New Contributor
Posts: 4
Registered: ‎11-15-2016

CPPM Switching WIFI & Wired 802.1X and MAC authentication

Currently I am configuring 802.1X and MAC Authentication in our office wired network. I have been using WIFI 802.1X and Machine Authentication for quite some time.

Our idea is that passing both 802.1X and MAC authentication gets Internal Access, and passing only one of them gets Guest Access.

The problem I encountered is with switching from wireless to wired and vice versa.

Booting up the PC on WIFI, I get an internal IP. After plugging in the cable, sometimes I still get an internal IP, but sometimes I don't.

When it fails, re-logging in the user works.

On the other hand, booting up on wired always works.

I was told by support that relogin is the recommended way, but I wonder if this is true.

Could someone please help? ><

Thanks.

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: CPPM Switching WIFI

Are your devices configured for machine auth only or user + machine?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 4
Registered: ‎11-15-2016

Re: CPPM Switching WIFI

User + Machine

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: CPPM Switching WIFI

There is no way for ClearPass to know that a wired and wireless MAC address belong to the same device. You will need to modify your policies to accommodate this limitation.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 4
Registered: ‎11-15-2016

Re: CPPM Switching WIFI

I added the Wired MAC address to the static host list, when I plug in the cable, it should authenticate right?
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: CPPM Switching WIFI

Please share some screenshots of your policies. This is not a use case I see too often.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 374
Registered: ‎09-05-2012

Re: CPPM Switching WIFI

If your clients are set up to do 802.1x on the wired connection, then they should perform dot1x first.

Depending upon how your switch is configured, macauth can be the fallback if dot1x fails.

I think the wired and wireless worlds work the same in terms of Windows behavior:

If your Windows clients are configured for user+machine, then

  • If the user is already signed in when the device attempts to connect, then only user auth is performed.
  • If the device starts from a cold boot, then both machine and user auth are performed.
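A small Python model of the two mechanics this thread describes (ClearPass treating each adapter's MAC as a separate endpoint, and the Windows user+machine supplicant doing user-only auth once someone is signed in), run against the original poster's "both pass = Internal, else Guest" rule. This is an added illustration, not ClearPass code or anything from the posters; the MAC addresses and the `static_host_list` set are constructed stand-ins for the real endpoint data.

```python
# Model of the thread's access rule: a device gets "Internal" only when both its
# 802.1X authentication and its MAC authentication pass, otherwise "Guest".
# ClearPass only sees the MAC that actually authenticated, so the wired and
# wireless adapters of one laptop are two unrelated endpoints to it.
from dataclasses import dataclass

INTERNAL, GUEST = "Internal", "Guest"


@dataclass
class Laptop:
    wifi_mac: str           # constructed sample values, not real addresses
    wired_mac: str
    user_signed_in: bool = False


def supplicant_auth_types(laptop: Laptop, cold_boot: bool) -> set:
    """Windows user+machine behaviour as described in the thread."""
    if cold_boot:
        return {"machine", "user"}          # cold boot: machine auth, then user auth
    return {"user"} if laptop.user_signed_in else {"machine"}


def enforcement(auth_types: set, mac: str, static_host_list: set) -> str:
    """Both checks must pass for Internal; anything less falls to Guest."""
    dot1x_ok = bool(auth_types)             # some 802.1X identity authenticated
    mac_auth_ok = mac in static_host_list   # MAC auth = MAC known to ClearPass
    return INTERNAL if dot1x_ok and mac_auth_ok else GUEST


def connect(laptop: Laptop, adapter: str, static_host_list: set, cold_boot: bool) -> str:
    mac = laptop.wifi_mac if adapter == "wifi" else laptop.wired_mac
    return enforcement(supplicant_auth_types(laptop, cold_boot), mac, static_host_list)


def walk_through() -> dict:
    """Replay the poster's sequence: boot on WIFI, then plug in the cable."""
    pc = Laptop(wifi_mac="02:00:00:00:00:01", wired_mac="02:00:00:00:00:02")
    hosts = {pc.wifi_mac}                   # only the WIFI MAC was ever onboarded
    results = {}
    results["wifi cold boot"] = connect(pc, "wifi", hosts, cold_boot=True)
    pc.user_signed_in = True                # user is now logged in at the desktop
    results["cable, wired MAC unknown"] = connect(pc, "wired", hosts, cold_boot=False)
    hosts.add(pc.wired_mac)                 # add the wired MAC to the static host list
    results["cable, wired MAC added"] = connect(pc, "wired", hosts, cold_boot=False)
    return results
```

The second scenario lands in Guest purely because the wired MAC is an unknown endpoint, which is the limitation the ClearPass reply points at; adding it to the static host list flips the outcome in the model.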