
Wired 802.1x service not working as expected

  • 1.  Wired 802.1x service not working as expected

    Posted Apr 25, 2022 10:47 AM
    Hey Team!

    I am trying to deploy a wired 802.1X solution with my Aruba ClearPass 6.9.7. I am not able to cache the role assigned by the first machine authentication when I am authenticating as a user. I really need to keep the role linked with the endpoint at least until the user authentication.

    I have checked the checkbox "Use cached Roles and Posture attributes from previous sessions", but it still does not save the role. I tried extending the cluster-wide parameter "Policy result cache timeout" to 15 minutes, without result.

    Do I have to do anything special on the role mapping side? How can I keep the role saved?

    Thanks!


    ------------------------------
    Unai Abrisqueta
    ------------------------------


  • 2.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted May 05, 2022 09:38 AM
    Do you see [Machine Authenticated] as role after the computer authentication?

    You should not do anything to keep the [Machine Authenticated] role cached. In the subsequent user authentication you should see both [User Authenticated] and [Machine Authenticated] under the roles in Access Tracker.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:50 AM
    Hi Herman,

    I see both roles cached; the problem is that I don't see my custom role being cached, although the role is assigned to the endpoint in the machine authentication, which takes place first.

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 4.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:52 AM
    The roles assigned by the system, such as [Machine Authenticated] and [User Authenticated], are cached, but I am not able to force ClearPass to cache my custom role. Is there any way to do it?

    ------------------------------
    Unai Abrisqueta
    ------------------------------



  • 5.  RE: Wired 802.1x service not working as expected

    EMPLOYEE
    Posted May 20, 2022 09:51 AM
    Caching of your own roles is achieved with the tickbox: "Use cached Roles and Posture attributes from previous sessions" that is in the Enforcement tab of your service.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: Wired 802.1x service not working as expected

    Posted May 06, 2022 11:11 PM

    Either you have to deploy EAP-TEAP,

    or

    1. create a new Endpoint attribute to indefinitely flag the MAC address that has passed [Machine Authenticated] once
    2. assign the flag via an enforcement profile
    3. use reauthentication / CoA and use authorization:endpointrepository:flag=true






  • 7.  RE: Wired 802.1x service not working as expected

    Posted May 09, 2022 04:57 AM
    I guess that there should be a way to do it without creating a dumb attribute. It is strange to me to see that CP is able to cache system-generated roles and not the custom roles.

    ------------------------------
    Unai Abrisqueta
    ------------------------------