Security

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:
And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas






------------------------------
Tomas Backo
------------------------------

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick
------------------------------

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------

Hi Zak,

thank you for your time. We are using tunneled-node-server configuration, so my enforcement profile looks like this:

I am not sure, how do you mean it  - I am unable to send radius:ietf value using above profile to switch. Also, on the switch itself, I can see that username and role mapping is correctly updated after user authentication. Just WLC seems to not be updated - but I am not sure how I can update WLC - as the only interaction between ClearPass and WLC is via Switch downloadable user role profile displayed above.

Thank you for you help!
Tomas

------------------------------
Tomas Backo
------------------------------

Original Message:
Sent: Oct 30, 2020 08:33 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------

Create another enf profile to send back the username. It doesn't matter if it is a switch or WLC.

------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP
------------------------------

Original Message:
Sent: Nov 03, 2020 05:02 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi Zak,

thank you for your time. We are using tunneled-node-server configuration, so my enforcement profile looks like this:

I am not sure, how do you mean it  - I am unable to send radius:ietf value using above profile to switch. Also, on the switch itself, I can see that username and role mapping is correctly updated after user authentication. Just WLC seems to not be updated - but I am not sure how I can update WLC - as the only interaction between ClearPass and WLC is via Switch downloadable user role profile displayed above.

Thank you for you help!
Tomas

------------------------------
Tomas Backo

Original Message:
Sent: Oct 30, 2020 08:33 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------

Hi Zak,

I did it exactly how you said - so additional profile with radius username, and assigned it to the same role mapping policy. 
This is how radius request looks like now. You can see that both enforcement profiles where assigned.
User is sucessfully authenticated but, still on WLC i can see that the client is host authenticated. Thank you for your inputs.

Tomas

This is what I can see on WLC client status page:

This is shortened output from switch port where the device is connected:
And this is output of show user-table on WLC:


------------------------------
Tomas Backo
------------------------------

Original Message:
Sent: Oct 30, 2020 08:33 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------

This may be a bug, I will have to put this in my lab to confirm. 

The RADIUS:IETF User-Name attribute should take precedence over everything else.  However, it seems like the switch is only passing up the first authenticated user for that particular MAC-Address. 

Over time, does the controller ever update with the correct username? 8.x has had its issues with UI bugs.

------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP
------------------------------

Original Message:
Sent: Nov 04, 2020 09:00 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi Zak,

I did it exactly how you said - so additional profile with radius username, and assigned it to the same role mapping policy. 
This is how radius request looks like now. You can see that both enforcement profiles where assigned.
User is sucessfully authenticated but, still on WLC i can see that the client is host authenticated. Thank you for your inputs.

Tomas

This is what I can see on WLC client status page:

This is shortened output from switch port where the device is connected:

SK-DR41-01# sh port-access clients 3 detailed
   Port            : 3                     Authentication Type : 802.1x
   Client Status   : authenticated         Session Time        : 909 seconds
   Client name     : XXXX\sloarms      Session Timeout     : 0 seconds
   MAC Address     : dc4a3e-516641
   IP              : 10.x.x.x

   Downloaded user roles are preceded by *

 User Role Information

   Name                              : XXXX_DUR_Employee-3014-3
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : XXXX_Employee

And this is output of show user-table on WLC:

show user-table mac dc:4a:3e:51:66:41

Users
-----
    IP           MAC            Name                             Role           Age(d:h:m)  Auth            
10.X.X.X  dc:4a:3e:51:66:41  host/XXXXSLOFAB21.XXXXEURO.LOCAL  XXXX_Employee  79:08:41    Tunneled-User-802.1X 

------------------------------
Tomas Backo

Original Message:
Sent: Oct 30, 2020 08:33 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------

Hi Zak,

so far I can see that some of the endpoints are displayed as "user" logged in.
But unfortunately I am unable to find any reason why this one endpoint is displayed as "host" and other one as "user". 
It seems to be very random distribution. The only what I can say is that appx 90% are displayed as "host"

Tomas

------------------------------
Tomas Backo
------------------------------

Original Message:
Sent: Nov 04, 2020 03:26 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

This may be a bug, I will have to put this in my lab to confirm. 

The RADIUS:IETF User-Name attribute should take precedence over everything else.  However, it seems like the switch is only passing up the first authenticated user for that particular MAC-Address. 

Over time, does the controller ever update with the correct username? 8.x has had its issues with UI bugs.

------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP

Original Message:
Sent: Nov 04, 2020 09:00 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi Zak,

I did it exactly how you said - so additional profile with radius username, and assigned it to the same role mapping policy. 
This is how radius request looks like now. You can see that both enforcement profiles where assigned.
User is sucessfully authenticated but, still on WLC i can see that the client is host authenticated. Thank you for your inputs.

Tomas

This is what I can see on WLC client status page:

This is shortened output from switch port where the device is connected:

SK-DR41-01# sh port-access clients 3 detailed
   Port            : 3                     Authentication Type : 802.1x
   Client Status   : authenticated         Session Time        : 909 seconds
   Client name     : XXXX\sloarms      Session Timeout     : 0 seconds
   MAC Address     : dc4a3e-516641
   IP              : 10.x.x.x

   Downloaded user roles are preceded by *

 User Role Information

   Name                              : XXXX_DUR_Employee-3014-3
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : XXXX_Employee

And this is output of show user-table on WLC:

show user-table mac dc:4a:3e:51:66:41

Users
-----
    IP           MAC            Name                             Role           Age(d:h:m)  Auth            
10.X.X.X  dc:4a:3e:51:66:41  host/XXXXSLOFAB21.XXXXEURO.LOCAL  XXXX_Employee  79:08:41    Tunneled-User-802.1X 

------------------------------
Tomas Backo

Original Message:
Sent: Oct 30, 2020 08:33 PM
From: Zak Emerick
Subject: ClearPass - WLC host/user authentication

Try sending back the RADIUS User-Name in the enforcement profile when the user authenticates. See below.

Radius:IETF User-Name = %{Authentication:Full-Username}

------------------------------
Zak Emerick

Original Message:
Sent: Oct 30, 2020 09:20 AM
From: Tomas Backo
Subject: ClearPass - WLC host/user authentication

Hi community,

i am new here and if this is not appropriate forum please let me know.

I am facing a little "cosmetic" issue in our clearpass/wlc setup.
Let me introduce - we have 2 CP, 2 WLC7210 managed by vWMM. Our clients are mostly wired clients connected to 2930F in tunneled node mode.

I configured policy that authenticate endpoints using 802.1X and role assigned to endpoint depends if there is successful host or user authentication (it is little bit simplified but  its like that).
Now, I have a policy that windows clients they start with PEAP authentication using machine or username.
I can see on clearpass, that the process of authentication is like this:
1. Machine boots up and authenticate itself as machine - 29.10. 7:15
2. User logs in and authenticate himself as user mobu2  - 29.10.  7:16
3. User logs out and machine authenticate itself as machine - no happened right now

When endpoint is authenticated as machine, it receive role DomainPC via DUR enforcement profile.
When endpoint is authenticated as user, he receive role Employee via DUR enforcement profile.

All is working fine as far as I can say - the roles are assigned correctly and policies are enforced on WLC also correctly. The issue is, what is displayed in WLC GUI, resp. in CLI user table.
I can see the endpoint has correctly assinged role of Employee, but authentication field is still filled with machine authentication username. Bellow is screenshot from WLC clients page ( btw, the same is visible in airwave, and the same is in CLI show user-table)

This is scenario for appx 90% of endpoint of this type. Rest of the clients are displayed correctly as user authenticated and with correct role:

And also when user do not logs in - i can see that such computers are correctly displayed as machine authenticated with DomainPC role:

I am worrying about that because it is confusing for helpesk operators and it is definitely not correctly displayed info.
Does something like this happened also to you? Is this some kind of bug, or am I missing some configuration?

Just for info: Clearpass 6.8.5, WLC 8.6.0.4

Thanks a lot for
Tomas

------------------------------
Tomas Backo
------------------------------