Aruba Apps

 View Only
Back to discussions
Expand all | Collapse all

Wired Mac Auth Time based in Clearpass Aruba

This thread has been viewed 66 times

  • 1.  Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 16, 2024 04:14 AM
      |   view attached

    Hello Team, 

    today i have configured some policy and services in aruba clear pass for mac authentication which is Time based but it is not working for me. I am attaching the documents which mentioned all the steps. 

    could you please help me to fix the issue and complete my setup. 

    after expiring the time it is still working which is wrong right ?

    Attachment(s)

    docx
    MAC-auth-setup.docx   1.54 MB 1 version


  • 2.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 19, 2024 03:48 AM

    Hello Team, 

    now it is working successfully but there is one small issue actually after ending the time the port is not bouncing automatically so user are doing continue working with the cable. 

    but I want after ending the time it should be denied for them. 

    not understanding how to achieve this. 




  • 3.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 19, 2024 04:14 AM
      |   view attached

    please find attachment of my enforcement policy but here after ending the time still connection is working , by rights it should be denied automatically correct ?


    Original Message


  • 4.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 20, 2024 01:51 AM

    Hi Jainmanu.

    You should send session timeout attribute to set the time when session need to be reauthorized. Then you can check in Clearpass if session can proceed/be reauthorized or need to be terminated.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 5.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 21, 2024 08:34 PM

    any idea what enforcement policy i need to configure ?


    Original Message


  • 6.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 22, 2024 03:17 AM

    Hi Jainmanu.

    You should send IETF Session Timeout in seconds. 

    You have several options. 

    Simplest one is to send fixed number of seconds to reauthorize the session and then you can check in Clearpass, if it is expired.

    You can calculate how many seconds is to the end of allowed period and send this into IETF: Session Timeout.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 7.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 22, 2024 04:46 AM
      |   view attached

    Hello 

    it is not working. 

    i created one Enforcement profile and under the profile i have added Radius-IETF - Session - Timeout - 100 Seconds . 

    but it is not working and user is continue with work. 


    Original Message


  • 8.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 22, 2024 04:53 AM

    Hi Jain.

    Session Timeout will force authentication request in Clearpass and you need to handle it in your service role mapping and enforcement policies to check, if it is Allow or Deny response.

    Check Access tracker if you receive session authorization every 100 seconds.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 9.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 22, 2024 07:24 AM
    If u don't mind sir ,

    Could u plz give me some screenshot where I need to add session timeout 



    Original Message


  • 10.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 22, 2024 09:46 PM
      |   view attached

    please check my attach document

    do not know where i am wrong because still the policy is not working. 


    Attachment(s)

    docx
    enforcement&role_mapping.docx   260 KB 1 version
    Original Message


  • 11.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 23, 2024 01:48 AM

    Hi Manu.

    I did not see any Deny Access profile in Your policy. You need to have Deny Access as a Default profile and explicit Allow Access in your  allow enforcement line.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 12.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 23, 2024 01:54 AM

    it is there 

    did you check my documents 

    there is 3rd screen shot. 

    Enforcement Policies - Mac-Auth-Blue-Cable-Enforcement-Policy
    Default Profile is Deny Access Profile.


    Original Message


  • 13.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 23, 2024 02:14 AM

    Hi Manu.

    No. I didn't see this. It wasn't downloaded. Did you check in access tracker that it really send deny?

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 14.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Jan 23, 2024 02:20 AM
      |   view attached

    see i am attaching again. 


    Original Message


  • 15.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Feb 02, 2024 12:15 PM

    I'm sorry for not replying yet. I'm a little bit busy currently.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------

    Original Message


  • 16.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Feb 22, 2024 03:54 AM

    Hi Manu.

    Any progress? As Herman explain already, what is in Access Tracker? Do you see regular reauthentications?

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------

    Original Message


  • 17.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Feb 22, 2024 04:12 AM

    Sorry for late reply

    My setup is completed after making some policy on Alcatel switches and now all working fine and ports are getting blocked automatically after ending the time 

    Thanks for your support, thanks to all 


    Original Message


  • 18.  RE: Wired Mac Auth Time based in Clearpass Aruba

    Posted Feb 07, 2024 05:45 AM

    Can you maybe explain what you try to achieve and on what type of switch/AP? It's not fully clear to me what the goal is for what you try to do. 

    In the Role Mapping, I see you use IETF:Session-Timeout as a condition. I have not seen switches sending the Session-Timeout, that is mainly used as enforcement attribute to be sent back to the switch. Also, you switch needs to support session-timeout.

    What Gorazd was asking for is if you can share the screenshots of Access Tracker, as it shows the actual role mapping and selected enforcement profile, in the Input tab the received attributes.

    This probably is quite easy to fix with someone who knows ClearPass better, like your Aruba partner. But if you share what you try to configure and what ClearPass does, that would help. If you can include the authenticate port output of your switch (on AOS-CX: show port-access clients <interface-number> detail), that may help as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


Related Content