Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

No Access tracker entry / Captive portal authentication,

  • 1.  No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 01:37 PM

    Hello Folks, 

    I'm running into an odd issue.

    In my guest WiFi environment, I have users self-register through the ClearPass captive portal and get access for 1 day.

    Every day I have 200 to 250 different users who connect fine in the normal scenario: users get access for 24 hours, and then after the time expires the account gets deleted from the Guest DB and a CoA is sent to the controller to disconnect the user from the network.

     

    Along with that, I have a few random users (about 20 users) with the following issue: the account expires after 24 hours BUT is NOT DELETED from the Guest DB.

    Focusing on these affected accounts, I found no Access Tracker entries using the filter "username = <user registration email>".

     

    Please note that working and non-working users are connected through the same SSID, the same controller, and the same network segment.

     

    Please advise.

     



  • 2.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 01:53 PM

    ClearPass Guest will delete a guest account based on the do_expire value in the account.

     

    By default this is set to 1.

     

    Below is a list of the do_expire values:

     

    4 | Delete and logout at specified time
    3 | Delete at specified time
    2 | Disable and logout at specified time
    1 | Disable at specified time

     

    You can set the global action in the Guest Manager (Guest > Configuration > Guest Manager).

    It's also possible to set the do_expire value during the creation of an account. This can be a hidden value in the form or a drop-down list if you want.

     

    You can check this value for an account that is not deleted. This can be done with the 'show details' option in the Manage Accounts menu.



  • 3.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 01:58 PM

    "Show details" for the account that does not get deleted from the DB shows do_expire = 4, which means "Delete and logout at specified time".

     

    As I mentioned, as I have a lot of working users, I'm sure that the configuration is safe.

     

    Is there anything else to check?

     

    Regards,

    Thanks,



  • 4.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 02:09 PM
    Mmm weird.
    Can you check the Application Log in ClearPass Guest? All the delete/create actions (and errors) are logged over there.

    You mentioned a small number of accounts with issues. Are these recently created accounts? Maybe you can try to change the do_expire value to a different value and then back to 4. Maybe it will trigger something.


  • 5.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 02:25 PM

    A few users with the issue appear every day.

    I have been triggering this issue for a couple of weeks, and every time I need to clean up the Guest DB manually to remove the affected accounts.



  • 6.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 02:47 PM
    What version are you running?
    The following issue has been fixed in version 6.7.7:

    Expired guest accounts were not immediately deleted at an expiration event or in accordance with the do-expire profile.

    If you already run version 6.7.7 or later, I would advise you to open a support case.


  • 7.  RE: No Access tracker entry / Captive portal authentication,

    Posted Apr 14, 2019 02:50 PM

    I'm running 6.7.9.

     

    Thank you for all of your feedback.