Contributor I

No Enforcement Profile given in ClearPass

We are in the beginning of a ClearPass rollout, with HP 3800s as our access layer. We have a MAC list for phones, and those are working via MAC-based auth. Right now there is a pilot of one port - mine - using ClearPass. My laptop is plugged into the back of the phone, and although I get online and placed in the correct VLAN, there is no actual enforcement profile given in the Access Tracker. I am also seeing this in the logs:

 

2016-05-06 13:37:26,721[RequestHandler-1-0x7fddcf5fa700 h=5059398 c=R00025174-01-572ce466] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2016-05-06 13:37:26,722[RequestHandler-1-0x7fddcf5fa700 r=R00025174-01-572ce466 h=5059397 c=R00025174-01-572ce466] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - ResultSet is empty
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=Owner]

Any ideas what might be going on there? The only thing I could find on this site was to verify that the Insight Repository was an authorization source in the service, and it is.

 

TIA,

 

Russell

Guru Elite

Re: No Enforcement Profile given in ClearPass

Can you post a screenshot of the expanded output tab? 

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: No Enforcement Profile given in ClearPass

Sure thing. Just in case, here is also the relevant HP switch portion of the config:

 

aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 1/9
aaa port-access authenticator 1/9 quiet-period 5
aaa port-access authenticator 1/9 logoff-period 862400
aaa port-access authenticator 1/9 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 1/9
aaa port-access mac-based 1/9 addr-limit 5
aaa port-access mac-based 1/9 logoff-period 862400
aaa port-access mac-based 1/9 quiet-period 30
aaa port-access mac-based addr-format single-dash
aaa port-access 1/9 mixed

 

Thanks

Guru Elite

Re: No Enforcement Profile given in ClearPass

That looks like the web auth service handling the health check. You should also have a separate MAC auth service.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: No Enforcement Profile given in ClearPass

It fails MAC auth because only the phones are supposed to MAC auth, but here it is failing the MAC auth.

Guru Elite

Re: No Enforcement Profile given in ClearPass

Sorry, I'm not following. So the phone is being MAC authenticated and the laptop is doing 802.1X?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: No Enforcement Profile given in ClearPass

That is correct

Guru Elite

Re: No Enforcement Profile given in ClearPass

What does the expanded output tab of the 802.1X request look like?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: No Enforcement Profile given in ClearPass

That was the first picture I attached.

 

Guru Elite

Re: No Enforcement Profile given in ClearPass

Please export the 802.1X access tracker request and post.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
