Dot1x not authenticating?

  • 1.  Dot1x not authenticating?

    Posted Jun 25, 2025 04:26 PM

    We are using ClearPass 6.11, and are running into issues where devices are not authenticating. A user called saying she had no internet; verified there is no connection on the device. She had mentioned she has to restart a couple of times a day. I have an idea, and am not sure if any of you could have a potential solution.

    Our policy cache timeout was 8 hours; I changed it to 2 days to account for weekends. Every morning it would take 30 seconds to a minute for Dot1x to move users to a quarantine VLAN for being unknown, run a health check, then move them to the correct VLAN.

    Our session timeout for the VLAN was set to the standard, which I believe is 3 hours. I just now changed this to 8 hours, assuming this is the possible fix for this.

    Not sure what could cause the Dot1x to suddenly stop doing checks.

    Policy Cache set to 2 days

    OnGuard checks set to every 2 hours.

    Session timeout on VLAN was 3 hours, changed to 8 hours thinking this could be the solution.



  • 2.  RE: Dot1x not authenticating?

    Posted Jun 25, 2025 07:34 PM

    Hi @Jscott1, there's some complexity in your environment that we'll need some more details on to help understand what might be happening. 

    First, are you using OnGuard for device posture assessment? Is this agent based or agent-less?

    Looking at Access Tracker for requests processed for the user who had no connection, what are you seeing? If they are being rejected you need to get to the bottom of why this is occurring. If a reject does occur, then analysis of the role mapping and enforcement policy is required.

    You stated the client is moved to the quarantine VLAN for being unknown. Does this mean that the client status in the endpoint repository is "Unknown client"? There would be a corresponding policy to match and check for this attribute if this is the case. What does that look like?




  • 3.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 02:34 AM

    Hello,

    Are you using AD Nested Group on Role Mapping or Enforcement profiles?

    I have recently seen very long delays (> 15 sec) on authorization to AD using the "standard Nested Group" implementation, and I still don't know if it comes from ClearPass itself (6.11.11) or slow AD answers.

    Kind regards

    Christian

    -------------------------------------------
    Original Message:
    Sent: Jun 25, 2025 07:34 PM
    From: ProbeRequest
    Subject: Dot1x not authenticating?



    Original Message:
    Sent: Jun 25, 2025 04:26 PM
    From: Jscott1
    Subject: Dot1x not authenticating?




  • 4.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 08:51 AM

    I believe we are using AD for the enforcement profiles. Here are the logs returned for the last 2 days for the same device. I am seeing no rejections, just the return VL 20 or OnGuard healthy. We are using EAP-TEAP, if that matters at all.

    Here is our Dot1x Wired Auth Enforcement:

    Sorry for sounding like a potato. I've only had experience with ClearPass for about 2 months now. Before that I had no prior NAC experience, so it's all very new to me. Trying the best I can to get this going for our company.




  • 5.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 08:57 AM

    What do you see on the switch side? Please check the port-access details there.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 6.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 09:04 AM

    I was trying to look for the EAPOL requests you are talking about, but I am just seeing EAP-TEAP and EAP-MSCHAPv2.

    This is the switch config we are using. We are using Cisco 3850s.

    policy-map type control subscriber CLEARPASS-DOT1X_MAB
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x priority 10
     event authentication-failure match-first
      10 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20

    I have also noticed that we are now unable to do any MAC Auth requests. We are just trying to figure out this issue we have with Dot1x first, then tackle why MAC Auth is not doing what it's supposed to. I thought it was supposed to run after Dot1x fails, but it seems not to be doing that. When we would put "20 authenticate using mab priority 20" in that first segment, it would authenticate both Dot1x and MAC Auth on desktops at the same time, causing connectivity issues by passing a deny access profile on those computers that would receive a MAC auth.
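Added example, not taken from the thread or from Cisco's own template files: a complete IBNS 2.0 control policy around the CLEARPASS-DOT1X_MAB policy-map quoted above. The class-map definitions, the DOT1X_NO_RESP class, the agent-found event, the interface name and the timer values are assumptions for illustration. The point it shows is that the authentication-failure event only fires for the classes it lists; a host with no supplicant produces an agent-not-found result rather than an authoritative failure, so a policy that only matches DOT1X_FAILED never falls back to MAB for such hosts.

```cisco
! Class-maps referenced by the policy-map (assumed names, shown for completeness).
! DOT1X_FAILED: the supplicant answered but the RADIUS server returned a reject.
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
! DOT1X_NO_RESP: nothing answered the EAPOL requests (printer, phone, host with the
! wired 802.1X service stopped). Without this class the failure event does not match
! and MAB is never attempted for these hosts.
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

policy-map type control subscriber CLEARPASS-DOT1X_MAB
 ! Start with 802.1X only, as in the original policy; MAB is not run in parallel,
 ! which avoids the desktops receiving a second (MAB) result at the same time.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 ! Fall back to MAB both when 802.1X is rejected and when no supplicant responds.
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! If a supplicant shows up later (EAPOL-Start), drop the MAB session and re-run 802.1X.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

! Assumed access port; timers are examples, not the values from the thread.
interface GigabitEthernet1/0/1
 switchport mode access
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 service-policy type control subscriber CLEARPASS-DOT1X_MAB
```

With the assumed timers, the switch sends the initial EAP-Request/Identity and two retries at 10-second intervals before declaring agent-not-found, so a host without a supplicant waits roughly 30 seconds before MAB starts. Those timers are one of the things to look at when a port takes a long time to land in its VLAN; checking the session on the port (`show authentication sessions interface GigabitEthernet1/0/1 details`) shows which method is currently running and which result it produced.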




  • 7.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 09:09 AM

    Please check the authentication status on the interface. I believe on Cisco devices it's:

    show authentication sessions interface <interface> details



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 8.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 09:13 AM




  • 9.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 09:18 AM

    Based on this info the endpoint looks authenticated. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 10.  RE: Dot1x not authenticating?

    Posted Jun 26, 2025 03:26 AM

    As mentioned, please check the Access Tracker to see if there is any request coming from the device. 802.1X auth starts with an EAPOL-Start from the endpoint. If no request is seen in ClearPass for this device, please check the logs on the endpoint.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------