Security

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

I'm confused as to what you are doing.  Known vs Unknown is used by MAC auth and the endpoint database cleanup criteria.  The setting shouldn't have any impact for TEAP since you're using credentials with TLS or PEAP.  After you've successfully authenticated the device use an endpoint action to automatically mark the endpoint as known if that is what you need to do.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hello @chulcher

The problem is that the device is not authenticated properly as the dock has a different ethernet Mac address. That is conflicting with the existed one on Intune. 

I am going to work on the machine auth then since that is my only roadblock as of right now. 

I'm confused as to what you are doing.  Known vs Unknown is used by MAC auth and the endpoint database cleanup criteria.  The setting shouldn't have any impact for TEAP since you're using credentials with TLS or PEAP.  After you've successfully authenticated the device use an endpoint action to automatically mark the endpoint as known if that is what you need to do.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Is there something in the role mapping policy that is evaluating the endpoint status?  I see nothing in the enforcement policy.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hey @chulcher

I am in the role mapping policy that is evaluating the endpoint status. In the wired_teap_testing group, I am only putting the device name ocisse-dx15. 

I have tested another policy. Here is the screenshots.

In that case, only the machine should be authenticated. But Clearness is still rejecting me. Maybe I should find a way to auth all endpoints that has a hostname that I can find in intune. 

Is there something in the role mapping policy that is evaluating the endpoint status?  I see nothing in the enforcement policy.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Not seeing anything that would make Known vs Unknown cause problems.  But if you are failing the session based on the device not being found in Intune, that could be the issue.

When the Intune extension was originally deployed we did a search based on the MAC address, which eventually wasn't good enough because of the reasons that you are running in to, the usage of temporary network connections or randomized MAC addresses.  The new versions of the extension should be doing the lookup of the device based on information from the certificate that is used as the 802.1X credentials.

Make sure you are using the latest version of the extension and have updated your policies to follow the new requirements.

https://arubanetworks.com/clearpassdocs

ClearPass - Microsoft Intune Technote

Hey @chulcher

I am in the role mapping policy that is evaluating the endpoint status. In the wired_teap_testing group, I am only putting the device name ocisse-dx15. 

I have tested another policy. Here is the screenshots.

In that case, only the machine should be authenticated. But Clearness is still rejecting me. Maybe I should find a way to auth all endpoints that has a hostname that I can find in intune. 

Is there something in the role mapping policy that is evaluating the endpoint status?  I see nothing in the enforcement policy.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

@chulcher

So it is not getting any role when I sign out but when I log in it gets the appropriate role.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

If no roles are getting assigned when only method 1 is successful, then I'm not seeing an enforcement filter in your screenshots that matches those conditions, which would result in the default action taking place.

@chulcher

So it is not getting any role when I sign out but when I log in it gets the appropriate role.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

@chulcher My machine is in the Test_Teap_machine_auth role. When I log-in I hit the first one which is working but when I sign out, I should hit the second one. Correct?

Or I am going completely wrong about this.

If no roles are getting assigned when only method 1 is successful, then I'm not seeing an enforcement filter in your screenshots that matches those conditions, which would result in the default action taking place.

@chulcher

So it is not getting any role when I sign out but when I log in it gets the appropriate role.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

1. When the computer turns on and initially connects, there should be an entry in the access tracker.
2. When you login to the machine, there should be another entry in the access tracker.
3. When you log back out, there should be another entry in the access tracker.

Steps 1 and 3 should have the same result.  All three steps should be resulting in some role mapping happening.  You just said "not getting any role".  So, what roles are getting assessed and assigned to the sessions?

@chulcher My machine is in the Test_Teap_machine_auth role. When I log-in I hit the first one which is working but when I sign out, I should hit the second one. Correct?

Or I am going completely wrong about this.

If no roles are getting assigned when only method 1 is successful, then I'm not seeing an enforcement filter in your screenshots that matches those conditions, which would result in the default action taking place.

@chulcher

So it is not getting any role when I sign out but when I log in it gets the appropriate role.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks

@chulcher sorry about the confusion. 

Step 2 is that when it get Test_Teap-machine_auth

This is step 1 and 2. Clearpass is putting it into Other which has a policy to reject. 

1. When the computer turns on and initially connects, there should be an entry in the access tracker.
2. When you login to the machine, there should be another entry in the access tracker.
3. When you log back out, there should be another entry in the access tracker.

Steps 1 and 3 should have the same result.  All three steps should be resulting in some role mapping happening.  You just said "not getting any role".  So, what roles are getting assessed and assigned to the sessions?

@chulcher My machine is in the Test_Teap_machine_auth role. When I log-in I hit the first one which is working but when I sign out, I should hit the second one. Correct?

Or I am going completely wrong about this.

If no roles are getting assigned when only method 1 is successful, then I'm not seeing an enforcement filter in your screenshots that matches those conditions, which would result in the default action taking place.

@chulcher

So it is not getting any role when I sign out but when I log in it gets the appropriate role.

Thanks

What role(s), if any, are getting applied to the session?

Thanks @jonas.hammarback for your feedback. 

I have partially made it work. I have disabled auth requirement since every user is going to be on site.  

Now, my enforcement profiles are not working properly. Clearness is rejected me even though, I am machine auth. I am not sure why for now. 

I want to rely on enforcements for the rest of the configurations. 

Hi

From the screenshots of your policies I can't see anything related to the MAC addressen and they look OK as far as I can see.

One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

In the 802.1x sevrice, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

On the switch side, do you have a configuration performing MAC auth before the the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling, Slightly later the client will perform the 802.1x authentication, maybe this situation could cause issues. But it depends on how the switch prioritize between MAC authentication and 802.1x.

Hello @jonas.hammarback

Maybe that is a good idea. I could put a place a polices that evaluate when a device a marked unknown. I will look at that option. 

Here are my enforcement and roles screenshots.

I already have devices sync from Intune. But when I pug into the dock, it gets a different Mac address from the dock ethernet card. So Clearness think it is a new device and does not know how to classify it.

You can see from the screenshot that second one is known and the first one is from the docking station. 

Thanks

Hi

Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.

Hello Guys,

I have configured Teap successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wire side. 

At my company we use docking station to plug in our ethernet cable and the docking station as a different MAC address than the wireless one. Every time I tried a new dock,

Clearpass associated the host name to the dock Mac-address but it come up as unknown in the endpoint. 

Unless, I make that Mac-address know, Clearness would always reject the computer on the TEAP config. Should I configure the teap differently because it is impossible to note

every docking station mac-address.

Any help would be appreciated.

Thanks