Occasional Contributor I

802.1x - Identity MAC caching

hi,

 

I have a question that has driven me crazy for a few days ...
The title could be: credential caching in 802.1x (PEAP - MSCHAPv2).

The authentication model has to be 802.1x for all types of mobile devices, so I use PEAP.

The users reside in an external LDAP and ClearPass is already consulting it without problems. In principle all good.

The issue is that there are devices that send a RADIUS request every few minutes; I suppose it is because of roaming problems between APs. Whenever a change of AP occurs, a RADIUS authentication request is generated.

Can you think of any way to locally cache the identity of the client device, for example through the tuple of MAC address and user name, to verify the existence of a locally established session?

That way the requests would not be forwarded to the LDAP.

I'm trying to store the value of Radius:IETF:Calling-Station-Id in some local table (although I assume the known MAC addresses will be queryable) and then, BEFORE normal authentication, check this table and compare it with the MAC address of the new connection ... it's very difficult for me.

Really, thanks - I know it can't be easy.

Guru Elite

Re: 802.1x - Identity MAC caching

No, this is not feasible as it's not the way the protocol is built. What you're seeing is normal. Clients that support fast reconnect will not require a full authentication on every roam event. FR is enabled by default in ClearPass.

 

It's not exactly clear what issue you're seeing.

 

Another option is to consider using a more modern authentication method like EAP-TLS that has a lower dependency on the identity store.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: 802.1x - Identity MAC caching

Thanks for your quick response

 

What I'm seeing is that some specific devices (iPhones, very specific Linux, ...) make an average of 60 RADIUS requests every hour. All these requests are forwarded to the LDAP, which already has a considerable workload. I would like to avoid this since these devices have already been authenticated and have a 14-hour session ...
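The following is an added example, not code from the thread or from ClearPass. It does two things the discussion above touches on: it measures per-device RADIUS request rates over a constructed set of Access-Request records (the "60 requests every hour" observation), and it models the (Calling-Station-Id, User-Name) cache proposed in the opening post next to a cache keyed on per-session secret state, which is what PEAP Fast Reconnect relies on through TLS session resumption. The log line format, the MAC addresses, the user names and the HMAC-based "resume proof" are all assumptions made for the example; real Fast Reconnect is done by the TLS stack, and the HMAC is only a stand-in for that proof of possession.

```python
"""Per-device RADIUS request rates, and why a MAC/user-name bypass is unsafe.

Added example. SAMPLE_LOG is constructed; its line format is hypothetical and
is not ClearPass's own log layout.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime

# Constructed records: one iPhone roams between four APs roughly every minute
# (60 Access-Requests in the 08:00 hour); one laptop authenticates once.
SAMPLE_LOG = "\n".join(
    [f"2019-03-04T08:{m:02d}:{(m * 7) % 60:02d}Z Access-Request User-Name=jdoe "
     f"Calling-Station-Id=AA-BB-CC-11-22-33 Called-Station-Id=ap-{(m % 4) + 1:02d} EAP-Type=PEAP"
     for m in range(60)]
    + ["2019-03-04T08:03:10Z Access-Request User-Name=asmith "
       "Calling-Station-Id=DE-AD-BE-EF-00-01 Called-Station-Id=ap-02 EAP-Type=PEAP"]
)


def parse_records(text):
    """Parse '<timestamp> Access-Request k=v k=v ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, *attrs = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for attr in attrs:
            key, _, value = attr.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def peak_hourly_requests(records):
    """Highest number of Access-Requests any single clock hour saw, per MAC."""
    buckets = defaultdict(int)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0)
        buckets[(r["Calling-Station-Id"], hour)] += 1
    peak = defaultdict(int)
    for (mac, _hour), count in buckets.items():
        peak[mac] = max(peak[mac], count)
    return dict(peak)


def flag_chatty(records, threshold=10):
    """Devices whose peak hourly request count exceeds the threshold."""
    user_by_mac = {r["Calling-Station-Id"]: r["User-Name"] for r in records}
    return sorted((mac, user_by_mac[mac], n)
                  for mac, n in peak_hourly_requests(records).items() if n > threshold)


class MacTupleCache:
    """The proposal from the opening post: remember (Calling-Station-Id, User-Name)
    after a full authentication and skip the LDAP lookup when the tuple reappears.
    Both attributes arrive unauthenticated: the NAS copies whatever MAC the
    supplicant used, and the outer User-Name is chosen by the supplicant."""

    def __init__(self):
        self._seen = set()

    def record_success(self, mac, user):
        self._seen.add((mac, user))

    def would_skip_auth(self, mac, user):
        return (mac, user) in self._seen


class SessionCache:
    """Model of what Fast Reconnect keys on instead: secret per-session state that
    only the supplicant that completed the full handshake holds. In real PEAP this
    is TLS session resumption; the HMAC below is a simplified stand-in (assumption)."""

    def __init__(self):
        self._sessions = {}

    def record_success(self, user):
        session_id, key = secrets.token_hex(16), secrets.token_bytes(32)
        self._sessions[session_id] = (user, key)
        return session_id, key  # in reality delivered inside the TLS tunnel

    def challenge(self):
        return secrets.token_bytes(16)

    def would_skip_auth(self, session_id, nonce, proof):
        if session_id not in self._sessions:
            return False
        _user, key = self._sessions[session_id]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def supplicant_proof(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Returns (chatty devices, MAC-cache bypass by spoofer, legit resume, spoofed resume)."""
    records = parse_records(SAMPLE_LOG)
    chatty = flag_chatty(records)

    mac_cache = MacTupleCache()
    mac_cache.record_success("AA-BB-CC-11-22-33", "jdoe")
    # A second supplicant presenting the same MAC and outer identity, without ever
    # completing MSCHAPv2, would be waved through by the tuple cache.
    spoofer_skips_auth = mac_cache.would_skip_auth("AA-BB-CC-11-22-33", "jdoe")

    sessions = SessionCache()
    session_id, key = sessions.record_success("jdoe")
    nonce = sessions.challenge()
    legit_resume = sessions.would_skip_auth(session_id, nonce, supplicant_proof(key, nonce))
    spoofed_resume = sessions.would_skip_auth(session_id, nonce, supplicant_proof(b"guess", nonce))
    return chatty, spoofer_skips_auth, legit_resume, spoofed_resume


if __name__ == "__main__":
    print(demo())
```

Run it and the constructed iPhone shows up as the single device above the threshold at 60 requests in one hour, the tuple cache accepts the spoofer, and the session cache accepts only the holder of the per-session secret. The measurement half is the part worth keeping: running it over real Access-Request exports tells you which supplicants lack working Fast Reconnect before deciding on an EAP method change.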

Guru Elite

Re: 802.1x - Identity MAC caching

AFAIK, iOS doesn't support Fast Reconnect. Your best bet would be to move away from legacy EAP methods like PEAP and over to EAP-TLS.

Occasional Contributor I

Re: 802.1x - Identity MAC caching

This path is totally ruled out, due to the nature of the scenario: thousands of customers ...

 

Do you really think that you cannot "store" part of the information of an established connection, so that this authentication method is only the initial one when the devices connect to the Wi-Fi (802.1x), avoiding the use of the user and password?

 

You do not know how grateful I am for your opinion - thank you very much.

Guru Elite

Re: 802.1x - Identity MAC caching

That is essentially the premise of Fast Reconnect but not all devices support it.

What you're describing is not possible within the protocols that are in use.

Occasional Contributor I

Re: 802.1x - Identity MAC caching

Thanks for your opinion - now that I start to see it with more perspective, everything you say makes sense.

 

I suppose that in this sense EAP-TTLS would not solve anything.

Guru Elite

Re: 802.1x - Identity MAC caching

EAP-TLS, not EAP-TTLS.

Occasional Contributor I

Re: 802.1x - Identity MAC caching

If I understood you correctly ... you proposed EAP-TLS (not EAP-TTLS), but for this scenario creating a certificate for each user would require a very large deployment - not viable.

 

EAP-TTLS has a functional architecture very similar to PEAP, so it would not solve anything regarding the possibility of caching identities to avoid a complete authentication. Is that right?

Guru Elite

Re: 802.1x - Identity MAC caching

Yes, certificate-based authentication is standard and always recommended, no matter the size of the environment.
