11-15-2016 08:03 PM - edited 11-15-2016 08:04 PM
Currently I am configuring 802.1X and MAC Authentication in our office wired network. I had been using Wi-Fi 802.1X and Machine Authentication for quite some time.
Our idea is that a device passing both 802.1X and MAC authentication gets Internal Access, and a device passing only either one gets Guest Access.
The problem I encountered is when switching from wireless to wired and vice versa.
Booting up the PC on Wi-Fi, I can get an internal IP; after plugging in the cable, sometimes I still get an internal IP but sometimes I don't.
When it fails, logging the user in again works.
On the other hand, booting up wired always works.
I was told by support that relogin is the recommended way, but I wonder whether this is true.
Could someone please help? ><
11-16-2016 07:10 AM
There is no way for ClearPass to know that a wired and wireless MAC address belong to the same device. You will need to modify your policies to accommodate this limitation.
11-16-2016 05:25 PM
If your clients are set up to do 802.1x on the wired connection then they should perform dot1x first.
Depending upon how your switch is configured, macauth can be the fallback if dot1x fails.
I think the wired and wireless worlds work the same in terms of Windows behavior:
If your Windows client is configured for user+machine, then:
- If the user is already signed in when the device attempts to connect, then only user auth is performed.
- If the device starts from a cold boot, then machine and user auth are performed.
11-16-2016 08:25 PM