Hello,
I am encountering a strange issue with a client. Figured I would post here to try and find out from others if I'm breaking any best practice rules before taking this to TAC.
My client makes fairly heavy use of Guest device MAC authentication in their deployment. It's a convention centre, so for events some of the guests will bring their own router, etc. to plug into the network and then connect to that. Convention centre staff are trained on adding the MAC address to Guest and selecting the appropriate guest role (6 different roles, with varying dACLs that set rate limits on the ports).
CPPM 6.5.6
Role mapping policy contains statements to assign proper guest role:
GuestUser:Role ID --> equals --> <num> --> <role>
This works great; however, when I try to add statements to the role mapping policy to check the account status (disabled, not expired), I get errors like this on the Alerts tab in Access Tracker:
Example of additional statement in role mapping policy:
Authorization:Guest User Repository --> AccountEnabled --> EQUALS --> true
Authorization:Guest User Repository --> AccountExpired --> EQUALS --> false
Output from access tracker in alerts tab:
Failed to construct filter=SELECT
CASE WHEN expire_time is null or expire_time > now() THEN 'false'
ELSE 'true'
END AS is_expired,
CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
Failed to get value for attributes=[AccountEnabled]
I've attempted to also put these checks in the enforcement policy, but encounter the same results.
My MAC auth service has the following authentication sources (in order):
[Guest Device Repository]
[Guest User Repository]
[Endpoints Repository]
[some static host lists for internal devices]
Authorization sources (in order):
[Guest Device]
[Guest User]
[Endpoints]
[Insight]
[Time Source]
Here's the weird part. Sometimes it works, often it does not. It will especially fail if I make any changes to the guest device account (switch role, etc.).
I've been told by the network administrator that if he reboots the subscriber node from the cluster (the node handling all the auth requests), it will work again, for a time. Eventually though, role derivation will once again fail, and all the devices attempting to authenticate from the guest device list will instead receive the default wired captive portal profile.
I'm going to try to reproduce this in my lab at home tonight, but I'm very perplexed by this. I haven't been able to reliably reproduce the issue on site (copying the service/role policies/enforcement policies, and assigning a network switch to a select group that will only authenticate on the copied service).
Should I be enabling post authentication policies to update the attributes in the endpoint database? Is this normal? Those authorization calls to the guest user repository are the same ones used in the MAC caching templates as well. Would upgrading to 6.6 solve this? I looked over release notes for fixes and can't find anything relating to it.
Sorry if I've missed details. Typed this in a hurry. If anyone has any ideas please let me know.
Thanks
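Added example (not part of the post above, and not CPPM's own code): a lab reproduction of the filter shown in the Access Tracker alert, so you can see exactly what the two CASE expressions return for a given guest user row and what happens when the WHERE clause matches nothing. It runs the query transcribed from the alert against a constructed SQLite table that has only the columns the query names (tips_guest_users, user_id, guest_type, app_name, enabled, expire_time); this is an assumed stand-in, not the real CPPM schema. Two dialect substitutions are needed because CPPM runs Postgres and this runs SQLite: now() becomes datetime('now') and the boolean enabled = true becomes enabled = 1. The alert shows the WHERE clause carrying the literal text %{Endpoint:Username}; whether that macro was substituted before execution is not something the alert alone settles, so the example runs the filter both with a real MAC and with that literal string. The MAC addresses and dates are constructed sample data.

```python
import sqlite3

# Constructed sample rows (user_id, guest_type, app_name, enabled, expire_time).
# Only the columns referenced by the CPPM filter are modelled; everything else is assumed.
SAMPLE_ROWS = [
    ("00-11-22-33-44-55", "USER", "Guest",   1, None),                   # enabled, never expires
    ("aa-bb-cc-dd-ee-ff", "USER", "Guest",   1, "2000-01-01 00:00:00"),  # enabled, already expired
    ("12-34-56-78-9a-bc", "USER", "Guest",   0, "2099-12-31 23:59:59"),  # disabled, not expired
    ("de-ad-be-ef-00-01", "USER", "Onboard", 1, None),                   # excluded by app_name
]

# Transcribed from the Access Tracker alert. Dialect changes for SQLite only:
# now() -> datetime('now'), enabled = true -> enabled = 1. The user_id value is
# bound as a parameter where CPPM embeds %{Endpoint:Username} as a literal.
FILTER_SQL = """
SELECT
  CASE WHEN expire_time IS NULL OR expire_time > datetime('now') THEN 'false'
       ELSE 'true'
  END AS is_expired,
  CASE WHEN enabled = 1 THEN 'true' ELSE 'false' END AS is_enabled
FROM tips_guest_users
WHERE (guest_type = 'USER') AND (user_id = ?) AND (app_name != 'Onboard')
"""


def build_db():
    """In-memory stand-in for the guest user table (assumed columns, constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tips_guest_users ("
        "user_id TEXT, guest_type TEXT, app_name TEXT, enabled INTEGER, expire_time TEXT)"
    )
    con.executemany("INSERT INTO tips_guest_users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def authorization_attributes(con, endpoint_username):
    """Run the filter for one endpoint username.

    Returns {'AccountExpired': ..., 'AccountEnabled': ...} when exactly the row CPPM
    would read exists, or None when the filter matches no row, which is the situation
    behind 'Failed to get value for attributes=[AccountEnabled]'.
    """
    row = con.execute(FILTER_SQL, (endpoint_username,)).fetchone()
    if row is None:
        return None
    is_expired, is_enabled = row
    return {"AccountExpired": is_expired, "AccountEnabled": is_enabled}


def guest_checks_pass(attrs):
    """Evaluate the two role mapping conditions from the post:
    AccountEnabled EQUALS true AND AccountExpired EQUALS false.
    With no attributes there is nothing to compare, so the rule cannot match."""
    if attrs is None:
        return False
    return attrs["AccountEnabled"] == "true" and attrs["AccountExpired"] == "false"


if __name__ == "__main__":
    con = build_db()
    for username in [r[0] for r in SAMPLE_ROWS] + ["%{Endpoint:Username}"]:
        attrs = authorization_attributes(con, username)
        print(f"{username:24} attrs={attrs} passes={guest_checks_pass(attrs)}")
```

Running it shows the enabled, unexpired MAC yielding AccountEnabled=true / AccountExpired=false, the expired and disabled rows failing one condition each, and both the Onboard row and the literal %{Endpoint:Username} string producing no row at all, so no attribute value can be derived for them. If the same lookup on the production node alternates between returning a row and returning nothing for an unchanged MAC, the variable is the value being substituted into user_id (or the row itself), not the CASE logic.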