Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Caching with deleted accounts

  • 1.  MAC Caching with deleted accounts

    Posted Jul 17, 2014 06:38 PM

    Hoping someone here has seen this and can tell me what I might be missing. We are setting up guest users to be granted access immediately (no sponsor approval), but send the sponsor an email with the option to reject the client. This works and has been accomplished by changing the initial role of the “enabled” field in Forms & Views to 1. The guest account becomes active while sending the sponsor email (as defined under the Guest Self-Registration). What I am seeing is that the reject works correctly (CoA back to the controller), the user is disconnected and the account is deleted from the guest user repository, but as soon as the client is disconnected, they are able to MAC cache with a deleted account. Has anyone seen this or know what I need to do to stop this from happening?



  • 2.  RE: MAC Caching with deleted accounts

    EMPLOYEE
    Posted Jul 17, 2014 07:27 PM

    Add a rule at the top of your MAC cache service that uses the Guest-Check authorization source.

     

    Guest-MAC-Chec:UserNAME   NOT_EXISTS   GUEST-REGISTRATION PROFILE



  • 3.  RE: MAC Caching with deleted accounts

    Posted Jul 21, 2014 03:58 PM

    Thanks Tim for pointing me in the correct direction. In the newer version of CPPM, the service auto-creates the MAC-Guest-Check:UserName EXISTS in the enforcement policy; this is what was missing.