Security

I am having devices that all of a sudden will not use NAC and it is under one of two conditions.

1. If the device has more than one certificate and one of them is not a client auth or doesn't have email as the subject name or

2. The device has two client auth certificates and one of them is expired.

 

In both cases there was not an issue for several weeks and then all of a sudden the device stops working.

What operating system? The client selects the certificate, ClearPass just looks at it.

Does it reach Clearpass ? If yes, what is the output of this MAC in the access tracker. 

 

If it doesn't you might want to look at 802.1X debugging on the controller which you can find in this document under the 802.1X section : http://community.arubanetworks.com/aruba/attachments/aruba/84/106/1/Troubleshooting+Cheat+Sheet-.pdf

 

 

 

The clients are Windows 7

Yes I understand that the client selects but if the computer has an old Computer Template Certificate all of a sudden clearpass will try and authenticate using that certificate instead of rejecting it and asking for another.  Other uses of certificates don't behave this way they understand a particular certificate is expired and asks for another one.

This isn't a Clearpass specific issue, there is no way for a RADIUS server to achieve this. The RADIUS server will send an access-reject packet since the cert is expired. You will need to work with this issue straight from the CA and AD cert enrollments.

Can you post a screenshot of the authorization and computed sections of the access tracker request?