This message is ideally for Herman Robers, but at this point, I am open for anyone to answer. Referencing his workshop series ( https://community.arubanetworks.com/t5/Security/Aruba-ClearPass-Workshop-Video-series/td-p/291597 ), I am struggling and trying to figure out what I am doing wrong. I have in my head that when a MAC Auth takes place, including using the Wizard for setting things up, if you fail MAC auth or get a reject, the next logical step would be to push the endpoint/user/guest, etc., to your ClearPass portal.
I have reset my configs so many times, I have no idea what rev I'm trying (enter definition of insanity :) ).
Here's the big picture of what I am trying to do... I have the controller set the role the end device gets, based on the SSID they connect to. I then am thinking this role carries over into ClearPass, where you can set the requirements/criteria up so if you get a "preauth" role, and you're connected to an SSID, say Test1, you will go to MAC auth. If you don't exist in the DB, then you should be directed to sign up, etc., via captive portal.
By following the guest section, and the roles via the workshop series, I believe I have everything set up correctly... however, according to the wizard, Guest authentication with MAC caching, I'm missing something.
Herman, I am blown away by your videos and how awesome they are in comparison to other versions out there. Is there any way you can revisit this workshop series and do one for a controller (instead of an instant AP) that fits my scenario perhaps? I'm questioning my auth sources, if they are accurate or not, or if I am using the correct DB(s).
I am using 6.7 code with the latest patch...
Is there a flow chart of how this all works for the radius authentication?
Again, hats off to the workshop series... impressive...thank you!
This is a copy of my error message:
Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request
Policy server:
  Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
  Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS:
  [Endpoints Repository] - localhost: User not found.
  [Guest Device Repository] - localhost: User not found.
  [Insight Repository] - 10.172.1.10: User not found.
  MAC-AUTH: MAC Authentication attempted by unknown client, rejected.