- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSID with Both MAC auth and 802.1x in ClearPass
SSID with Both MAC auth and 802.1x in ClearPass
09-16-2015 06:14 PM
How do you configure an SSID with both MAC auth and 802.1x against the same clearpass service?
Currently i have 2 SSID.
1NSU (802.1X against AD)
NSU (Mac auth for non-802.1x devices)
Before winter Term I was planning to try to Merge the MAC auth into 1NSU so in campus we only have 1 SSID for those devices beside Guest.
1. Do you try to do Mac Auth first then if it fail then do 802.1x auth?
So wireless printer will connect to the 1NSU do Mac Auth obtain the role Printer. Then A student will connect to 1NSU Fail Mac auth then do 802.1x auth and obtain the role NSUStudents.
Would it make sense? Or is better to keep it separate as i have now for easy of troubleshooting and management?
Thank you
Nils.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-16-2015 06:20 PM - edited 09-16-2015 06:23 PM
This is not possible due to dynamic encryption protocols.
You would need two SSIDs. MAC-address can only be used as an authorization source for 802.1X.
It is common to have a multi-purpose guest, help/onboard, "dumb" device SSID along with your 802.1X SSID.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-16-2015 06:26 PM
Thank you Cappalli!
It make sense..The right way will be to do l2 auth (mac) with l3 (captive portal) same ssid.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-16-2015 06:30 PM
devices so they pass MAC-auth and the fail-through would be a splash page
with instructions and/or guest registration.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-17-2015 04:23 AM
We use the "dumb" SSID with a captive portal to
1. Onboard PEAP-MSCHAPv2 to 802.1X SSID
or
2. Register "dumb" device for mac auth
The SSID also does mac auth for reghistered devices.
Bruce Osborne - Wireless Engineer
ACCP, ACMP
All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-17-2015 06:02 AM
Just spitballing here, but is there any product/configuration that would allow you to integrate those MAC addresses into the same database that your .1X devices authenticate off of? Whereas .1X is used primarily via cert/credentials, a pre-registered device could match against an AD object associated with it, say.
Not sure if it's possible, but the thought occurred to me.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass
Re: SSID with Both MAC auth and 802.1x in ClearPass
09-17-2015 06:05 AM
Thanks,
Tim
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
09-17-2015 06:47 AM
Conditions
(Connection:Client-Mac-Address-Colon EQUALS xx:xx:xx:xx:xx:xx)
Actions
[Allow Access]
Thanks,
Darin T. Williams
Network Engineer
University of Nebraska Computing Services
225 Nebraska Hall
Lincoln, Nebraska 68588-0521
email: dtwilliams@nebraska.edu
phone: 402.472.5884 cell:402.570.8293
From: Community Mailer >
Date: Thursday, September 17, 2015 at 8:02 AM
To: Darin >
Subject: Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
Hi darin-williams,
pmauretti (New Member) posted a new Reply in Higher Education on 09-17-2015 06:02 AM :
Browsing from your phone? Don't forget to download the Airheads Community App?
________________________________
Re: SSID with Both MAC auth and 802.1x in ClearPass
Just spitballing here, but is there any product/configuration that would allow you to integrate those MAC addresses into the same database that your .1X devices authenticate off of? Whereas .1X is used primarily via cert/credentials, a pre-registered device could match against an AD object associated with it, say.
Not sure if it's possible, but the thought occurred to me.
Reply | Give Kudos
________________________________
Airheads Community sent this message to dtwilliams@nebraska.edu.
You are receiving this email because a new message matches your subscription to a board.
To control which emails we send you please go to, manage your subscription & notification settings or unsubscribe.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
09-17-2015 06:51 AM
darin-williams wrote:
I am new to ClearPass, so I am still feeling my way around the product. I am wondering why a rule couldn't be added to the enforcement policy to look at the mac address and then push the action to allow access if it is a match. If you have a lot of devices this would be ideal. For example the rule below:
Conditions
(Connection:Client-Mac-Address-Colon EQUALS xx:xx:xx:xx:xx:xx)
Actions
[Allow Access]
Thanks,
Darin T. Williams
Network Engineer
University of Nebraska Computing Services
225 Nebraska Hall
Lincoln, Nebraska 68588-0521
email: dtwilliams@nebraska.edu
phone: 402.472.5884 cell:402.570.8293
From: Community Mailer >
Date: Thursday, September 17, 2015 at 8:02 AM
To: Darin >
Subject: Re: SSID with Both MAC auth and 802.1x in ClearPass (Airheads Community Subscription Update)
Hi darin-williams,
pmauretti (New Member) posted a new Reply in Higher Education on 09-17-2015 06:02 AM :
Browsing from your phone? Don't forget to download the Airheads Community App?
________________________________
Re: SSID with Both MAC auth and 802.1x in ClearPass
Just spitballing here, but is there any product/configuration that would allow you to integrate those MAC addresses into the same database that your .1X devices authenticate off of? Whereas .1X is used primarily via cert/credentials, a pre-registered device could match against an AD object associated with it, say.
Not sure if it's possible, but the thought occurred to me.
We are doing that with the registered mac addresses marked as Known and tagged with Username, etc. in the Endpoints database built in to ClearPass Policy Manager.
Bruce Osborne - Wireless Engineer
ACCP, ACMP
All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator