I’m trying to configure 802.1X machine+user authentication in a wired Cisco network. I’m using ClearPass Policy Manager 6.8.3.110034.
In my 802.1X service I want an Endpoint attribute to be set to true after the machine is authenticated successfully.
If a user is then trying to authenticate, the “MachineAndUserAuthenticated-Role” role is applied if the Endpoint attribute was set to true.
If the “MachineAndUserAuthenticated-Role” role was applied after successful authentication, the user is authorized to access VLAN2; if not, the user is authorized to access VLAN1.
This configuration is working well except for one case. After a machine is authenticated successfully, the Endpoint is added to the Endpoints repository and it has the custom Endpoint attribute set to true. I have also set “Machine Authentication Cache Timeout” to one hour.
I wanted to test whether, after one hour, the user will still be authorized to access VLAN2 if machine authentication isn’t executed again. I expected it wouldn’t be possible, but the user is authorized to access VLAN2 no matter how long I wait (1, 2, 3 h…). To make sure that successful machine authentication won’t occur again, I temporarily modify a rule so that it won’t be matched.
After I manually delete the endpoint from the repository it works as expected: the endpoint attribute is not being set to true after machine authentication and the user is authorized to access VLAN1 only.
I made this configuration based on some examples found on the forum. I thought the Endpoint attribute would be cleared after the “Machine Authentication Cache Timeout” has passed, but maybe I didn’t understand the concept. Can someone tell me how to set up this configuration so that the user won’t be authorized to access VLAN2 if the “Machine Authentication Cache Timeout” has passed and the machine wasn’t authenticated again?