New Contributor

Domain check fails as username sent as mac address

We have configured ClearPass to do both User and Machine Authentication. If the end device is a domain machine and the user is successfully authenticated, then it is given full access. If the end device is not a domain machine, then it is put in a VLAN which will allow it to be joined to the domain.

The problem is that the machine, when connecting to the network, sends both the MAC address and domain\user as the username. The domain check fails when the username is the MAC address, and the machine is put into the domain join VLAN in spite of the machine being in the domain. I get the following alert for these machines.

RADIUSSV_PrimaryDomainController - 172.31.0.25: User not found.
EAP: Client doesn't support configured EAP methods

Since the order in which the username is passed to ClearPass is random, the machines are randomly put into the Domain Join VLAN. All machines send both the MAC address and domain/user as the username, but the order is random.

Is there a way that I can ignore the username being sent as a MAC address and only consider the request where the username is in the format domain/username?

There are non-dot1x devices like printers in the network which are allowed access to the network without the domain check.

Aruba Employee

Re: Domain check fails as username sent as mac address

You will see the MAC address as the username only with MAC authentication.

Can you please explain more about your setup?


Thank you,
Saravanan Rajagopal

New Contributor

Re: Domain check fails as username sent as mac address

Hi,

We have Cisco SG300 switches as access switches. The Cisco SG300 switches are configured for both 802.1X and MAC authentication, as there is non-dot1x equipment like printers and access points connected to the same switches, and we want to use MAC Authentication Bypass for these devices.

Since the switch sends the required authentication details for 802.1X-enabled devices through 802.1X, I want to ignore the MAC address being sent as the username for these devices. Since the ClearPass service sees these MAC addresses being sent as the username subsequent to the username being sent as domain/user, it causes the end device to be moved to the Domain Join VLAN even though the end device is already in the domain. Also, sometimes the MAC address as username arrives prior to the username as domain/user.
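An added illustration (not from the thread and not ClearPass configuration): a small Python triage over exported request attributes that separates MAC authentication requests from 802.1X requests by the shape of User-Name and shows which endpoints emit both. The Calling-Station-Id comparison, the function names and the sample records are assumptions constructed for this example.

```python
import re

# Constructed sample requests (not from the thread). Attribute names follow
# RADIUS (User-Name, Calling-Station-Id); all values are made up.
SAMPLE_REQUESTS = [
    {"User-Name": "001122aabbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    {"User-Name": "CORP\\alice", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    {"User-Name": "00:1b:2c:3d:4e:5f", "Calling-Station-Id": "001b.2c3d.4e5f"},
    {"User-Name": "host/pc42.corp.example", "Calling-Station-Id": "00-11-22-AA-BB-DD"},
]

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not MAC-shaped."""
    stripped = re.sub(r"[-:.]", "", value or "")
    return stripped.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", stripped) else None

def classify(request):
    """Label one request 'mab', 'dot1x' or 'unknown' from its User-Name."""
    user = request.get("User-Name", "")
    user_mac = normalize_mac(user)
    station = normalize_mac(request.get("Calling-Station-Id", ""))
    if user_mac is not None:
        # Assumption: a MAC-shaped name is MAB only if it is the port's own MAC.
        return "mab" if user_mac == station else "unknown"
    if "\\" in user or "/" in user:
        return "dot1x"  # domain\user or domain/user (also host/machine)
    return "unknown"

def effective_requests(requests):
    """Per endpoint MAC, drop 'mab' entries when a 'dot1x' entry also exists."""
    kinds = {}
    for req in requests:
        mac = normalize_mac(req.get("Calling-Station-Id", ""))
        kinds.setdefault(mac, set()).add(classify(req))
    kept = []
    for req in requests:
        mac = normalize_mac(req.get("Calling-Station-Id", ""))
        kind = classify(req)
        if kind == "mab" and "dot1x" in kinds[mac]:
            continue  # 802.1X-capable endpoint: its MAC-auth request is ignored
        kept.append((mac, kind))
    return kept

if __name__ == "__main__":
    for mac, kind in effective_requests(SAMPLE_REQUESTS):
        print(mac, kind)
```

The result is independent of arrival order, so an endpoint that sent its MAC address first is treated the same as one that sent domain\user first, while MAC-only devices such as printers keep their `mab` entry.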

 

 
