ClearPass mac auth over oracle database

  • 1.  ClearPass mac auth over oracle database

    Posted Jul 22, 2015 03:52 AM

    Hello,

    I'm trying to configure ClearPass with mac auth over oracle db.

    ClearPass gets a VLAN from oracleserver and sends it to the switch.

    It works if the MAC address exists in the database (CP says ACCEPTED and the switch gets this VLAN).

    But when the MAC address does not exist, CP says ACCEPTED anyway.

    Does anyone have an idea how to reject unknown MACs?

    Services.png

    Sources.png

    Profiles.png

    Policies.png

    Access_Tracker.png


  • 2.  RE: ClearPass mac auth over oracle database

    EMPLOYEE
    Posted Jul 22, 2015 09:36 AM

    If you have a mac authentication method, you need to make sure "Allow unknown End-Hosts" is unchecked.

     

    mac-auth.JPG



  • 3.  RE: ClearPass mac auth over oracle database

    Posted Jul 23, 2015 02:28 AM

    Thank you for the response, but it did not help.

     

    I use [Allow All MAC AUTH], where "Allow unknown End-Hosts" is enabled by default.

    By using [MAC AUTH] instead, I get an authentication failure (Error Code 216) even from the client whose MAC already exists in the Oracle database:

     

    2015-07-23 06:51:50,613 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 148:98:00085d21e137
    2015-07-23 06:51:50,621 	[RequestHandler-1-0x7fc88c9e4700 r=psauto-1420542151-42596 h=223 r=R00002253-01-55b072e6] INFO Core.ServiceReqHandler - Service classification result = Wired_MAC_Authentication
    2015-07-23 06:51:50,623 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Wired_MAC_Authentication"
    2015-07-23 06:51:50,623 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_sql: searching for user 00085D21E137 in Sql:oracleserver
    2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): Error getting data from database
    2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): SQL query error; rejecting user
    2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_macauth: Rejecting MAC auth request from Unknown/Disabled client
    2015-07-23 06:51:50,637 	[Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.

     

    PS: I forgot to mention that Policy Manager version is 6.3.6
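
Added example, not part of the original posts and not ClearPass code: a short Python triage of the log lines posted above that separates a reject preceded by an `rlm_sql` error from a reject with no lookup error logged. The function name `triage` and the verdict labels are assumptions made for this illustration; the sample lines are copied from the post with whitespace normalized.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (tab after the timestamp replaced by a space).
SAMPLE = """\
2015-07-23 06:51:50,623 [Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_sql: searching for user 00085D21E137 in Sql:oracleserver
2015-07-23 06:51:50,637 [Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): Error getting data from database
2015-07-23 06:51:50,637 [Th 43 Req 10375 SessId R00002253-01-55b072e6] ERROR RadiusServer.Radius - rlm_sql (authsrc_3003): SQL query error; rejecting user
2015-07-23 06:51:50,637 [Th 43 Req 10375 SessId R00002253-01-55b072e6] INFO RadiusServer.Radius - rlm_macauth: Rejecting MAC auth request from Unknown/Disabled client
"""

# Session id, log level, rlm_* module name and message text of one line.
LINE = re.compile(
    r"SessId (?P<sess>[^\]\s]+)\]\s+(?P<level>[A-Z]+)\s+\S+ - "
    r"(?P<module>rlm_\w+)[^:]*: (?P<msg>.*)"
)

def triage(log_text):
    """Map each session id to the MAC looked up and a verdict label (hypothetical labels)."""
    sessions = defaultdict(lambda: {"mac": None, "sql_error": False, "rejected": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a RADIUS module line in the expected shape
        s = sessions[m["sess"]]
        if m["module"] == "rlm_sql":
            user = re.search(r"searching for user (\S+)", m["msg"])
            if user:
                s["mac"] = user.group(1)
            if m["level"] == "ERROR":
                s["sql_error"] = True  # the lookup itself failed
        elif m["module"] == "rlm_macauth" and m["msg"].startswith("Rejecting"):
            s["rejected"] = True
    report = {}
    for sess, s in sessions.items():
        if s["rejected"] and s["sql_error"]:
            verdict = "lookup_error"  # reject follows a failed query, not a clean miss
        elif s["rejected"]:
            verdict = "not_found_or_disabled"
        else:
            verdict = "no_reject"
        report[sess] = {"mac": s["mac"], "verdict": verdict}
    return report

if __name__ == "__main__":
    for sess, info in triage(SAMPLE).items():
        print(sess, info["mac"], info["verdict"])
```
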



  • 4.  RE: ClearPass mac auth over oracle database

    EMPLOYEE
    Posted Jul 23, 2015 11:32 PM

    What format are the MAC addresses stored in your database?



  • 5.  RE: ClearPass mac auth over oracle database

    Posted Jul 24, 2015 12:50 AM

    Hi Tim,

     

    AB CD EF 12 34 56 and in Authentication/Sources/Oracle I use a Filter to convert it to

    AB:CD:EF:12:34:56 that corresponds to Connection:Client-Mac-Address-Colon (shown in Sources.png above)

     

    This works quite well: I get a proper VLAN for the MAC if the MAC address exists in the database, and it will be ACCEPTED.

    The issue is that when the MAC does not exist in the database, I get ACCEPTED anyway (Access_Tracker.png).