Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC User ID account created at the Guest page expired but still able to connect to the network

  • 1.  MAC User ID account created at the Guest page expired but still able to connect to the network

    Posted Jul 08, 2013 11:57 PM

    Hi, I'm doing a test for MAB in which the source of authorization is the Guest operator registration page.

    I key in the PC's MAC address in the Guest registration page. I noticed when the account expired:

    - tried manually making the account expire (at the guest operator page, change the expiration of the guest device to -> now)

    - tried setting the account expiration to -> 1 hour later.

    I tried both of the above and the device is still able to connect using MAB via ClearPass, even though the account has already expired. Is there any additional setting needed to reject the connection after the account expires?



  • 2.  RE: MAC User ID account created at the Guest page expired but still able to connect to the network

    EMPLOYEE
    Posted Jul 09, 2013 12:29 AM

    Is the user still authenticated on the controller?  The "aaa user delete" command is useful for making sure that the account is not still authenticated to the controller.

     

    If the account is not authenticated on the controller, then Access Tracker is useful for figuring out what service is authenticating it.

     

     



  • 3.  RE: MAC User ID account created at the Guest page expired but still able to connect to the network

    Posted Jul 09, 2013 03:54 AM

    Hi dancomfort, thanks for the reply.

    I am doing a MAB test for a wired network, and the authorization source is the Guest Device Repository.

    The PC's MAC was created in the ClearPass Guest portal to allow the PC to access the LAN. When I manually set the account to expire, ClearPass still allows the PC to connect to the network.

    Thanks



  • 4.  RE: MAC User ID account created at the Guest page expired but still able to connect to the network

    EMPLOYEE
    Posted Jul 09, 2013 04:15 AM
    Can you post screenshots of the service, roles and enforcement you are using? From the information you posted it's hard to figure out where the break is.

    You say you're using Guest as an authorization source, but how are you using it? If it's just an authorization source with no triggers, then we are only looking to see whether the user exists in the guest database.


  • 5.  RE: MAC User ID account created at the Guest page expired but still able to connect to the network

    Posted Jul 09, 2013 11:49 AM

    Hi Troy, thank you for the response.

    Sorry for the late reply.

    Service: MAC Authentication Bypass

    Authentication Method: [Allow All MAC AUTH]

    Authentication Source: [Guest Device Repository][Local SQL DB]

    Authorization Source: [Guest Device Repository][Local SQL DB]

    Attributes Fetched From: [Guest Device Repository][Local SQL DB]

    Role mapping:

    (GuestUser:[Role ID] EQUALS 1)                     [Contractor]

    Enforcement:

    (Tips:Role EQUALS [Contractor]) AND (Tips:Posture EQUALS HEALTHY(0))                    Downloadable ACL Access

    Guest portal page to create the device (please see attached Untitled.jpg)

    In CPPM > Identity > Guest User, the account has already expired, but the device is still able to connect and ping the hosts permitted by the ACL defined in the enforcement profile.

    Thanks and regards

     

     



  • 6.  RE: MAC User ID account created at the Guest page expired but still able to connect to the network
    Best Answer

    Posted Jul 10, 2013 08:28 AM

    Changing the Authentication Method to "MAC Auth" solved the issue. MAC Auth by default will deny "unknown" devices and look up the information in the authentication source.
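
The following is an added example, not part of the thread and not ClearPass code. It is a toy model of the service configuration posted in reply 5 (Allow All MAC AUTH as the authentication method, the Guest Device Repository as authorization source, Role ID 1 mapped to Contractor, the Contractor + HEALTHY rule handing out the downloadable ACL) and of the fix in the best answer (MAC AUTH, which denies a MAC that is unknown or expired in the authentication source). The repository schema, the attribute names and the exact semantics of the two methods are simplifying assumptions; the point it shows is that when authentication is "allow all", the only thing standing between an expired device and the ACL is whether the authorization fetch still returns its Role ID, so the device keeps getting through.

```python
"""Toy model of a MAB service: "Allow All MAC AUTH" vs "MAC AUTH".

Added example, not ClearPass code. The device-repository schema, the
attribute names and the behaviour of the two authentication methods are
simplifying assumptions chosen to reproduce the symptom in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DeviceAccount:
    """One row of the (assumed) guest device repository."""
    mac: str
    role_id: int
    expire_time: Optional[datetime]  # None means the account never expires
    enabled: bool = True

    def is_valid(self, now: datetime) -> bool:
        return self.enabled and (self.expire_time is None or now < self.expire_time)


class GuestDeviceRepository:
    """Stand-in for [Guest Device Repository][Local SQL DB]."""

    def __init__(self, accounts):
        self._by_mac = {a.mac.lower(): a for a in accounts}

    def authenticate(self, mac: str, now: datetime) -> bool:
        """What the MAC AUTH method asks: is this a known, unexpired device?"""
        acct = self._by_mac.get(mac.lower())
        return acct is not None and acct.is_valid(now)

    def fetch_attributes(self, mac: str) -> dict:
        """Authorization fetch, assumed here to ignore expiry (it only
        needs the row to exist to return its attributes)."""
        acct = self._by_mac.get(mac.lower())
        return {"Role ID": acct.role_id} if acct else {}


# Role mapping from reply 5: (GuestUser:[Role ID] EQUALS 1) -> [Contractor]
ROLE_MAP = {1: "Contractor"}


def evaluate_mab(method: str, repo: GuestDeviceRepository, mac: str,
                 posture_healthy: bool = True, now: Optional[datetime] = None) -> dict:
    """Run one MAB request through authentication, role mapping and enforcement."""
    now = now or datetime.now(timezone.utc)

    # 1. Authentication method
    if method == "ALLOW_ALL_MAC_AUTH":
        authenticated = True                      # any MAC is accepted
    elif method == "MAC_AUTH":
        authenticated = repo.authenticate(mac, now)  # must exist and be unexpired
    else:
        raise ValueError(f"unknown method {method!r}")
    if not authenticated:
        return {"result": "REJECT", "reason": "unknown or expired device"}

    # 2. Authorization attributes and role mapping
    attrs = repo.fetch_attributes(mac)
    role = ROLE_MAP.get(attrs.get("Role ID"), "[Guest]")  # assumed default role

    # 3. Enforcement: (Tips:Role EQUALS [Contractor]) AND (Tips:Posture EQUALS HEALTHY)
    if role == "Contractor" and posture_healthy:
        return {"result": "ACCEPT", "role": role, "enforcement": "Downloadable ACL Access"}
    return {"result": "ACCEPT", "role": role, "enforcement": "[Deny Access Profile]"}  # assumed default


def demo() -> dict:
    """Constructed sample data: one expired device, one valid device, one unknown MAC."""
    now = datetime(2013, 7, 9, 12, 0, tzinfo=timezone.utc)
    repo = GuestDeviceRepository([
        DeviceAccount("00:11:22:33:44:55", role_id=1, expire_time=now - timedelta(hours=1)),  # expired
        DeviceAccount("66:77:88:99:aa:bb", role_id=1, expire_time=now + timedelta(days=1)),   # valid
    ])
    return {
        "allow_all_expired": evaluate_mab("ALLOW_ALL_MAC_AUTH", repo, "00:11:22:33:44:55", now=now),
        "allow_all_unknown": evaluate_mab("ALLOW_ALL_MAC_AUTH", repo, "de:ad:be:ef:00:01", now=now),
        "mac_auth_expired": evaluate_mab("MAC_AUTH", repo, "00:11:22:33:44:55", now=now),
        "mac_auth_valid": evaluate_mab("MAC_AUTH", repo, "66:77:88:99:aa:bb", now=now),
        "mac_auth_unknown": evaluate_mab("MAC_AUTH", repo, "de:ad:be:ef:00:01", now=now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

With the allow-all method the expired device is still authenticated, its Role ID is still fetched, the role maps to Contractor and the ACL is handed out, which is exactly what the original poster observed in Access Tracker; with MAC AUTH the same request is rejected at the authentication step before role mapping runs. Note that the allow-all method also authenticates a MAC that was never registered, and only the (assumed) default enforcement keeps it off the network.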