Security

Occasional Contributor II

Clearpass machine auth cache

I see in the configuration of the server on the top right of the screen there is a clear machine authentication cache link. This is good for clearing either per node or system-wide (appears to be a system-wide option in 6.7), but is there a way to clear a specific targeted machine auth vs the entire cache? Also, can you view the machine auth cache DB to determine time left for systems?

Guru Elite

Re: Clearpass machine auth cache

No, there is not. You can, however, create your own machine auth cache rules using endpoint attributes.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
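As an added illustration of the endpoint-attribute approach suggested in the reply above (example code written for this page, not ClearPass's own code and not part of the original reply): the logic models stamping a machine-auth timestamp on the endpoint record after a successful machine authentication and checking its age at user-auth time, which gives you the two things the built-in cache does not expose, a per-device clear and a view of the time remaining. In ClearPass this would be implemented with a post-authentication enforcement profile that writes the endpoint attribute and a role-mapping or enforcement condition that reads it; the attribute name, the 24-hour lifetime and the MAC addresses used here are assumptions. Because endpoint records are keyed by MAC address, the wired and wireless interfaces of one PC are separate entries, so a wired machine auth does not satisfy a later wireless user auth under this scheme either.

```python
"""Machine-auth cache modelled on endpoint attributes (added example, not ClearPass code).

An in-memory stand-in for the endpoint repository is used so the logic runs
offline; attribute name, TTL and MAC addresses are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

MACHINE_AUTH_ATTR = "MachineAuthTime"   # assumed endpoint attribute name
CACHE_TTL = timedelta(hours=24)          # assumed cache lifetime; tune to policy


class EndpointStore:
    """Minimal endpoint repository keyed by MAC address, as ClearPass endpoints are."""

    def __init__(self):
        self.endpoints = {}

    def set_attr(self, mac, name, value):
        self.endpoints.setdefault(mac.lower(), {})[name] = value

    def get_attr(self, mac, name):
        return self.endpoints.get(mac.lower(), {}).get(name)

    def clear_attr(self, mac, name):
        self.endpoints.get(mac.lower(), {}).pop(name, None)


def record_machine_auth(store, mac, when):
    """Post-auth step: stamp the endpoint with the time of a successful machine auth."""
    store.set_attr(mac, MACHINE_AUTH_ATTR, when.isoformat())


def machine_auth_remaining(store, mac, now):
    """Time left in the custom cache for this endpoint, or None if absent or expired."""
    stamp = store.get_attr(mac, MACHINE_AUTH_ATTR)
    if stamp is None:
        return None
    remaining = datetime.fromisoformat(stamp) + CACHE_TTL - now
    return remaining if remaining > timedelta(0) else None


def user_auth_allowed(store, mac, now):
    """Role-mapping condition: user auth passes only with an unexpired machine-auth stamp."""
    return machine_auth_remaining(store, mac, now) is not None


def clear_machine_auth(store, mac):
    """Targeted clear for one endpoint, which the built-in cache does not offer."""
    store.clear_attr(mac, MACHINE_AUTH_ATTR)


def demo():
    """Walk through the wired/wireless scenario and return the observed results."""
    store = EndpointStore()
    wired_mac = "AA:BB:CC:DD:EE:01"     # constructed: PC's wired NIC
    wireless_mac = "AA:BB:CC:DD:EE:02"  # constructed: same PC's wireless NIC
    boot = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)

    record_machine_auth(store, wired_mac, boot)        # machine auth on the wired port
    one_hour_later = boot + timedelta(hours=1)
    remaining = machine_auth_remaining(store, wired_mac, one_hour_later)

    results = {
        # user logs in on the wired port an hour later: stamp is fresh
        "wired_user_auth_ok": user_auth_allowed(store, wired_mac, one_hour_later),
        # same PC moves to wireless: different MAC, no stamp on that endpoint
        "wireless_user_auth_ok": user_auth_allowed(store, wireless_mac, one_hour_later),
        # time left is visible, unlike the built-in cache
        "remaining_hours": remaining.total_seconds() / 3600,
        # after the TTL the stamp no longer satisfies the condition
        "expired_after_ttl": user_auth_allowed(store, wired_mac, boot + timedelta(hours=25)),
    }
    clear_machine_auth(store, wired_mac)               # targeted clear of one machine
    results["cleared"] = machine_auth_remaining(store, wired_mac, boot) is None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The MAC is lower-cased before use because ClearPass normalises endpoint MAC addresses; the stamp is stored as an ISO 8601 string since endpoint attributes hold text. If you want the wireless interface to inherit the wired result you would need a key shared by both interfaces, which the endpoint model does not give you.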
Occasional Contributor II

Re: Clearpass machine auth cache

You cannot remove a single machine from the cache or you cannot view the entire cache to see when a system's cache time is up? Which one, or do you mean no to both? Thank you for the reply and the help! I just need some clarification. 

 

Jeff 

Guru Elite

Re: Clearpass machine auth cache

Neither are possible.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass machine auth cache

Okay thank you very much for the assistance with this. 

Occasional Contributor II

Re: Clearpass machine auth cache

One last question on the machine cache. Since we are using PEAP and MS-CHAP for the inner, does CPPM see the same system via the system name regardless of wired or wireless connection? Scenario: PC boots up on wired and does a successful machine auth. User logs in and CPPM checks to ensure a previous machine auth occurred, which it will find in the cache. User is then allowed on (mach + user auth required). When the same user switches to wireless and the wireless authentication happens, I assume that a machine auth will not be required since the wired auth occurred and the system is still cached. I know the MACs are different but the system name is the same. My concern is when a user switches to wireless they are being allowed on, and no machine auth shows in Access Tracker, and I am just curious how CPPM is tying the wireless attempt to the wired machine auth given no system name has been sent by the machine for the wireless connection. Do we have a configuration error in CPPM possibly?

Guru Elite

Re: Clearpass machine auth cache

No, it’s per network interface. EAP-TLS should be used if you require a consistent identity.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass machine auth cache

Thank you, we have switched to EAP-TLS as the machine auth method at this point and things are working much better. Thank you for the advice. I did notice on the ClearPass server for the EAP-TLS authentication method that there are a couple of options checked that I am unsure of: session resumption and session timeout. I think I know what session resumption provides, and for that to work I would need fast reconnect configured on the supplicant, correct?

And I am not sure what the session timeout is all about. We have customized that down to 1 hour from 6, but that was done a while ago and I have no idea why. Could you please advise what that setting is all about? I have drawn no info from the searches so far. Thank you for all the help!

 

Jeff 

Guru Elite

Re: Clearpass machine auth cache

You can disable session resumption. It is not supported across a cluster.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass machine auth cache

Really? Thank you for that. We are running 6.7.7; does that still hold true for that version?
