mac authentication with clearpass

I'm trying to do something really simple, and it is a MAC authentication with ClearPass.

If the user has the MAC in the endpoint repository with device type staff, it's good.

If the endpoint does not have this device type staff, it would get the default policy, which is deny access.

I see on the ClearPass that it is doing what it should: if it has the device type it is authenticating; if it does not have it, it gives it the deny profile and rejects it.

But on the controller I see the user connect even if the ClearPass sends it a deny profile, and I don't get what's wrong with it.

On the controller it is getting the initial role.

Here is the service:

[Attached screenshots: isp1.PNG, isp2.PNG, isp3.PNG, isp4.PNG, isp5.PNG]


----------------------------------------------------
Project engineer

MVP Expert

Re: mac authentication with clearpass

Do you have a denyall role as an initial role?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Moderator

Re: mac authentication with clearpass

Also, be sure the role you're returning exists on the controller.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Re: mac authentication with clearpass

No, so it takes the initial role if the ClearPass denies it?
But I thought that it will just reject him, not assign it the initial role.

Does this consume a Policy Manager licence? Even if it rejects it? I understand that it only consumes it if in ClearPass the auth is successful.
----------------------------------------------------
Project engineer
Moderator

Re: mac authentication with clearpass

Rejected MAC authentications will drop the user to the initial role. Rejected authentications do not consume base licenses.




| Aruba Alumni | @timcappalli | timcappalli.me |


Re: mac authentication with clearpass

Thanks Tim, Victor, I just didn't know that it took the initial role when the user was rejected by ClearPass. I thought that the controller will just not let him connect...

Anyway, when I put the denyall role it won't let him connect anyway... I thought I would see it in the user table with the deny role, but it is not like that either. Now those PCs are not able to connect.

Thank you again!

----------------------------------------------------
Project engineer
MVP Expert

Re: mac authentication with clearpass

The user will need to have an IP to show up in the user table, and the denyall is denying everything, including DHCP.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA


Re: mac authentication with clearpass

true that

That was a silly question....

Cheers

Carlos

----------------------------------------------------
Project engineer