Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Error Code 209; No password in request; MAC authentication

  • 1.  Error Code 209; No password in request; MAC authentication

    Posted Apr 02, 2014 12:36 AM

    Hi,

     

    I am trying to configure MAC authentication with a Juniper EX switch. But I keep getting a "No password in request" message in ClearPass. The configuration on the switch is enabled for MAC RADIUS authentication.

     

    Thanks.

    Suresh



  • 2.  RE: Error Code 209; No password in request; MAC authentication

    Posted Apr 02, 2014 02:38 AM

    For MAC auth, ClearPass normally expects the username to be in the request in the password field also.

     

    If the Juniper switch isn't doing that, and you can't make it do it, you'll probably have to adjust your mac-auth policy or create another that doesn't look at the password field.

     



  • 3.  RE: Error Code 209; No password in request; MAC authentication

    Posted Apr 30, 2014 01:27 AM

    Do I need to adjust the clearpass profile?
    If you need to adjust if ClearPass, ClearPass should I support in any way ..?



  • 4.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 06, 2014 07:42 AM

    For Juniper I needed to add the MD5 authentication method instead of MAC auth (even with MAC auth configured on the Juniper).



  • 5.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 18, 2015 02:25 AM

    Sorry to dig up an old thread everyone, but I'm also experiencing this issue exactly as described.

     

    Other than enabling MD5 as an authentication method, how can you configure ClearPass to not look at the password field? I've tried multiple combinations found on these forums but cannot seem to get this to work!

     

    Thanks in advance!



  • 6.  RE: Error Code 209; No password in request; MAC authentication

    EMPLOYEE
    Posted Feb 18, 2015 02:38 AM

    If it's Juniper then I believe it is your only option. I did get this a while back but never had a chance to test.

     

    "I ran into this with Juniper a year ago. Working with tech, came up with the attached Auth source (rename to XML file).

     

    Don’t know what the “appuser” password is for connecting to SQL so you may have to change it."

     

    See attached or create a file named: Juniper_MAC_AuthSource.xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Wed Aug 15 15:22:55 CDT 2012" version="5.1"/>
      <AuthSources>
        <AuthSource description="Authenticate MAC addresses against local db" name="Juniper MAC Auth" isAuthorizationSource="true" type="Sql">
          <NVPair value="36000" name="cache_timeout"/>
          <NVPair value="tipsdb" name="db_name"/>
          <NVPair value="localhost" name="server"/>
          <NVPair value="appuser" name="login"/>
          <NVPair value="PostgreSQL" name="sql_driver"/>
          <NVPair value="" name="password"/>
          <NVPair value="10" name="timeout"/>
          <Filters>
            <Filter paramValues="" filterQuery="SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Authentication"/>
            <Filter paramValues="" filterQuery="SELECT t1.status, (case when t2.device_family is NULL then False else True end) as is_profiled  FROM tips_endpoints t1 LEFT OUTER JOIN tips_endpoint_profiles t2 ON (t1.mac_address = t2.mac) WHERE t1.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Status">
              <Attributes>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Status" attrName="status"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="IsProfiled" attrName="is_profiled"/>
              </Attributes>
            </Filter>
            <Filter paramValues="" filterQuery="SELECT t1.status, (case when t2.device_family is NULL then False else True end) as is_profiled  FROM tips_endpoints t1 LEFT OUTER JOIN tips_endpoint_profiles t2 ON (t1.mac_address = t2.mac) WHERE t1.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Profile">
              <Attributes>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="MAC Vendor" attrName="mac_vendor"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Category" attrName="device_category"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="OS Family" attrName="device_family"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Device Name" attrName="device_name"/>
              </Attributes>
            </Filter>
          </Filters>
        </AuthSource>
      </AuthSources>
    </TipsContents>

     




  • 7.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 18, 2015 03:54 AM

    Thanks Troy, I'll give it a shot and let you know how it goes.



  • 8.  RE: Error Code 209; No password in request; MAC authentication

    Posted Nov 07, 2016 09:12 AM

    Hi!

     

    Did the above solve your issue? I'm having the exact same thing.

     

    Cheers,



  • 9.  RE: Error Code 209; No password in request; MAC authentication

    Posted Aug 15, 2018 02:17 PM

    We are seeing this same error years later, was a resolution ever found?



  • 10.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 06:18 PM

    Was anyone able to get the above solution to work? I'm also seeing issues with MAC address authentication working on Juniper switches if (and only IF) the devices are listed in the Guest Device repository.

     

    I imported the XML config listed above for the auth source and used appexternal account to read the tipsdb but still wasn't able to get this working.



  • 11.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 06:28 PM

    I was actually able to get this working w/ TAC's help. The solution was to change the Authentication filter on the [Guest Device Repository] source to use the following query:

     

    I think this is a slightly different issue from what was described in the original thread post but I wanted to post here to document the solution.

     

    SELECT lower(regexp_replace(user_credential(password), '-', '', 'g')) AS User_Password,
           CASE WHEN enabled = FALSE THEN 225
                WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
                ELSE 0
           END AS Account_Status, sponsor_name,
           CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER)
                ELSE 0
           END AS remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'DEVICE') AND (user_id = '%{Connection:Client-Mac-Address-Hyphen}'))


  • 12.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 08:11 PM

    Glad you got it working. I've run into a similar situation using Meru/FortiWifi. The controller, by default, sends the shared secret (WTH?) instead of the MAC address as the password. I beat my head against the wall for a while before I started a Wireshark capture and decrypted the packets.

     

    Found that there is indeed a setting to change the password to the MAC address.

     



  • 13.  RE: Error Code 209; No password in request; MAC authentication

    Posted Oct 24, 2019 02:41 AM

    I have met with the same problem at Juniper switches ex2200-48p-4g. I got this error 209 with set 802.1x MAC address bypass. I experimentally found that it works if PAP protocol is set at Juniper switch.

     

    Working Juniper switch config for 802.1x MAC address bypass:

        set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius restrict
        set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius authentication-protocol pap

     

    It depends on the SW version of the switch, as some older versions do not support the PAP protocol.

    It is not possible to set PAP protocol:

       Model: ex2200-48p-4g
       JUNOS Base OS Software Suite [12.3R9.4]

    It is possible to set PAP protocol:

       Model: ex2200-48p-4g
       Junos: 15.1R6.7

     

    Description of this Juniper command: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/authentication-protocol-edit-mac-radius.html



  • 14.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 25, 2020 01:30 PM

    Hi

     

    I had the same error with MAC Authentication on Juniper EX3400 switches. I had to enable "Mac Radius Authentication Protocol: EAP-MD5" on the interfaces. (It was not enabled by default.)

    I had to add EAP-MD5 and remove MAC Auth in the ClearPass service under Authentication Methods.



  • 15.  RE: Error Code 209; No password in request; MAC authentication

    Posted Sep 21, 2022 01:51 AM
    Hi,

    Does adding PAP to the mix pose a security risk? I'm using EAP-MD5 and I get timeouts, only very occasionally, that show the mac radius restrict says there's no password, so it needs to do an EAP-MD5 challenge. This (again occasionally) times out after about 40 seconds.

    If I only change the mac auth authentication to be PAP on the switch, I bypass the EAP challenge issue. I will get a trace from ClearPass to see what actual packets are being exchanged. But what do you think?

    My boss worries about security. The other question is can I set a switch-wide mac auth password? It seems like the "no password" thing is actually a no password thing.

    Tnx,
    Ambi

    ------------------------------
    Ambidexter
    ------------------------------



  • 16.  RE: Error Code 209; No password in request; MAC authentication

    EMPLOYEE
    Posted Sep 21, 2022 09:46 AM
    MAC addresses are easily spoofable anyway, and because there is nothing more than the MAC address, it does not even make sense to send a password (which EX apparently does by default). Most other switches send out an authentication (PAP or CHAP I believe) with both username and password set to the client's mac address.

    Your RADIUS traffic should go over a more or less secured or trusted network anyway as there is no / weak encryption in the RADIUS protocol that is from the previous century, and has that time's security. You may consider RadSec to encrypt all your RADIUS traffic, but for MAC authentication I would rate that overkill in most cases.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
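As an added illustration (not code from this thread, ClearPass or any vendor), the Python below does what the Meru reply above describes doing with a Wireshark capture, and it shows the "weak encryption" the last reply refers to: it parses a RADIUS Access-Request, undoes the RFC 2865 User-Password hiding (an MD5 keystream keyed by the shared secret and the Request Authenticator), and reports whether the NAS sent no password at all (the error 209 situation), an EAP exchange, the client MAC as the PAP password, or the shared secret itself. The packets, shared secret and authenticator are constructed for the example; the MAC normalisation mirrors the LOWER/regexp_replace in the query posted earlier.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, CALLING_STATION_ID, EAP_MESSAGE = 1, 2, 31, 79  # RFC 2865 / RFC 3579 types

def normalize_mac(mac: str) -> str:
    """Lower-case, delimiter-free, like ClearPass' Client-Mac-Address-NoDelim."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block chains on the Request Authenticator."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if decrypt else xored  # always the ciphertext block
    return bytes(out)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")  # NAS side: NUL-pad
    return _pap_xor(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")  # server side

def build_access_request(attrs, authenticator: bytes, ident: int = 7) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)  # TLV attributes
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body  # code 1 = Access-Request

def parse_access_request(packet: bytes):
    """Return (Request Authenticator, {attr_type: [values]})."""
    length, attrs, pos = struct.unpack("!H", packet[2:4])[0], {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return packet[4:20], attrs

def classify_mac_auth(packet: bytes, secret: bytes) -> str:
    """'no_password' is the situation ClearPass reports as error 209."""
    authenticator, attrs = parse_access_request(packet)
    if EAP_MESSAGE in attrs:
        return "eap"  # EAP-MD5 MAC-RADIUS: no User-Password, a challenge round trip follows
    if USER_PASSWORD not in attrs:
        return "no_password"
    pw = reveal_password(attrs[USER_PASSWORD][0], secret, authenticator)
    station = attrs.get(CALLING_STATION_ID, attrs[USER_NAME])[0].decode()
    if normalize_mac(pw.decode(errors="replace")) == normalize_mac(station):
        return "pap_password_is_mac"
    return "pap_password_is_shared_secret" if pw == secret else "pap_password_other"
```

Feed it the bytes of a captured Access-Request together with the NAS's shared secret to see exactly which of the cases in this thread a given switch produces.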