Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

mac authentication with clearpass

  • 1.  mac authentication with clearpass

    Posted Aug 04, 2017 01:18 PM

    I'm trying to do something really simple: MAC authentication with ClearPass.

    If the user has the MAC in the endpoint repository with device type staff, it's good.

    If the endpoint does not have this device type staff, it would get the default policy, which is deny access.

    I see on ClearPass that it is doing what it should: if it has the device type it is authenticating; if it does not have it, it gives it the deny profile and rejects it.

    But on the controller I see the user connect even if ClearPass sends it a deny profile, and I don't get what's wrong with it.

    On the controller it is getting the initial role.

    Here is the service

    [Screenshots: isp1.PNG, isp2.PNG, isp3.PNG, isp4.PNG, isp5.PNG]



  • 2.  RE: mac authentication with clearpass
    Best Answer

    Posted Aug 04, 2017 01:37 PM
    Do you have a denyall role as an initial role?



  • 3.  RE: mac authentication with clearpass

    EMPLOYEE
    Posted Aug 04, 2017 01:42 PM

    Also, be sure the role you're returning exists on the controller.



  • 4.  RE: mac authentication with clearpass

    Posted Aug 04, 2017 01:47 PM
    No, so it takes the initial role if ClearPass denies it?
    But I thought that it would just reject him, not assign it the initial role.

    Does this consume a Policy Manager license? Even if it rejects it? I understand that it only consumes it if in ClearPass the auth is successful.


  • 5.  RE: mac authentication with clearpass
    Best Answer

    EMPLOYEE
    Posted Aug 04, 2017 01:48 PM

    Rejected MAC authentications will drop the user to the initial role. Rejected authentications do not consume base licenses.



  • 6.  RE: mac authentication with clearpass

    Posted Aug 04, 2017 02:22 PM

    Thanks Tim, Victor, I just didn't know that it took the initial role when the user was rejected by ClearPass. I thought that the controller would just not let him connect...

    Anyway, when I put the denyall role it won't let him connect anyway... I thought I would see it in the user table with the deny role, but it is not like that either... now those PCs are not able to connect.

    Thank you again!



  • 7.  RE: mac authentication with clearpass
    Best Answer

    Posted Aug 04, 2017 02:35 PM
    The user will need to have an IP to show up in the user table, and the denyall is denying everything, including DHCP.



  • 8.  RE: mac authentication with clearpass

    Posted Aug 04, 2017 02:41 PM

    True that.

    That was a silly question....

    Cheers

    Carlos