
802.1x and profiling port 2920 and Clearpass

  • 1.  802.1x and profiling port 2920 and Clearpass

    Posted Mar 12, 2018 10:59 AM

    Hi!

    I'm setting up 802.1x for employees and MAC auth for profiling and guest access on wired ports on an Aruba 2920 switch with ClearPass.

    Been using the "Wired Policy Enforcement solution guide", excellent guide btw.

    I've set up a service for MAC auth (allow all MAC) and a service for 802.1x.

    It's working fine in practice from what I can see in my lab right now. But I'm a bit worried since I'm seeing some MAC auths hitting the MAC auth service alongside the 802.1x service at almost the same time for my 802.1x configured client.

    I've tried changing the quiet-period for MAC auth on the port, but it makes no difference.

    Is this normal? It doesn't seem to affect the client; it stays on the employee network all the time. MAC auth does send out the captive portal for the client since it doesn't fit any guest roles in the MAC service, but the correct 802.1x VLAN seems to stay the same on the switch regardless. But I want to be sure before going forward with deployment.

    Oh, and I'm not using user-roles right now, I'm using dynamically assigned VLANs (via RADIUS responses).



  • 2.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 03:28 AM

    Bump.

    Anyone know if this is expected behavior?

    As I said, for every client auth I get both MAC and 802.1x at roughly the same time:

    [Screenshot: 8021port.PNG]

    Just want to make sure it is the way it's supposed to work in this case.



  • 3.  RE: 802.1x and profiling port 2920 and Clearpass
    Best Answer

    EMPLOYEE
    Posted Mar 14, 2018 06:05 AM
    Yes, that is the switch behavior at this time.


  • 4.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 06:33 AM

    OK, thank you for the clarification. So I assume this won't affect the client because 802.1x auth always has higher priority on the switch than MAC?

    So the only downside is a bit more traffic.



  • 5.  RE: 802.1x and profiling port 2920 and Clearpass
    Best Answer

    EMPLOYEE
    Posted Mar 14, 2018 06:43 AM
    Correct


  • 6.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 06:46 AM

    OK, thank you so much for the answers.



  • 7.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 16, 2018 04:03 AM

    I've got a question on this. I wonder if Aruba/HPE are planning to introduce something similar to the authentication order/authentication priority Cisco commands.

    Regards,

    Kevin



  • 8.  RE: 802.1x and profiling port 2920 and Clearpass

    EMPLOYEE
    Posted Mar 16, 2018 04:06 AM
    Please speak with your Aruba account team. Roadmap cannot be discussed in a public forum.


  • 9.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 16, 2018 04:46 AM

    Will do. Thanks!