Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Subscription ID and guest services

  • 1.  Subscription ID and guest services

    Posted Jan 12, 2016 11:56 AM

    We are running two 6.4.7 ClearPass VMs with 10k policy manager licenses (2291 being used) and 50 enterprise licenses for guest access (4 of which are being used).

     

    Just found out our Subscription ID is expired. We are having an issue with guest users getting invalid username and password errors after completing guest registration.

     

    Nothing has changed and our licenses are ok as well.

     

    My question is does the subscription ID affect the guest access function? Does guest access quit working when the subscription is expired?



  • 2.  RE: Subscription ID and guest services

    Posted Jan 12, 2016 01:19 PM

    The subscription ID only pertains to updates. You should check Access Tracker to find out why the guest authentications are failing.



  • 3.  RE: Subscription ID and guest services

    Posted Jan 12, 2016 01:25 PM

    It just says unknown even after successfully signing up for a Guest account and trying to login.

     

    It worked perfectly fine up until the last month or so, which was roughly when our subscription ended.



  • 4.  RE: Subscription ID and guest services

    Posted Jan 12, 2016 02:43 PM

    We had several instances where the subscription was expired and it never affected auths.

    Something seems pretty wrong looking at those messages. Open a TAC case if you can, which might be tricky if your support expired.



  • 5.  RE: Subscription ID and guest services

    Posted Jan 12, 2016 03:40 PM

    After digging further, here's what I've found out:

     

    It passes authentication if you change the email address, which is what we use for usernames.

     

    I tried 2 different email addresses. The one at yahoo worked, my work email did not. (see screenshot)

     

    This also seems to be happening only on Apple devices.

     

    Android and Windows appear to function just fine.

     

    I have cleared the cache on ClearPass thinking this would help, but I still have issues with the work email being used as a username; the personal email passes authentication.

     

     



  • 6.  RE: Subscription ID and guest services

    EMPLOYEE
    Posted Jan 12, 2016 09:27 PM
    What was the reason for the rejection?


  • 7.  RE: Subscription ID and guest services

    Posted Jan 13, 2016 10:25 AM

    Well, when using a personal email address it updates the endpoint and passes authentication.

     

    When I use a work email address it gives error code 206, sometimes 216 denied by policy.

    We are using MAC caching.

     

    I attached our service rules.



  • 8.  RE: Subscription ID and guest services

    EMPLOYEE
    Posted Jan 13, 2016 10:29 AM
    Are they using their fully qualified username? (username@domain.com)


  • 9.  RE: Subscription ID and guest services

    Posted Jan 13, 2016 10:38 AM

    It used to work fine with work email addresses or personal addresses. Now it is rejecting them for some unknown reason.

    I even increased the number of unique devices able to connect, deleted all cached sources, and deleted all guest accounts, and I am still having issues.

    We never had to use a qualified username in the past and it just worked.

    We created an AD group to allow service desk staff to log in without creating a full account to register mobile devices with Airwatch. That's why it looks to AD.



  • 10.  RE: Subscription ID and guest services

    EMPLOYEE
    Posted Jan 13, 2016 10:44 AM

    It's likely because your auth source is using sAMAccountName, which will not match UPN.

     

    Duplicate your AD auth source and change the authentication filter to this:

     

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))


     

    Add that to your web login service and see if it works for you.

     

    We can't use strip username rules in this case because of the guest emails.