Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Caching Auths

  • 1.  Clearpass Caching Auths

    Posted Aug 31, 2022 02:38 PM
    Hello, I need to know how to limit caching of authentication attempts for certain user roles in Clearpass. I have a network where if the user is denied access, they are sent to a captive portal page which instructs them how to gain access. The problem is, once they gain access, they are not reauthing to the SSID, so they aren't getting their new role.

    For example, the user connects at 10:30am and gets put into the unregistered role. They follow the steps to register their computer and try to connect again at 11:00am. They are still stuck in the unregistered role at that time. When I look at the access tracker, I have a log for the 10:30am auth, but nothing for the attempt at 11am. They will not get the new registered role until the reauth.

    Any idea how I can make sure that every time a device tries to connect with a certain role, their authentications are not cached until they get a registered role?

    Thanks for your help!


  • 2.  RE: Clearpass Caching Auths

    Posted Aug 31, 2022 03:25 PM
    Are you sure this isn't the Mobility Controller caching the authentication attempt? What if you manually clear the user from the CLI?


  • 3.  RE: Clearpass Caching Auths

    Posted Sep 01, 2022 09:37 AM
    It's possible. Any ideas where to look to see if it's the controller that's caching the authentication attempt?

    I have only tried deleting it as an endpoint in Clearpass, although that would be an untenable solution as it applies to many users connecting to this SSID.


  • 4.  RE: Clearpass Caching Auths

    Posted Sep 01, 2022 11:26 AM
    1. Disconnect the device.
    2. Issue "show users" from the MC CLI.
    3. Is the user still there?



  • 5.  RE: Clearpass Caching Auths

    EMPLOYEE
    Posted Sep 01, 2022 04:30 AM
    What you can do is use a WebAuth captive portal login to trigger a Change-of-Authorization for the user, which disconnects the user from the network and forces a re-authentication.

    What is the authentication on the SSID itself? Open/WPAx-PSK/WPAx-Enterprise?

    Another option may be to return a very short 'IETF:Session-Timeout', like 60 or 120 (seconds), which triggers a reauthentication on the controller/AP.

    If your question is still not answered, please share more information about your SSID configuration, Services created in ClearPass, where/how you administer the user roles, if that is done based on MAC address or user authentication, etc. The workflow is important in this. If you don't want to share the workflow publicly, please contact your Aruba partner or Aruba support.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
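The two mechanisms suggested above (returning a short IETF:Session-Timeout in the Access-Accept, and sending a RADIUS Disconnect-Request, the CoA message defined in RFC 5176, to force a re-authentication) are both just RADIUS attributes on the wire. The following is an added example, not code from the thread or from ClearPass, that encodes and decodes those packets with the standard library so that a capture on the RADIUS/CoA ports can be checked against what the NAS should be receiving. The shared secret, identifiers, MAC address and role name are constructed values; the Aruba-User-Role VSA (vendor 14823, sub-type 1) and the attribute numbers are the standard ones.

```python
import hashlib
import hmac
import struct

# Constructed values for this example only; a real deployment uses its own secret.
SHARED_SECRET = b"example-shared-secret"

ACCESS_ACCEPT = 2          # RFC 2865 packet codes
DISCONNECT_REQUEST = 40    # RFC 5176 (CoA) packet code
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
ARUBA_VENDOR_ID = 14823    # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1        # Aruba-User-Role VSA sub-type


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_packet(code: int, identifier: int, seed: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble header + authenticator + attributes.

    The authenticator is MD5(Code|ID|Length|seed|Attributes|Secret) where seed is
    the Request Authenticator for a response, or 16 zero bytes for a CoA request.
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + seed + attrs + secret).digest()
    return header + authenticator + attrs


def access_accept(identifier: int, request_authenticator: bytes, role: str,
                  session_timeout: int, secret: bytes = SHARED_SECRET) -> bytes:
    """Access-Accept carrying Aruba-User-Role and a short Session-Timeout (seconds)."""
    attrs = vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode())
    attrs += attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    return build_packet(ACCESS_ACCEPT, identifier, request_authenticator, attrs, secret)


def disconnect_request(identifier: int, mac: str, secret: bytes = SHARED_SECRET) -> bytes:
    """Disconnect-Request keyed on Calling-Station-Id, with Message-Authenticator.

    RFC 5176: the HMAC-MD5 is computed with the Request Authenticator and the
    Message-Authenticator value both zeroed, then the Request Authenticator is
    computed over the finished attribute list.
    """
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode())
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs) + len(placeholder))
    digest = hmac.new(secret, header + bytes(16) + attrs + placeholder, hashlib.md5).digest()
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, digest)
    return build_packet(DISCONNECT_REQUEST, identifier, bytes(16), attrs, secret)


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes this example cares about; unknown types are skipped."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_CALLING_STATION_ID:
            out["Calling-Station-Id"] = value.decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor == ARUBA_VENDOR_ID and vendor_type == ARUBA_USER_ROLE:
                out["Aruba-User-Role"] = value[6:4 + vendor_len].decode()
        pos += length
    return out


def verify_authenticator(packet: bytes, seed: bytes, secret: bytes) -> bool:
    """Recompute the (Response or Request) Authenticator and compare in constant time."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + seed + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator from the NAS
    accept = access_accept(7, req_auth, "unregistered", 60)
    print(parse_attributes(accept), verify_authenticator(accept, req_auth, SHARED_SECRET))
    coa = disconnect_request(9, "00-11-22-33-44-55")
    print(parse_attributes(coa), verify_authenticator(coa, bytes(16), SHARED_SECRET))
```

The check this enables: if the enforcement profile has Session-Timeout set but the client still sits in the old role, decoding the Access-Accept from a capture shows whether the attribute actually left ClearPass (a Services/enforcement mismatch) or whether it arrived and the controller simply kept its user-table entry, which is what the `show users` step in the thread is probing. The Disconnect-Request side shows why CoA needs the shared secret configured on both ends: without the matching secret the Request Authenticator and Message-Authenticator fail verification and the NAS discards the packet.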



  • 6.  RE: Clearpass Caching Auths

    Posted Sep 01, 2022 09:46 AM

    I shouldn't have called it a captive portal page. It works the same way, but is just an IP subnet we put users in that can only get to a page that tells them the device is unregistered. Same function, but it is set up through my DHCP server.

    I added an IETF:Session-Timeout of 60 seconds to the enforcement profile, but it doesn't appear to be working any differently.

    The network is an Open SSID that uses MAC authentication and static host lists to give devices access. If the device is in none of the static host lists, it gets put into a "black hole" subnet, which only allows the device to get to a page that says it is not registered. That's where many devices are getting stuck until they reauth. This is ok for devices that are registered, but for the devices that fail through to the unregistered subnet, they need to reauth every time they reconnect, if possible.

    Hopefully that answers some of the workflow question, but if not, I can provide more specific details.

    Thanks!




  • 7.  RE: Clearpass Caching Auths

    Posted Sep 01, 2022 03:30 PM
    You could return a session-timeout value from ClearPass when an unregistered device connects.


    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------