Occasional Contributor I
Posts: 5
Registered: ‎10-16-2015

802.1X Authentication of Virtual Machines on Development Notebooks

Dear all,

Is there any best-practice user guide on how to implement 802.1X authentication with ClearPass for development computers where virtual machines are installed?

Thanks

Michael

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

The question is whether the VM will even allow you to configure 802.1x on that adapter. Often your only option is to bridge or NAT traffic on that interface.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 5
Registered: ‎10-16-2015

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

It depends on how the PC is configured, right? Whether the setup is able to send the MAC of the virtual machine, or whether the MAC of the Ethernet adapter is the only MAC address seen on the network.

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

Are you talking about MAC authentication, or 802.1x?


Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 5
Registered: ‎10-16-2015

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

802.1X

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

I do not think you can configure 802.1x credentials on the uplink adapter in a VM.


Colin Joseph
Aruba Customer Engineering

Super Contributor I
Posts: 294
Registered: ‎02-07-2013

Re: 802.1X Authentication of Virtual Machines on Development Notebooks

I've got multiple VMs running on my OS X machine (VMware Fusion) authenticating via mac auth or dot1x. Your VM needs to have a "bridged" network interface. Whether it works or not depends on the capabilities of the switch port you are plugged into. On an HP ProCurve switch you can have multiple tagged vlans and a single untagged vlan. This would allow you to, for example, have a VOIP phone connected to the wall socket using a tagged vlan and a PC (windoze/osx/linux etc.) plugged into the ethernet socket on the phone. You would be able to have multiple VMs all authenticating using mac-auth or dot1x as long as they ended up on the same untagged vlan.

With an HP ComWare switch, you can have as many untagged VLANs as you want on the switch port, as the ComWare switch does mac address to vlan mapping. With this switch the default is to have a seriously large number of (untagged) vlans on a switch port. As an example, at one point I had:

1). VOIP phone mac-authing onto an untagged voice vlan

2). OS X dot1x'ing onto another untagged vlan

3). Windows 7 vlan mac-auth'ing onto another untagged vlan

4). and an Ubuntu VM dot1x'ing onto a 4th untagged vlan ..

So it does depend on what sort of switch the client device is connected to.

A
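The two switch-port behaviours described in the post above, as an added example that is not part of the original thread and is not vendor code: a small Python model that checks which bridged clients behind one port can be placed on their VLANs. The names `Client` and `admit`, the VLAN ids, the MAC addresses and the rule that the first untagged client fixes the port's untagged VLAN are all assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    name: str
    mac: str              # constructed, locally administered sample MAC
    method: str           # "mac-auth" or "dot1x"
    vlan: int             # VLAN assumed to be returned by the RADIUS policy
    tagged: bool = False  # True if the device tags its own frames (e.g. a phone)

def admit(clients, port_mode):
    """Return {name: (admitted, detail)} for bridged clients behind one port.

    "single-untagged": many tagged VLANs, one untagged VLAN per port; the first
    untagged client to authenticate fixes it (a simplification of this model).
    "mac-vlan": the switch maps each source MAC to its own untagged VLAN.
    """
    if port_mode not in ("single-untagged", "mac-vlan"):
        raise ValueError(f"unknown port mode: {port_mode}")
    result, port_untagged = {}, None
    for c in clients:
        if c.tagged or port_mode == "mac-vlan":
            result[c.name] = (True, f"{c.method} {c.mac} -> vlan {c.vlan}")
        elif port_untagged in (None, c.vlan):
            port_untagged = c.vlan
            result[c.name] = (True, f"{c.method} {c.mac} -> untagged vlan {c.vlan}")
        else:
            result[c.name] = (False, f"wants untagged vlan {c.vlan}, port is on {port_untagged}")
    return result

# Constructed sample: the four devices from the post, each on its own untagged VLAN.
FOUR_VLANS = [
    Client("voip-phone", "02:00:00:00:00:01", "mac-auth", 10),
    Client("osx-host",   "02:00:00:00:00:02", "dot1x",    20),
    Client("win7-vm",    "02:00:00:00:00:03", "mac-auth", 30),
    Client("ubuntu-vm",  "02:00:00:00:00:04", "dot1x",    40),
]
# Constructed sample: phone on a tagged VLAN, host and VMs sharing one untagged VLAN.
SHARED_VLAN = [
    Client("voip-phone", "02:00:00:00:00:01", "mac-auth", 10, tagged=True),
    Client("osx-host",   "02:00:00:00:00:02", "dot1x",    20),
    Client("win7-vm",    "02:00:00:00:00:03", "mac-auth", 20),
    Client("ubuntu-vm",  "02:00:00:00:00:04", "dot1x",    20),
]

if __name__ == "__main__":
    for label, desk in (("four VLANs", FOUR_VLANS), ("shared VLAN", SHARED_VLAN)):
        for mode in ("single-untagged", "mac-vlan"):
            print(label, mode, admit(desk, mode))
```
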
