Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Switching WIFI & Wired 802.1X and MAC authentication

  • 1.  CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Nov 15, 2016 11:04 PM

    Currently I am configuring 802.1X and MAC Authentication in our office wired network. I have been using WIFI 802.1X and Machine Authentication for quite some time.

    Our idea is that getting both 802.1X and MAC authenticated will give Internal Access, and getting only either one will give Guest Access.

    The problem I encountered is when switching from wireless to wired and vice versa.

    Booting up the PC with WIFI, I can get an Internal IP. Plugging in the cable, sometimes I can still get an internal IP but sometimes I don't.

    When it fails, re-logging in the user will work.

    On the other hand, booting up with Wired always works.

    I was told by support that relogin is the recommended way, but I wonder if this is true.

    Could someone please help? ><

     

    Thanks.



  • 2.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    EMPLOYEE
    Posted Nov 15, 2016 11:36 PM
    Are your devices configured for machine auth only or user + machine?


  • 3.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Nov 16, 2016 03:12 AM

    User + Machine



  • 4.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    EMPLOYEE
    Posted Nov 16, 2016 10:11 AM

    There is no way for ClearPass to know that a wired and wireless MAC address belong to the same device. You will need to modify your policies to accommodate this limitation.



  • 5.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Nov 16, 2016 10:17 AM
    I added the Wired MAC address to the static host list. When I plug in the cable, it should authenticate, right?


  • 6.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    EMPLOYEE
    Posted Nov 16, 2016 10:35 AM
    Please share some screenshots of your policies. This is not a use case I see too often.


  • 7.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Nov 16, 2016 11:25 PM

    Please check the screenshot of the configuration.



  • 8.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Nov 16, 2016 08:25 PM

    If your clients are set up to do 802.1x on the wired connection then they should perform dot1x first.

     

    Depending upon how your switch is configured, macauth can be the fallback if dot1x fails.

     

    I think the wired and wireless worlds work the same in terms of Windows behavior:

    If your Windows client is configured for user+machine, then:

    • If the user is already signed in when the device attempts to connect, then only user auth is performed.
    • If the device starts from a cold boot, then machine and user auth are performed.
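
The behaviour described in posts 4 and 8, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model showing why a signed-in client that moves from one interface to the other can land in the guest role. It assumes the policy server remembers a successful machine authentication per MAC address for a limited time; the class names, MAC addresses and the `CACHE_TTL` value are constructed for illustration.

```python
from dataclasses import dataclass, field

CACHE_TTL = 24 * 3600  # assumed lifetime (seconds) of a remembered machine auth

@dataclass
class PolicyServer:
    """Toy model: remembers successful machine auths, keyed by MAC address."""
    machine_cache: dict = field(default_factory=dict)  # mac -> time of machine auth

    def authenticate(self, mac, kind, now):
        """kind is 'machine' or 'user'; returns the access level granted."""
        if kind == "machine":
            self.machine_cache[mac] = now
            return "guest"  # only one of the two checks has passed so far
        seen = self.machine_cache.get(mac)
        if seen is not None and now - seen <= CACHE_TTL:
            return "internal"  # user auth plus a remembered machine auth
        return "guest"  # user auth only: this MAC was never machine-authenticated

@dataclass
class WindowsClient:
    """Supplicant in user+machine mode, following the rules in post 8."""
    wifi_mac: str
    wired_mac: str
    signed_in: bool = False

    def sign_out(self):
        self.signed_in = False

    def connect(self, server, mac, now):
        if self.signed_in:  # user already signed in: user auth only
            return server.authenticate(mac, "user", now)
        server.authenticate(mac, "machine", now)  # cold boot or login screen
        self.signed_in = True
        return server.authenticate(mac, "user", now + 60)

def scenario():
    """Replay the switching sequence from the thread; returns the access levels."""
    server = PolicyServer()
    pc = WindowsClient(wifi_mac="02:00:00:00:00:01", wired_mac="02:00:00:00:00:02")
    results = [pc.connect(server, pc.wifi_mac, 0)]           # boot on WiFi
    results.append(pc.connect(server, pc.wired_mac, 600))    # plug in cable, still signed in
    pc.sign_out()
    results.append(pc.connect(server, pc.wired_mac, 700))    # relogin on wired
    results.append(pc.connect(server, pc.wifi_mac, 1300))    # back to WiFi, entry still fresh
    late = 700 + CACHE_TTL + 100
    results.append(pc.connect(server, pc.wired_mac, late))   # wired entry has aged out
    return results

if __name__ == "__main__":
    print(scenario())
```

In this model the "sometimes works" result depends only on whether the MAC of the newly used interface still has a fresh machine-authentication entry.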


  • 9.  RE: CPPM Switching WIFI & Wired 802.1X and MAC authentication

    Posted Jun 21, 2019 08:47 AM

    Hello Tim,

     

    Is it possible to get the [Machine Authenticated] role bound to the same username that is learned in the [Endpoint Repository]?

     

    My goal is to have seamless switching from wired to wireless, without the need to reboot / sign out on wireless when user actually already rebooted on wired, and vice versa.

     

    If there's another way to achieve this please let us know.

     

    Authentication Method = EAP-TLS with no Authorization (within the EAP-TLS profile) enabled.