Security

Reply
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Clearpass 6.3.1 only receiving the MAC address of a Wired computer

Am I missing some small step as to what transports the Radius credentials over the wire? I have a computer plugged into a 2500 mobility switch, with the port set to tunneled. I then have a AAA profile on the controller that directs toward the clearpass server. 

 

I see in the Access Tracker that a MAC that is my NIC card is being rejected by the Service I have setup to authenticate. This is happening I assume because it is coming through as a MAC and not a radius authentication. 

 

Is there someone that has some example of what the AAA profile should look like? I am assuming that's where it falls short. 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

Do you have an 802.1X profile and server-group specified in your AAA profile? 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

I have the profile set to Default. 

I just tried turning MAC Authentication to N/A and that seems to have stopped it from being rejected by the service I setup. However, it now "accept" it in another service by the MAC. 

 

 

 

 

Attached is a clip of the AAA profile.

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

Did you use the service wizard to create an 802.1X wired service? 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

There is a Wizard? I just went under Configuration > Services > Add

 

I've attached a clip of the Service Created. 

 

I'm really just trying to proof of concept before I start including a lot of rules. 

 

We have 2 Domains that we authenticate to, I don't know if that could add to this issue.

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

Perhaps I don't fully understand the concept. Is it possible to use domain credentials that you log into a machine with and have those passed through to the Radius server?

 

 

I'm thinking about it and I suppose we make users type in their username and password to access our wireless.

 

I started thinking down this path because when I open a browser now I I get a "Web Authentication is disabled." message. 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

So it sounds like your users are getting dumped into a role with a captive portal. 

 

On Windows you need to enabled the Wired 802.1X service. It is disabled by default. Once that is done, on Windows 7 it will automatically try machine auth at the login screen and change to user auth when it reaches the desktop. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

I don't know why I didn't think about needing to enable 802.1x authentication but  that surely hadn't crossed my mind. 

 

Once I enabled 802.1x on my machine, 802.1x authentication began to work. (who would have thought?)

 

 

For anyone else that may also run into this issue. Here is how to enable 802.1x Authentication for Windows.

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

If you are doing this on a large scale, you can enable the service and also configure authentication settings via Group Policy. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

That was my first thought when I saw that it was just a service that needs to be enabled. 

 

Thanks for the help!

Search Airheads
Showing results for 
Search instead for 
Did you mean: