Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM + Wired MACAuth Using Specific, Static Password

  • 1.  CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 01, 2013 10:14 AM

    Question in a nutshell: Is it possible to perform MACAuth in CPPM when the password in the auth request != MAC address?

     

    ---


    CPPM 6.2.2.56621

     
    Goal: Once a wired 802.1x user has successfully authenticated, cache their MAC address indefinitely for subsequent MAC auth. 

     

    Why: If a wired 802.1x user puts computer to sleep, port flaps once clearing 802.1x session.  Switch then attempts MAC auth every 30 seconds until computer wakes up.  Thousands of computers * 1 attempt every 30 seconds = (whoa) log filler. :(

     

    Problem:  MAC caching is working as expected (802.1x enforcement profile adds specific tag to endpoint attribute that I use for role matching during MAC auth), but when switch attempts MAC auth, it sends the same/static password for ALL mac addresses.  But because CPPM's MAC AUTH module expects the password = MAC address in the radius request, it fails authentication checks.

     

    MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
    Cannot select appropriate authentication method

     

     

    I'm *so* close if I can just get the MacAuth password issue cleared up.  Other notes...

     

    • I can't configure the switch to send the MAC address as the password. :(
    • Custom auth method & specify a static password for MAC auth?
    • Or, duplicate [EndPoint...] source but modify "SELECT mac_address AS User_Password"...?


  • 2.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 02, 2013 01:15 AM

    Couple of questions:

     

    • What type of switch are you using?
    • Why is the port trying to do MAC Auth if the computer is asleep?
    • Do you need MAC Auth on those ports if they are capable of 802.1X?

     

    It is common for switches (or wireless controllers) to send the MAC as both the username and password; this is not something unique to CPPM.



  • 3.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 02, 2013 02:35 AM

    Thanks for the reply, clembo.  Responses below...


    >What type of switch are you using?
    Mostly Enterasys C3/C5 stack switches

     

    >Why is the port trying to do MAC Auth if the computer is asleep?

    Wake on LAN. When the workstations go to sleep, the integrated NIC renegotiates to a lower speed (usually 100M-FD)  so the system can still do WOL.  The renegotiation causes the port to flap, terminating the 802.1x session.  The system is incapable of doing 802.1x while in sleep, and the switch begins attempting MAC auth generating tons of failed login attempts.

     

    >Do you need MAC Auth on those ports if they are capable of 802.1X?
    I want to avoid only enabling MAC auth on specific ports, so yes.  We're a University, non-802.1x-capable devices move around constantly. 

     

    >It is common for switches (or wireless controllers) to send the MAC as both the username and password; this is not something unique to CPPM.
    Yup, I know.  I'm looking for a workaround in CPPM because it's flexible.

     



  • 4.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 02, 2013 11:12 PM

    OK, I understand now with regards to Enterasys.  I am not sure there is anything that can be done about the "password" for MAC devices on CPPM.   How are you caching the MAC in CPPM?  Just in the Endpoint DB?   If you don't mind, can you share what your Mac Auth Service looks like; service rules, authentication type, authentication source, roles, and enforcement.

     

    Lastly, can you consider increasing the macauthentication portquietperiod to increase the time between failed mac authentications?   If a MAC fails, there is no sense for it to retry every 30 seconds.  May not be ideal, but just a thought.

     

    set macauthentication portquietperiod X ge.x.x

     

     



  • 5.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 08, 2013 10:09 AM

    I adjusted the mac auth quiet period to 90 seconds which is working well to reduce log clutter.  Not sure why I didn't do that sooner... Thanks for the suggestion.

     

    I'm caching the MAC in CPPM's endpoint database using a modified clone of the "Update Endpoint Known" enforcement policy.  I chose the "Sponsor Name" attribute and set it to "802.1x".  Then, in my mac auth service, I'm just checking for that attribute.  It's all beta for now, so things are left simple.

     

    I've attached a pdf that has some more info how I configured things.  I threw it together *very* quickly, so please don't expect much. :)

     

    --

     

    As a workaround for the mac password issue...  Do you think it would work to use the Endpoint Context Servers to inform a script listening on HTTPS of valid MACs?  If so, then the script could create my MAC accounts in a db however my Enterasys switches need them, and I can proxy wired MAC Auth attempts from CPPM to a FreeRadius server pointed at this MAC database. A little more complex, but should work in theory...




  • 6.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 12, 2013 07:55 PM

    Did you ever get the static mac auth password figured out? I don't have Enterasys switches, but I think you might be able to do this with a custom query.

     

    I am working on a similar solution that will allow domain computers to be authenticated via mac-auth if they have been authenticated with 802.1x within a certain time-frame. 



  • 7.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 13, 2013 02:07 PM

    sdr53 - That's what I originally tried (and gave up) to do, but your comment made me realize I was making it waaaaaay more difficult than necessary. Long story short, I was trying to perfectly duplicate the EndPoint DB source but only modify the password. I tried a different way this morning and after a few tweaks, it's working. (!)

     

    Here's a very brief overview of what I did to get it working:

     

    1. Create generic SQL source pointed to tipsdb (Configuration -> Authentication -> Sources)
    2. In attributes tab of new source, add a filter with following:

      Filter name = Authentication

      Filter Query = SELECT 'STATICPW' AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND status = 'Known'

      (change STATICPW to static value you receive from switch)

    3. Back in your service, use PAP as the method, the newly created source as your authentication source, and bam.  You're done.

     

     

    I'm going to play around with this some more and see how far I can take this, but so far so good.  Thanks for the idea!
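The filter query from the steps above, worked through as an added example that is not part of the thread or of ClearPass itself: a constructed SQLite stand-in for the tips_endpoints table, the query with the %{Connection:Client-Mac-Address-NoDelim} substitution done as a bound parameter, and the PAP comparison the service performs. STATICPW, the MAC addresses and the table rows are assumptions for this example.

```python
import hmac
import sqlite3

# Constructed sample of the tips_endpoints table the SQL source queries in tipsdb.
# Column names follow the query in the post; the row contents are made up here.
SAMPLE_ENDPOINTS = [
    ("001122aabbcc", "Known"),    # cached after a successful 802.1X login
    ("001122ddeeff", "Unknown"),  # seen on the network, never authenticated by 802.1X
]

# Static password the switch sends for every MAC auth request (placeholder value;
# the post uses it as a SQL literal, here it is bound as a parameter).
STATIC_PASSWORD = "STATICPW"

# Filter query from the post. CPPM fills in %{Connection:Client-Mac-Address-NoDelim}
# before running it; LOWER() is what makes an upper-case MAC from the switch match.
FILTER_QUERY = (
    "SELECT ? AS User_Password FROM tips_endpoints "
    "WHERE mac_address = LOWER(?) AND status = 'Known'"
)


def build_db():
    """Create an in-memory tips_endpoints table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_endpoints (mac_address TEXT, status TEXT)")
    conn.executemany("INSERT INTO tips_endpoints VALUES (?, ?)", SAMPLE_ENDPOINTS)
    return conn


def lookup_user_password(conn, client_mac_nodelim):
    """Return User_Password for a Known endpoint, or None when the filter matches nothing."""
    row = conn.execute(FILTER_QUERY, (STATIC_PASSWORD, client_mac_nodelim)).fetchone()
    return row[0] if row else None


def pap_mac_auth(conn, client_mac_nodelim, request_password):
    """Mimic the PAP method: the source must return a User_Password and it must match."""
    expected = lookup_user_password(conn, client_mac_nodelim)
    if expected is None:
        return False  # no Known endpoint for this MAC: the source returns no user at all
    return hmac.compare_digest(expected, request_password)


if __name__ == "__main__":
    db = build_db()
    print(pap_mac_auth(db, "001122AABBCC", "STATICPW"))  # cached 802.1X endpoint
    print(pap_mac_auth(db, "001122ddeeff", "STATICPW"))  # status is not Known
```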



  • 8.  RE: CPPM + Wired MACAuth Using Specific, Static Password

    Posted Nov 13, 2013 02:28 PM

    Bingo! Glad I could point you in the correct direction. :-)