Security

Hello Everyone,

I have a service in my CPPM for mac based VLAN allocation. It is accepting requests from users connected to a specific switch and telling them which vlan they are depending on some attributes like 'OS Family', etc.

This was working perfectly a few weeks ago, but not anymore since I am trying to re-do some tests this morning. I installed the cumulative patch 2 yesterday.

The difference I can see when I compare the requests which were working and the ones wich not in access tracker is the 'Authentication Source'. It is now 'None' and was 'Local:Localhost' before.

Also, I don't have any authorization attributes anymore in the request despite the fact that the endpoint has been profiled.

Hope you can help me.

Thanks in advance,

- nice2k

You need to add an authentication source to your service.  The Endpoints repository?  You also might want to open up a case to determine why the patch changed things.

Hello,

Thanks for your answer.

I already have the Endpoints Repository as an Authentication source. I also tried to recreate the service without success...

Does the Access tracker say that it is still being handled by the same service?

Yes, here are some screen captures.

It looks like it is sending back the VLAN 13 enforcement profile.  What is in that enforcement profile?

Yes, it is an enforcement profile just to put the user in the vlan 13. I have one for each vlan and this one is the default profile.

My enforcement policy says : If this user is os OS Family, put it in the vlan 10.

It is putting the user in the vlan 13 because it's the default enforcement profile (he can't find the OS Family attribute, I don't see the authorization attributes anymore in the computed attributes) 

Well,

Does an OS family exist for that endpoint in the Endpoints repository?  If the device does not exist or it does not have an OS family, that attribute will not show up or be keyed on.  If it is a new device and it has never sent DHCP information to CPPM, it would not be aware of the OS family, because it does not have that information.

Yes, the device has been profiled and has the attribute OS Family...

Please open up a support case.  That is all that you are supposed to do.

Okay, thanks for your help.

Okay, I restored the configuration from a 1 week old backup and it worked.

- nice2k

Was it any different that you could tell?

Don't think so... At least the service and Policy. The only thing I suspect to be different is the selection of the vendor indication on the 'Device' entry.

I have a Cisco switch and I think it was on 'Aruba'. Not sure though.

- nice2k

Glad to hear it is solved.

Me too ! It's working perfectly now :)