Wireless Access

Occasional Contributor II

Clearpass 802.1X User Auth plus MAC Authz

Read a few topics here and still not quite able to get what I need working.

 

I have Clearpass joined to AD and an 802.1X network authenticating via AD just fine.

 

I have a mac_create.php portal where I can register a device and assign a role. The device goes into the Managed Devices. If I MAC auth this device, the authorization attributes come through.

 

What I'm trying to get to happen is a VLAN or role specification based on, I don't really care who the user who authenticates is, as long as they authenticate successfully, but then check the connecting device's MAC Address against the device repository for the device's appropriate role.

 

I get a successful 802.1X user authentication but Access Tracker never shows the device's authz attributes, I assume because I'm authenticating a user, not the device. Not really sure where I'm going wrong.

 

I've tried using both AD and the guest device repository as authentication sources, but having the guest device repository in there seems to break my user auth, and having guest user, or guest device, or any of those in authorization, again, I'm not pulling the device's authorization info during the auth.

 

This is in an MM Based AOS 8 environment.

 

Please help

MVP Expert

Re: Clearpass 802.1X User Auth plus MAC Authz

Did you add the guest device repository as an authorization source?

Can you share your role mapping rules and enforcement policies?



Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Clearpass 802.1X User Auth plus MAC Authz

Yes I've added Guest Device Repo as both authen and as authorization separately.

 

See attached images; in Access Tracker, under Input, the guest device repository does not show attributes.

 

 

 

MVP Expert

Re: Clearpass 802.1X User Auth plus MAC Authz

Change your role mapping to use [Guest Device Repository] = Role ID = “role id” = “Tips role” instead of GuestUser



Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Clearpass 802.1X User Auth plus MAC Authz

I could've sworn I'd tried that. I'm wondering, though, why the information would not have shown up in access tracker under input having had the guest device repository listed? I would have thought I would have at least seen potential authorization information that I could've gleaned appropriate config parameters from. Is that incorrect?

MVP Expert

Re: Clearpass 802.1X User Auth plus MAC Authz

The [Guest Roles] role mapping should be (GuestUser:Role ID EQUALS "role id"), but when you define it in your 802.1X role mapping, you will need to use (Authorization:[Guest Device Repository]:Device Role ID EQUALS "role id").

 

See below:

[Attached screenshots: 2019-12-12 20_43_56-ClearPass Policy Manager - Aruba Networks.png, 2019-12-12 20_51_57-ClearPass Policy Manager - Aruba Networks.png, 2019-12-12 20_44_48-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA