Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Failed to get value for attributes for profiled devices?

  • 1.  Failed to get value for attributes for profiled devices?

    Posted Dec 23, 2019 11:28 AM

    We have an 802.1X Wireless Service that moves through two phases.

    In Phase 1, any device with valid AD credentials is allowed on the network and has their status marked as known through post-auth enforcement.

    In Phase 2, only "Known" devices with valid AD credentials are allowed on.


    Occasionally in Phase 2 it seems we get an Access Reject where a device has used valid credentials. In Access Tracker, the Alerts tab shows something along the lines of "Failed to get value for attributes =[OS Family, Status]." It's as if ClearPass fails to read the device attributes from the endpoint database.


    I can see a previous access tracker hit where the device is allowed on and marked known. The device has also been successfully profiled as a Windows machine through DHCP fingerprint. Endpoints is marked as an authorization source for the service.


    Any explanation for why we sometimes don't pull attributes from the endpoint repository?



  • 2.  RE: Failed to get value for attributes for profiled devices?

    MVP
    Posted Dec 23, 2019 03:22 PM

    If I understood your setup correctly, are you trying to enforce Machine Authentication as "Known" for phase 2?

    If so, it is logical that it can work with a Windows machine, if the Windows machine was part of the domain. However, mobile devices cannot be part of the domain and therefore can be rejected.




  • 3.  RE: Failed to get value for attributes for profiled devices?

    Posted Dec 23, 2019 03:29 PM

    Sorry, I could have been more clear. I was using Windows machines as an example device, not that we are doing Machine auth specifically.


    We're just looking for any valid AD credentials and a Known status.


    Known status is updated automatically through post-auth enforcement on one service.

    On another service, we check to see if the device is marked as Known before allowing it on. It's sort of like a grandfathering process.


    I'm trying to determine if ClearPass sometimes fails to update the device as known, or if ClearPass sometimes fails to read the endpoint database to get the Known attribute.




  • 4.  RE: Failed to get value for attributes for profiled devices?

    EMPLOYEE
    Posted Dec 24, 2019 09:40 AM

    If you have a condition in the enforcement policy to update a newly associating device as known, then it should update the device as known in the Endpoint repository.


    Is the device which is not profiled as known hitting the proper service, and do you see any difference from the Windows devices which are getting profiled as known?




  • 5.  RE: Failed to get value for attributes for profiled devices?

    Posted Dec 24, 2019 10:28 AM

    @Pavan Arshewar wrote:

    If you have a condition in the enforcement policy to update a newly associating device as known, then it should update the device as known in the Endpoint repository.

    We have this, and all of my testing shows that it works.

    However, occasionally I'll see devices that have hit the service which are not marked known.


    For example, I was tracking one device by host MAC address in Access Tracker. I saw it authenticate successfully against one service and get marked known in the Output tab. Then a few days later, that same device fails to authenticate against the new service because it is not marked known.


    To clarify: Service 1 is just 802.1X user credentials and marks successful auths as known. Service 2 requires a known device with user credentials. It works for almost all devices; we just occasionally see the issue where a device should have been marked as known, but it's not.


    I'm trying to figure out if it's a bug or if there is some other mechanism within ClearPass that will unmark the Known flag. Perhaps a Reject or something is making Known devices Unknown?

    We have clean-up intervals of 60 days for Known devices, but the time between successful auth and failed auth for being unknown is only a couple of days.
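The question the thread keeps circling back to (post 3 and post 5) is whether the Known update never happened or whether it happened and a later lookup failed. The script below is an added example, not code from the thread, from HPE Aruba, or from ClearPass itself: it models the two-service "grandfathering" design (Service 1 marks successful 802.1X endpoints Known through post-auth enforcement, Service 2 requires Status=Known) over Access Tracker-style records and sorts each reject that carries the "Failed to get value for attributes" alert into one of three buckets. The record layout, field names, MAC addresses, and timestamps are constructed for illustration; a real export would need its own column mapping.

```python
"""Triage helper for the two-service Known/Unknown design discussed above.

For every REJECT that carries the attribute-lookup alert, look back through
the same MAC's history for an ACCEPT on Service 1 whose post-auth output
marked the endpoint Known, then classify:
  known-update-never-observed  - no earlier Known update for this MAC at all
  cleanup-window-exceeded      - a Known update exists, but older than the
                                 Known-device cleanup interval (60 days here)
  known-then-lookup-failed     - a recent Known update exists, so the later
                                 failure is on the read side, not the update
The record layout and sample values are constructed for this example and are
not a format ClearPass guarantees.
"""
from datetime import datetime, timedelta

ATTR_ALERT = "Failed to get value for attributes"
CLEANUP_DAYS = 60  # Known-device cleanup interval quoted in the thread

# Constructed sample records (not real Access Tracker data).
SAMPLE_RECORDS = [
    {"ts": "2019-12-10 09:00", "mac": "00-11-22-33-44-55", "service": "Service 1",
     "result": "ACCEPT", "alerts": "", "output": "Endpoint: Status=Known"},
    {"ts": "2019-12-13 08:15", "mac": "00-11-22-33-44-55", "service": "Service 2",
     "result": "REJECT", "output": "",
     "alerts": "Failed to get value for attributes =[OS Family, Status]"},
    {"ts": "2019-12-12 10:00", "mac": "aa-bb-cc-dd-ee-01", "service": "Service 2",
     "result": "REJECT", "output": "",
     "alerts": "Failed to get value for attributes =[OS Family, Status]"},
    {"ts": "2019-09-01 12:00", "mac": "aa-bb-cc-dd-ee-02", "service": "Service 1",
     "result": "ACCEPT", "alerts": "", "output": "Endpoint: Status=Known"},
    {"ts": "2019-12-20 12:00", "mac": "aa-bb-cc-dd-ee-02", "service": "Service 2",
     "result": "REJECT", "output": "",
     "alerts": "Failed to get value for attributes =[OS Family, Status]"},
    {"ts": "2019-12-11 09:00", "mac": "aa-bb-cc-dd-ee-03", "service": "Service 2",
     "result": "ACCEPT", "alerts": "", "output": ""},
]


def parse_ts(value):
    """Parse the constructed timestamp format used in SAMPLE_RECORDS."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def marked_known(rec):
    """True if this record is a successful auth whose post-auth output set Known."""
    return rec["result"] == "ACCEPT" and "Status=Known" in rec["output"]


def triage(records, cleanup_days=CLEANUP_DAYS):
    """Return {mac: verdict} for each reject that carries the attribute alert."""
    by_mac = {}
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        by_mac.setdefault(rec["mac"].lower(), []).append(rec)

    verdicts = {}
    for mac, history in by_mac.items():
        for idx, rec in enumerate(history):
            if rec["result"] != "REJECT" or ATTR_ALERT not in rec["alerts"]:
                continue
            earlier_known = [p for p in history[:idx] if marked_known(p)]
            if not earlier_known:
                verdicts[mac] = "known-update-never-observed"
                continue
            gap = parse_ts(rec["ts"]) - parse_ts(earlier_known[-1]["ts"])
            if gap > timedelta(days=cleanup_days):
                verdicts[mac] = "cleanup-window-exceeded"
            else:
                verdicts[mac] = "known-then-lookup-failed"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in triage(SAMPLE_RECORDS).items():
        print(f"{mac}: {verdict}")
```

Run against an Access Tracker export filtered to the two services, the "known-then-lookup-failed" bucket is the one that matches the symptom described in the thread (a Known update a few days before the reject) and is the set of sessions worth raising with support; the other two buckets point at the enforcement profile or the cleanup interval instead.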