Security

Hi guys,

Has anybody come up with a way to force a client to authenticate against a macAuth service in the case it failed to authenticate against an 802.1x service ?

Imagine an unknown client connects to the network and has an 802.1x supplicant enabled, but without correct credentials and/or proper settings.

From what I understand, this client would trigger an 802.1x service (if present) then would fail to authenticate and get rejected, without a chance to try MacAuth.

What I would like is this client to be reliably redirected to a MacAuth service.

Maybe by caching something during the 802.1x service ? Or maybe by a combination of NAD config + clever service ordering ?

I'll try to achieve this in a lab, but I also wanted to ask you guys.

Thanks in adavnce 

Cheers

This is 100% dependent on the capability of the NAD. There is nothing ClearPass can do to steer this behavior. I assume you're talking about wired?

Hi,

Yes I was talking wired, NAD is an HP 5130.

I've gone throught some of the docs and to this point I didn't find anything like "If dot1x failed then try MacAuth before setting the port to Unauthorized state".

I still have some testing to do, maybe the switch tries both auth types consecutively anyway (if both are enabled on the port), but I seriously doubt it.

Thanks for the reply

Oh nice ! Didn't see that one, thanks a lot :)