
Clearpass - Failed to get value for attributes=[Hostname]

  • 1.  Clearpass - Failed to get value for attributes=[Hostname]

    Posted Jun 29, 2022 04:22 AM

    Hello there!

    We are currently moving all our Access Points from a Mobility Controller without Clearpass to another one with Clearpass Policy Manager.

    Now we are facing a problem: some clients cannot connect to the SSID ".._Enterprise".

    One rule for the Role-Mapping is asking for the hostname:


    VLAN will be applied through enforcement policy.

    Now we are having an issue where some clients don't submit their hostname to ClearPass:


    It seems that these clients cannot be profiled correctly.

    In most other cases the same Service works fine and the clients can connect to the SSID.

    All core switches of the locations have their ip-helper address in the corresponding VLANs.

    Authorization Source is the Endpoint Repository.

    Now we are wondering what the problem could be. Is it a configuration problem?

    Maybe someone has some helpful ideas on where to check.

    Regards,



  • 2.  RE: Clearpass - Failed to get value for attributes=[Hostname]

    Posted Jun 29, 2022 10:54 AM
    This is a chicken+egg scenario. How will the client do DHCP if it can't join the wireless network? Why are you using endpoint-hostname? What is your EAP-Type?


  • 3.  RE: Clearpass - Failed to get value for attributes=[Hostname]

    Posted Jul 01, 2022 10:45 PM
    First, you cannot expect an end-device to send a hostname value if the end-device hasn't passed the authentication.

    Second, I will always avoid putting Hostname as an attribute to check against, because hostnames are unpredictable, right?

    So, better that you use these kinds of authz attributes:




  • 4.  RE: Clearpass - Failed to get value for attributes=[Hostname]

    Posted Jul 01, 2022 10:51 PM
    And note that those attributes won't be available for use until it has passed the authentication first (obviously, right, because they are authz (authorization), not authc (authentication) attributes).

    You may need to check:
    - what you assign as the enforcement profile, check if you configure the dACL correctly (if any);
    - the end-device, is it initiating any traffic prior to authentication (check from the switch);
    - the SSID configuration in the WLC or any standalone AP, is it configured correctly to accommodate the authentication you want?;
    - When you said "In most other cases the same Service works fine and the clients can connect to the SSID.", are the other Service the same device as the problematic one?