Occasional Contributor I

CPPM - Enforcing MacAuth if 802.1x fails?

Hi guys,

Has anybody come up with a way to force a client to authenticate against a MacAuth service in case it failed to authenticate against an 802.1x service?

Imagine an unknown client connects to the network and has an 802.1x supplicant enabled, but without correct credentials and/or proper settings.

From what I understand, this client would trigger an 802.1x service (if present) then would fail to authenticate and get rejected, without a chance to try MacAuth.

What I would like is for this client to be reliably redirected to a MacAuth service.

Maybe by caching something during the 802.1x service? Or maybe by a combination of NAD config + clever service ordering?

I'll try to achieve this in a lab, but I also wanted to ask you guys.

Thanks in advance

Cheers

Guru Elite

Re: CPPM - Enforcing MacAuth if 802.1x fails?

This is 100% dependent on the capability of the NAD. There is nothing ClearPass can do to steer this behavior. I assume you're talking about wired?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: CPPM - Enforcing MacAuth if 802.1x fails?

Hi,

Yes, I was talking wired; the NAD is an HP 5130.

I've gone through some of the docs and to this point I didn't find anything like "If dot1x failed then try MacAuth before setting the port to Unauthorized state".

I still have some testing to do, maybe the switch tries both auth types consecutively anyway (if both are enabled on the port), but I seriously doubt it.

Thanks for the reply

Guru Elite

Re: CPPM - Enforcing MacAuth if 802.1x fails?

Did you look at the Solution Guide for Wired Policy Enforcement? It covers the HPE 5130 in great detail.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: CPPM - Enforcing MacAuth if 802.1x fails?

Oh nice! Didn't see that one, thanks a lot :)
