You were right. In the enforcement policy, I had also "and Authentication Source EQUALS Endpoint Repository". So that's why it was sending the denied profile. I made the correction and now it's working as it should be.
-------------------------------------------
Original Message:
Sent: Jan 09, 2026 04:00 AM
From: Lord
Subject: Clearpass MAB not working for unknown endpoint
As Jonas and Carson mentioned, it is not an authentication error; the server is functioning as intended.
You can recognize this by the message in the Alert section in Access Tracker – "Access denied by policy." No condition in enforcement is being met, and the server is using the default policy [Deny Access Profile].

Double-check your role mapping and enforcement.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 08, 2026 02:31 PM
From: chulcher
Subject: Clearpass MAB not working for unknown endpoint
You have a role assigned of [User Authenticated] and a profile of [Deny Access Profile].
The MAC auth is working, as expected, but your enforcement policy isn't matching any rule that is returning anything that would allow the session.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 08, 2026 09:51 AM
From: ulrich
Subject: Clearpass MAB not working for unknown endpoint
Hi Jonas,
Thanks for your reply.
My method is already Allow All Mac Auth, and I still have the issue.
Regards,
Original Message:
Sent: Jan 08, 2026 09:41 AM
From: jonas.hammarback
Subject: Clearpass MAB not working for unknown endpoint
Hi
This is by design. The difference between MAC Auth and Allow All Mac Auth is that the status must be Known if you are using the MAC auth method. This method is designed for use cases like Captive portal logon for guests, where the device is first unknown and then during the logon process the MAC address is marked as Known.
Change to the Allow All Mac Auth authentication method and create authorization rules in role mapping and enforcement policy to only allow the correct types of devices, maybe based on the profiling information.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 08, 2026 08:02 AM
From: ulrich
Subject: Clearpass MAB not working for unknown endpoint
Hi everyone,
I have a weird behaviour with Clearpass. My MAB service is not working properly. When an endpoint which is profiled is authenticating, I have the error Endpoint repository localhost : user not found. My endpoint repository is used as authentication and authorization source. I can see in the access tracker that Clearpass is able to view all endpoint attributes (for authorization I guess), but because of the authentication failing, the deny profile is sent.
As I looked closer at the endpoint source, I saw that the filter is configured as: SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND status = 'Known'
I'm thinking that is why it can authenticate, but it is a weird behaviour. I confirm that in method I have Allow All Mac Auth.
Has anyone encountered this issue?
-------------------------------------------
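The outcome this thread arrives at, as an added example that is not part of any post and is not ClearPass code: a small Python/sqlite3 model that runs the quoted endpoint filter against constructed rows and then evaluates an enforcement rule with and without the extra Authentication Source condition. The `category` column, the authorization query, the rule lists, the "Printer Access" profile name and the behaviour that no authentication source is recorded when the filter returns no row are all assumptions made for illustration.

```python
import sqlite3

# Filter quoted in the thread; the %{Connection:...} variable becomes a bound parameter.
AUTH_FILTER = ("SELECT mac_address AS User_Password FROM tips_endpoints "
               "WHERE mac_address = LOWER(?) AND status = 'Known'")
# Assumed authorization lookup: reads attributes without the status restriction.
AUTHZ_QUERY = "SELECT category FROM tips_endpoints WHERE mac_address = LOWER(?)"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips_endpoints (mac_address TEXT, status TEXT, category TEXT)")
    # Constructed sample rows.
    db.executemany("INSERT INTO tips_endpoints VALUES (?, ?, ?)",
                   [("aabbcc000001", "Known", "Printer"),
                    ("aabbcc000002", "Unknown", "Printer")])
    return db

def build_request(db, mac, method):
    """Model of the attributes available to enforcement (not ClearPass code)."""
    known = db.execute(AUTH_FILTER, (mac,)).fetchone() is not None
    row = db.execute(AUTHZ_QUERY, (mac,)).fetchone()
    return {
        # MAC Auth needs a Known match; Allow All MAC Auth accepts without one.
        "accepted": known or method == "Allow All MAC Auth",
        # Assumption: the source is only recorded when the filter returned a row.
        "auth_source": "Endpoint Repository" if known else None,
        "category": row[0] if row else None,
    }

def enforce(request, rules, default="[Deny Access Profile]"):
    """Return the profile of the first rule whose conditions all match, else the default."""
    if not request["accepted"]:
        return "REJECT"
    for conditions, profile in rules:
        if all(request.get(k) == v for k, v in conditions.items()):
            return profile
    return default

# Hypothetical rules: the second list drops the extra authentication-source condition.
RULES_BEFORE = [({"category": "Printer", "auth_source": "Endpoint Repository"}, "Printer Access")]
RULES_AFTER = [({"category": "Printer"}, "Printer Access")]

if __name__ == "__main__":
    db = make_db()
    for mac in ("AABBCC000001", "AABBCC000002"):
        req = build_request(db, mac, "Allow All MAC Auth")
        print(mac, enforce(req, RULES_BEFORE), "->", enforce(req, RULES_AFTER))
```

In this model the Unknown endpoint is accepted by Allow All MAC Auth but falls through to the default deny profile until the authentication-source condition is removed from the rule.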