Security

 View Only

  • 1.  Clearpass MAB not working for unknown endpoint

    Posted Jan 08, 2026 09:26 AM

    Hi everyone, 
    I have a weird behaviour with Clearpass. My MAB service is not working properely. When an endpoint, which is profiled is authenticating, I have the error Endpoint repository localhost : user not found. My endpoint reository is used for authentication and authorization source. I can see in the access tracker that Clearpass is able to view all attributes endpoints (for authorization I guess), but because of the authentication failing, the deny profile is sent. 
    As I looked closer in the endpoint source, I saw that the filter is configured as : SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND status = 'Known' clearpass
    I'm thinking that why it can anthenticate, but it is a weird behaviour. I confirm that in method I have Allow All Mac Auth
    Did anyone have encounter this issue ? 



    -------------------------------------------


  • 2.  RE: Clearpass MAB not working for unknown endpoint

    Posted Jan 08, 2026 09:41 AM

    Hi

    This is by design. The difference between MAC Auth and Allow All Mac Auth is that the status must be Known if you are using the MAC auth method. This method is designed for use cases like Captive portal logon for guests, where the device is first unknown and then during the logon process the MAC address is marked as Known.

    Change to the Allow All Mac Auth authentication method and create authorization rules in role mapping and enforcement policy to only allow the correct types of devices, maybe based on the profiling information.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass MAB not working for unknown endpoint

    Posted Jan 08, 2026 09:52 AM

    Hi Jonas, 
    Thanks for your reply. 
    My method is already with Allow all mach auth, and I have still the issue. 

    Regards,

    image
    Regards,
    image
    image
    image
    -------------------------------------------

    Original Message


  • 4.  RE: Clearpass MAB not working for unknown endpoint

    Posted Jan 08, 2026 09:58 AM

    The message related to the Endpoints Repository and User not found can be ignored, this is only informational.

    Applied 'Reject' profile is the message you see when there are no applicable rules in the enforcement policy.

    My guess is that you must implement rules in the role mapping and enforcement policies to handle this specific type of client.
    Can you include screenshots of the role mapping policy, enforcement policy and all the input attributes from Access Tracker?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------

    Original Message


  • 5.  RE: Clearpass MAB not working for unknown endpoint

    Posted Jan 08, 2026 02:32 PM

    You have a role assigned of [User Authenticated] and a profile of [Deny Access Profile].

    The MAC auth is working, as expected, but your enforcement policy isn't matching any rule that is returning anything that would allow the session.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------

    Original Message


  • 6.  RE: Clearpass MAB not working for unknown endpoint
    Best Answer

    Posted Jan 09, 2026 04:00 AM

    As Jonas and Carson mentioned,
    it is not an authentication error; the server is functioning as intended.
    You can recognize this by the message in the Alert section in Access Tracker – "Access denied by policy." No condition in enforcement is being met, and the server is using the default policy [Deny Access Profile].


    Double-check your role mapping and enforcement.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------

    Original Message


  • 7.  RE: Clearpass MAB not working for unknown endpoint

    Posted Jan 12, 2026 10:08 AM

    Hi,

    Thank you Jonas, Carson and Waldemar,

    You were right. In the enforcement policy, I had also "and Authentication Source EQUALS Endpoint Repository". So that's why it was sending the denied profile. I made the correction and now it's working as it should be.

    Regards,

    Ulrich 

    -------------------------------------------

    Original Message


Related Content