

    [image: Custom attr.gif]

    [image: Custom attr3.gif]

    Because the output is not correct, this feature is not working. But I cannot discover what I am missing here to get it to work.

    The result is the same when I view the MAC address in the endpoint DB: literally the configuration from the Time Source and not the Date Time itself. So this is not working.

    [image: MartinVerbon_0-1584446063066.png]

    Any ideas what I am missing here, or doing wrong?

    Thanks in advance.

    Best regards, Martin



  • 2.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    EMPLOYEE
    Posted Mar 17, 2020 08:03 AM

    Martin,

    Have you added the [Time Source] into the Authorization section of the Service?

    Regards, Derin



  • 3.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    Posted Mar 17, 2020 08:59 AM

    Hi Derin,

    OK, I have added this now. The result is that the Date Time is now correctly written. Tested this with the custom attribute now_plus_5min.

    So the Endpoint is correctly updated:

    [image: Screen1.gif]

    But now the MAC-Auth Expiry does not work. The final piece of the puzzle. This is the role mapping:

    [image: Screen2.gif]

    But it is still hitting rule 4, while Now DT is greater than the MAC-Auth Expiry. So access is granted instead of redirecting back to the portal.

    [image: Screen3.gif]

    And thus hitting rule 2 instead of rule 1.

    In the access tracker, on the Authorization Attributes, my configured custom authorization attribute now_plus_5min is not there, but it should be.

    [image: Screen4.gif]

    The MAC-Auth Expiry is on the Compound Attributes, however. But it is not working: Date-Time is later and I am still getting access.

    [image: Screen5.gif]

    Any tips on how to get this to work?

    Thanks and best regards,

    Martin



  • 4.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    EMPLOYEE
    Posted Mar 17, 2020 09:06 AM

    Everything implies that the logical check is true (i.e. now() < endpoint:MAC-Auth Expiry).

    Are you seeing the [Guest] role being passed?



  • 5.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    Posted Mar 17, 2020 10:10 AM

    Yes, I see this in the access tracker:

    [image: Screen6.gif]

    And unfortunately also the role MAC Caching while the MAC expiry is active.

    Endpoint attributes:

    [image: Screen8.gif]

    Thx.



  • 6.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    Posted Mar 17, 2020 11:47 AM

    Hi,

    Short update.

    I replaced the:

    (Authorization:[Time Source]:Now DT LESS_THAN %{Endpoint:MAC-Auth Expiry})

    with this one:

    (Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry})

    So now this is working as expected, but a new problem arises.

    What I want is to use a click-through portal, and then you have to use Anonymous Authentication for that. It is in combination with Cisco Wireless; I got that working as well. We want the Guests to go through authentication (click-through) once a day. So that is why I wanted to use the Endpoint:MAC-Auth Expiry feature. This is working now, but after the MAC expiry I am getting a deny access for that MAC address, because when I take a look at the access tracker, the authentication source stays empty -> none. Why is this? Because the web auth is taking place first?

    [image: Screen9.gif]

    At the alerts tab, however, this is shown:

    [image: Screen10.gif]

    The endpoint is still in the database, unknown, but I am using:

    Authentication Methods: [Allow All MAC AUTH]

    So that cannot be the reason. So, it must be the empty Authentication source?

    I am puzzled here. Anyone have a suggestion?

    Thx. Best regards, Martin



  • 7.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    EMPLOYEE
    Posted Mar 18, 2020 08:13 AM

    Without seeing the Enforcement Policy I'm purely guessing. If you "export" the Access Tracker event's detail, it will make it significantly simpler to understand what you are doing.

    Irrespective, "Access Denied by Policy" normally indicates that you're failing in the Enforcement Policy. Chances are you are matching the Service's Default Profile.



  • 8.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB
    Best Answer

    Posted Mar 19, 2020 08:00 AM

    Hi all,

    Update.
    I did some exports and this shows:
    Alerts for this Request -
    RADIUS: [Endpoints Repository] - localhost: User not found.
    [Guest Device Repository] - localhost: User not found.
    Applied 'Reject' profile

    Not sure why, because this does not happen all the time.
    I enabled, in the portal Web Login, updating the endpoint in the DB to Known, and since then no problems have been seen.

    So, I leave it with this configuration.

    FYI, below is the configuration I am using, if someone has the same requirements in their environment. For testing I use the 5 minutes MAC expiry; adjust this to your requirements.

    Thanks Derin, for providing me the first hint regarding the [Time Source] in the Authorization section.

    Best regards,
    Martin

    [images: foto1.gif, foto2.gif, foto3.gif, foto4.gif, foto5.gif, foto6.gif]



  • 9.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    EMPLOYEE
    Posted Mar 19, 2020 09:08 AM

    Martin,

    I don't understand why your original time checking logic did not work. I use something similar and it works fine. Thankfully the Date:Date-Time worked.

    Also keep in mind that the first time the device connects it will not exist in any database, i.e. Authorization:[Endpoints Repository]:Status Not_Exist.

    If you do not use the profile [Update Endpoint Known] (i.e. it sets [Endpoints Repository]:Status=Known), subsequent connections will have Authorization:[Endpoints Repository]:Status=Unknown.

    Further, if you are doing "quick" testing, make sure you check that the [Endpoints Repository] Authentication Source's Cache Timeout = 0.

    This is often set at 300s. Using 0 will disable caching.

    Finally, if you delete a device out of the Endpoints, give the system 3-5 minutes to clean itself up before re-testing. I've never got to the bottom of this, but if you don't you can get some unexpected results.
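The two things the thread turns on, the expiry comparison that post 6 settled on (Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry}) and the endpoint Status / Cache Timeout behaviour post 9 describes, can be replayed outside ClearPass to see why the symptoms appeared. The script below is an added example written for this page; it is not ClearPass code and not from either poster. It assumes a storage format for the expiry timestamp (TIME_FORMAT), a constructed MAC address and clock, and a toy EndpointRepository class whose read cache stands in for the [Endpoints Repository] authentication source's Cache Timeout. It reproduces the post-1 symptom (an unresolved attribute string stored instead of a time, which can never satisfy LESS_THAN), the Not_Exist / Unknown / Known progression, and the stale lookup you get when Cache Timeout is 300 s instead of 0.

```python
from datetime import datetime, timedelta

# Assumed storage format for Endpoint:MAC-Auth Expiry (the thread only shows the
# value in screenshots, so this is an assumption).
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed example of the post-1 defect: the literal attribute reference was
# written to the endpoint instead of a resolved timestamp.
UNRESOLVED_EXPIRY = "%{Authorization:[Time Source]:now_plus_5min}"


class EndpointRepository:
    """Toy stand-in for the [Endpoints Repository] authentication source.

    Lookups for a MAC are served from a cache for cache_timeout seconds, which
    mirrors the Cache Timeout setting (often 300 s; 0 disables caching).
    """

    def __init__(self, cache_timeout_seconds=0):
        self.cache_timeout = timedelta(seconds=cache_timeout_seconds)
        self._store = {}   # mac -> attributes written by post-authentication
        self._cache = {}   # mac -> (fetched_at, snapshot)

    def lookup(self, mac, now):
        cached = self._cache.get(mac)
        if cached is not None and now - cached[0] < self.cache_timeout:
            return cached[1]                      # stale, but inside the cache window
        record = self._store.get(mac)
        snapshot = dict(record) if record else {"Status": "Not_Exist"}
        self._cache[mac] = (now, snapshot)
        return snapshot

    def post_auth_update(self, mac, now, minutes, update_endpoint_known):
        """Write MAC-Auth Expiry = now + minutes; Status becomes Known only when
        the [Update Endpoint Known] profile is applied, otherwise Unknown."""
        self._store[mac] = {
            "Status": "Known" if update_endpoint_known else "Unknown",
            "MAC-Auth Expiry": (now + timedelta(minutes=minutes)).strftime(TIME_FORMAT),
        }


def parse_expiry(value):
    """Return the stored expiry as a datetime, or None if it is not a timestamp."""
    try:
        return datetime.strptime(value, TIME_FORMAT)
    except (TypeError, ValueError):
        return None


def role_mapping(endpoint, now):
    """Evaluate a role mapping in order and return the assigned roles.

    1. Status Not_Exist (first connection)                      -> [Guest] (portal)
    2. Date:Date-Time LESS_THAN %{Endpoint:MAC-Auth Expiry}     -> MAC Caching
    3. otherwise the expiry has passed or is unparseable        -> [Guest] (portal)
    """
    if endpoint.get("Status") == "Not_Exist":
        return ["[Guest]"]
    expiry = parse_expiry(endpoint.get("MAC-Auth Expiry"))
    if expiry is not None and now < expiry:
        return ["MAC Caching"]
    return ["[Guest]"]


def run_scenarios():
    """Replay the thread's situations on constructed data; returns a result dict."""
    mac = "00-11-22-33-44-55"                # constructed sample MAC
    t0 = datetime(2020, 3, 17, 8, 0, 0)      # constructed clock
    results = {}

    # Cache Timeout = 0, as recommended for quick testing: every lookup is fresh.
    repo = EndpointRepository(cache_timeout_seconds=0)
    results["first_connect"] = role_mapping(repo.lookup(mac, t0), t0)
    repo.post_auth_update(mac, t0, minutes=5, update_endpoint_known=True)
    t2 = t0 + timedelta(minutes=2)
    t6 = t0 + timedelta(minutes=6)
    results["within_5min"] = role_mapping(repo.lookup(mac, t2), t2)
    results["after_5min"] = role_mapping(repo.lookup(mac, t6), t6)
    results["status_after_update"] = repo.lookup(mac, t6)["Status"]

    # Post-1 symptom: an unresolved attribute string never satisfies LESS_THAN.
    results["unresolved"] = role_mapping(
        {"Status": "Known", "MAC-Auth Expiry": UNRESOLVED_EXPIRY}, t0)

    # Cache Timeout = 300 s: the Not_Exist answer is served again after the write.
    cached = EndpointRepository(cache_timeout_seconds=300)
    cached.lookup(mac, t0)
    cached.post_auth_update(mac, t0, minutes=5, update_endpoint_known=False)
    results["stale_status"] = cached.lookup(mac, t0 + timedelta(seconds=60))["Status"]
    results["fresh_status"] = cached.lookup(mac, t0 + timedelta(seconds=301))["Status"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The "stale_status" result is the test-time trap from post 9: with a 300 s cache the device still looks like Not_Exist a minute after the post-authentication write, so a re-test inside that window exercises the wrong rule regardless of what was written.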



  • 10.  RE: Clearpass Time Source attributes not written correctly to Endpoints DB

    Posted Mar 19, 2020 09:20 AM

    Hi Derin,

    Thanks for the extra information, great tips, and I will keep this in mind in further testing. I'm not quite done yet with all the testing before we implement this in production. So thanks.

    Best regards, Martin