Occasional Contributor I

Clearpass and Intel AMT

Hi All

 

Apologies if this would be better aimed at Cisco, but I'm wondering if anyone has any experience of using CPPM to provide RADIUS authentication for Intel AMT cards via MAB auth.

 

We have a specific scenario where we have devices on our network that present both the normal data NIC and the AMT NIC at the same time. On initial authentication this appears fine and both show Authz Success on our switch; after a period of time the AMT NIC then goes to status Authz Failed.

 

Config from our switch and CPPM is included below. If it's worth noting, we only send one Enforcement Profile back regardless of whether it's the Data NIC or the AMT NIC at the moment, and the Data NIC may be 802.1X or MAB authenticated depending on the build on the device.

 

Switch Port Config

 

!
interface FastEthernet0/12
 description VLAN 2 - Auth High Security Mode
 switchport access vlan 2
 switchport mode access
 ip device tracking maximum 4
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 2
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate server
 authentication timer inactivity 3600
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 30
 dot1x timeout tx-period 5
 spanning-tree portfast
end

 

sh auth sess int fa0/12
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c288
           IP Address:  10.201.181.12
            User-Name:  host/4990POS0002.BC.JSPLC.NET
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         Per-User ACL:  permit ip any any
      Session timeout:  43200s (server), Remaining: 18790s
       Timeout action:  Reauthenticate
         Idle timeout:  3600s (local), Remaining: 761s
    Common Session ID:  0ABDB5060000E2FDAFFFFB26
      Acct Session ID:  0x000104AD
               Handle:  0xF6000464

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

----------------------------------------
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c289
           IP Address:  10.201.181.12
            User-Name:  00232438c289
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
         Idle timeout:  3600s (local), Remaining: 3083s
    Common Session ID:  0ABDB5060000E2FCAFFF8B69
      Acct Session ID:  0x0001046C
               Handle:  0x38000463

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

CPPM Enforcement Profile

 

Enforcement Profiles - PROFILE-WIRED-STORE-SKINNY-POS

Summary
Profile:
Name:			PROFILE-WIRED-STORE-SKINNY-POS
Description:		Skinny Store POS
Type:			RADIUS
Action:			Accept
Device Group List:	-

Attributes:
    #   Type           Name                 Value
    1.  Radius:IETF    Session-Timeout      = 86400
    2.  Radius:IETF    Termination-Action   = RADIUS-Request (1)
    3.  Radius:Cisco   Cisco-AVPair         = ip:inacl#1=permit ip any any

Thanks,

Matt.
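The two session records pasted above can be checked mechanically rather than by eye. The Python script below is an added illustration, not part of the original post or of any Cisco or Aruba tooling: it parses `show authentication sessions interface` output into per-MAC records and flags the conditions visible in this thread, namely a session whose method state is Authc Success while its Status is not Authz Success, a session with no server Session-Timeout recorded, a server Session-Timeout that differs from the value the enforcement profile sends (86400 here), and one IP address reported for more than one MAC on the same port. The sample text is the poster's own switch output embedded as constructed input; the anomaly rules, function names and the `expected_timeout` parameter are this example's own assumptions, and the script reports observations only, it does not diagnose the cause.

```python
"""Parse Cisco IOS 'show authentication sessions interface' output and
flag sessions a NAC operator would want to look at.

Added example, not from the forum post. The anomaly rules below are
assumptions about what is worth flagging, chosen from what the thread
shows; they do not claim to identify the root cause.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the two records the original poster pasted
# (data NIC and Intel AMT NIC on the same FastEthernet0/12 port).
SAMPLE_OUTPUT = """\
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c288
           IP Address:  10.201.181.12
            User-Name:  host/4990POS0002.BC.JSPLC.NET
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         Per-User ACL:  permit ip any any
      Session timeout:  43200s (server), Remaining: 18790s
       Timeout action:  Reauthenticate
         Idle timeout:  3600s (local), Remaining: 761s
    Common Session ID:  0ABDB5060000E2FDAFFFFB26
      Acct Session ID:  0x000104AD
               Handle:  0xF6000464

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

----------------------------------------
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c289
           IP Address:  10.201.181.12
            User-Name:  00232438c289
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
         Idle timeout:  3600s (local), Remaining: 3083s
    Common Session ID:  0ABDB5060000E2FCAFFF8B69
      Acct Session ID:  0x0001046C
               Handle:  0x38000463

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# "Key:  Value" lines (two or more spaces after the colon in IOS output).
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s{2,}(.*?)\s*$")
# Rows of the "Runnable methods list" section.
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")
# "43200s (server)" / "3600s (local)" inside the timeout fields.
TIMEOUT_RE = re.compile(r"(\d+)s \((server|local)\)")


@dataclass
class AuthSession:
    fields: dict = field(default_factory=dict)   # key -> value from the header part
    methods: dict = field(default_factory=dict)  # method -> state

    def get(self, key, default=""):
        return self.fields.get(key, default)

    @property
    def server_timeout(self):
        """Session-Timeout the switch says came from RADIUS, else None."""
        m = TIMEOUT_RE.search(self.get("Session timeout"))
        if m and m.group(2) == "server":
            return int(m.group(1))
        return None


def parse_sessions(text):
    """Split the output on the dashed separator and parse each record."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        if "Interface:" not in chunk:
            continue
        sess = AuthSession()
        in_methods = False
        for line in chunk.splitlines():
            if line.strip().startswith("Runnable methods list"):
                in_methods = True
                continue
            if in_methods:
                m = METHOD_RE.match(line)
                if m:
                    sess.methods[m.group(1)] = m.group(2)
                continue
            m = KV_RE.match(line)
            if m:
                sess.fields[m.group(1)] = m.group(2)
        sessions.append(sess)
    return sessions


def find_anomalies(sessions, expected_timeout=None):
    """Return (subject, reason) findings; subject is a MAC or an IP."""
    findings = []
    by_ip = defaultdict(list)
    for s in sessions:
        mac, status = s.get("MAC Address"), s.get("Status")
        authc_ok = [m for m, st in s.methods.items() if st == "Authc Success"]
        # Authenticated by some method, yet the port did not authorize it.
        if status != "Authz Success" and authc_ok:
            findings.append((mac, f"{'/'.join(authc_ok)} authenticated but status is {status!r}"))
        # No server-supplied Session-Timeout recorded for this session.
        if s.get("Session timeout") == "N/A":
            findings.append((mac, "no server Session-Timeout recorded"))
        # Switch-reported timeout disagrees with what the profile sends.
        got = s.server_timeout
        if expected_timeout is not None and got is not None and got != expected_timeout:
            findings.append((mac, f"switch reports server Session-Timeout {got}s, "
                                  f"enforcement profile sends {expected_timeout}s"))
        by_ip[s.get("IP Address")].append(mac)
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            findings.append((ip, f"IP shared by {len(macs)} MACs on the port: {', '.join(macs)}"))
    return findings


if __name__ == "__main__":
    for subject, reason in find_anomalies(parse_sessions(SAMPLE_OUTPUT), expected_timeout=86400):
        print(f"{subject}: {reason}")
```

Run against the sample, the script lists the AMT MAC as authenticated by MAB but Authz Failed with no server Session-Timeout, the data NIC as reporting 43200s where the profile sends 86400, and 10.201.181.12 as shared by both MACs; all three are facts already visible in the pasted output, collected in one place so they can be compared with what CPPM's Access Tracker shows for the same session.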

Guru Elite

Re: Clearpass and Intel AMT

Please post the failed access tracker request.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Clearpass and Intel AMT

Hi Tim,

 

We don't see any failed auths in CPPM; I've attached the successful entry we see below.

 

Login Status:            ACCEPT
Session Identifier:      R0012f2dd-15-599d7e6a
Date and Time:           Aug 23, 2017 14:08:58 BST
End-Host Identifier:     00-23-24-38-C2-89
Username:                00232438c289
Access Device IP/Port:   10.189.181.6:50012 (JS_JS4990-0G-M-01-C296-1 / Cisco)
System Posture Status:   UNKNOWN (100)

Policies Used -
Service:                 SERVICE-WIRED-MAB-CISCO
Authentication Method:   MAC-AUTH
Authentication Source:   Local:localhost
Authorization Source:    [Endpoints Repository]
Roles:                   ROLE-DEVICE-KNOWN, ROLE-LOCATION-STORE-SKINNY, ROLE-POS-STORELINE, [User Authenticated]
Enforcement Profiles:    PROFILE-WIRED-STORE-SKINNY-POS
Service Monitor Mode:    Disabled
Online Status:           Online