How do I do Mac authentication with ClearPass?

  • 1.  How do I do Mac authentication with ClearPass?

    Posted Mar 16, 2013 02:08 AM

    Hello, I am working on this solution now, but I have a problem with ClearPass Guest.

    I am using Mikrotik RouterOS as a DHCP server with the RADIUS option enabled. Clients get an IP address from the DHCP server when using FreeRADIUS with the MAC address as username and without a password.

     

    When I use ClearPass as the RADIUS server and create a MAC address as username, it must include a "password" following the MAC address.

     

    And I tried to create a device account on ClearPass Guest with only the MAC address as username, without a password. Any idea for this?



  • 2.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Mar 16, 2013 08:31 AM

    @ansonhsu wrote:

    Hello, I am working on this solution now, but I have a problem with ClearPass Guest.

    I am using Mikrotik RouterOS as a DHCP server with the RADIUS option enabled. Clients get an IP address from the DHCP server when using FreeRADIUS with the MAC address as username and without a password.

     

    When I use ClearPass as the RADIUS server and create a MAC address as username, it must include a "password" following the MAC address.

     

    And I tried to create a device account on ClearPass Guest with only the MAC address as username, without a password. Any idea for this?


    You add the mac address to the endpoints repository:

     

    endpoints.PNG

     

    After that, you can save a copy of the Guest MAC authentication service to MAC authenticate users (make sure you replace Guest SSID Name with the name of your SSID):

    macauth.PNG



  • 3.  RE: How do I do Mac authentication with ClearPass?

    Posted Mar 16, 2013 10:49 AM

    Hi cjoseph,

     

    Thanks for your reply.

     

    The Guest MAC Authentication must have "mac address as username" and "mac address as password" for authentication to succeed.

    My problem is: how can authentication succeed with only "mac address as username", without a password?



  • 4.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Mar 16, 2013 11:48 AM

    @ansonhsu wrote:

    Hi cjoseph,

     

    Thanks for your reply.

     

    The Guest MAC Authentication must have "mac address as username" and "mac address as password" for authentication to succeed.

    My problem is: how can authentication succeed with only "mac address as username", without a password?


    ansonhsu,

     

    If you want to have a list that only has MAC addresses, you would create a static host list:

     

    statichostlist.PNG

     

    To check to see if an incoming device is a member of this list:

    roles.PNG

     

    Let me know if that will work...



  • 5.  RE: How do I do Mac authentication with ClearPass?

    Posted Mar 17, 2013 10:51 AM
    Hi cjoseph,

    Thanks for your support.

    It works.
    But how could I add some RADIUS attributes like "Framed-IP-Address" and "Framed-Netmask" to the Static Host Lists "Mac Address" account?


  • 6.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Mar 17, 2013 11:24 AM
    Framed IP address is an IP address, not a MAC address, so you would have to have a list of IP addresses in your list. You probably also would need to have RADIUS accounting enabled to get the IETF:framed IP address parameter to show up. What are you trying to do?


  • 7.  RE: How do I do Mac authentication with ClearPass?

    Posted Mar 18, 2013 12:36 AM

    Hi cjoseph,

     

    Let me explain my case.

     

    I have a CPPM self-register portal, and clients can register their device's MAC address and IP address in the registration form. See below:

    Self-Register.JPG 

     

    Before a client gets an IP address from the DHCP server, my DHCP server will do "Mac_Auth" with my CPPM.

    After authentication succeeds, CPPM returns a RADIUS "Access-Accept" packet including the "Framed-IP-Address" attribute to my DHCP server.

    And then my DHCP server will deliver the "Static IP Address" registered by the client to their device.

     

    That's what I am trying to do.

     

    But I have a problem with the Mac_Auth environment now.

     

    My DHCP server does Mac_Auth to the RADIUS server with an "Access-Request" packet in the format below:

    dhcp_access-request.JPG

     

    The username is the "Mac Address" but the password is "" (blank or empty).

    So I always get authentication failed (Access-Reject) from CPPM's Mac_Auth.

     

     

    Any idea for this case?

     

    Thanks for your reply again.
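
Added example, not part of the thread or of any poster's reply: the RADIUS exchange described in post 7, built by hand per RFC 2865 to show a MAC-auth Access-Request with a blank password versus the MAC as password, and how the Access-Accept carrying Framed-IP-Address and Framed-Netmask is authenticated. PAP (User-Password) is assumed; the shared secret, MAC, request authenticator and all function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct
USER_NAME, USER_PASSWORD, FRAMED_IP, FRAMED_MASK = 1, 2, 8, 9  # RFC 2865 types
SECRET, MAC, REQ_AUTH = b"example-secret", b"001122aabbcc", bytes(range(16))  # constructed

def _chain(data, secret, auth, hiding):
    # RFC 2865 5.2: key for each 16-byte block is MD5(secret + previous ciphertext)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, auth):  # NUL-pad; empty still fills one block
    size = max(16, -(-len(password) // 16) * 16)
    return _chain(password.ljust(size, b"\x00"), secret, auth, True)

def reveal_password(hidden, secret, auth):
    return _chain(hidden, secret, auth, False).rstrip(b"\x00")

def build(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, n = packet[pos], packet[pos + 1]
        if n < 2 or pos + n > length:
            raise ValueError("malformed attribute")
        attrs[t], pos = packet[pos + 2:pos + n], pos + n
    return code, attrs

def mac_auth_request(mac, password, secret, ident, auth):  # code 1 = Access-Request
    hidden = hide_password(password, secret, auth)
    return build(1, ident, auth, [(USER_NAME, mac), (USER_PASSWORD, hidden)])

def access_accept(ident, req_auth, secret, ip, mask):  # code 2 = Access-Accept
    attrs = [(FRAMED_IP, ipaddress.IPv4Address(ip).packed),
             (FRAMED_MASK, ipaddress.IPv4Address(mask).packed)]
    draft = build(2, ident, req_auth, attrs)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return draft[:4] + hashlib.md5(draft + secret).digest() + draft[20:]

def accept_is_authentic(packet, req_auth, secret):
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Both request variants are the same length on the wire, so only a party holding the shared secret can tell a blank password from MAC-as-password.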

     



  • 8.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 02:42 PM

    Is there a solution or a how-to? Allow MAC authentication based only on the device MAC address?



  • 9.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 02:48 PM
    The guest device repository can be used for this. Add your devices under Create Device on the guest side.

    In your MAC authentication service, use [Guest Device Repository] as the authentication source.


  • 10.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 03:01 PM

    Is it possible to use only a Static Host List? I created one white list, but it is not letting me add a MAC address without colons or dots. I made it work like this; let me know your comments (if there is a different way). The image is the summary of the service:

    Service.JPG

     



  • 11.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 03:03 PM
    You can, but it's not recommended as it does not scale and provides no context.

    If you do choose to use them, remove that from the service rules and use the DHL as an authentication source.


  • 12.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 03:10 PM

    What will the service look like? I don't know what a DHL authentication source is; can you advise me?

     

    P.S: I created a new authentication source named MAC Database to use the Static Host List "MAC-White-List".



  • 13.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 03:13 PM
    Create a new SHL authentication source and then add it as the authentication source for your service.


  • 14.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 03:21 PM
    Use the MAC Authentication service template and use your custom SHL authentication source.


  • 15.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 03:27 PM

    When I used the MAC AUTH template I get this error:

    error.JPG

    In the Authentication methods I already used Allow All MAC Auth or MAC AUTH and get the same error message.

    Capture.JPG



  • 16.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 03:30 PM
    What NAD are you using?


  • 17.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 03:47 PM

    Dell Switch N2048p



  • 18.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Jan 23, 2017 04:01 PM
    Try using EAP-MD5 as the authentication method.


  • 19.  RE: How do I do Mac authentication with ClearPass?

    Posted Jan 23, 2017 04:25 PM

    If I use EAP-MD5 it works fine :). Any other recommendations for security purposes?



  • 20.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 05, 2017 10:45 AM

    Hi Cappalli, 

     

    When you use the Guest device repository for MAC authentication, will the Authentication Method be [EAP-MD5] and the Authentication Source the [Guest Device Repository]?



  • 21.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Apr 05, 2017 11:17 AM
    Depending on the NAD, it will be Allow All MAC-Auth or EAP-MD5 for the method.


  • 22.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 05, 2017 11:29 AM

    Perfect thanks, will test it right away. 



  • 23.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 05, 2017 11:41 AM

    ClearPass is rejecting the device login even though the device was created and the status is enabled in the Guest device repository. The service pulls the authorization info and assigns the corresponding role, but I'm getting this error



  • 24.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Apr 05, 2017 11:57 AM

    What is the authenticator/network device?



  • 25.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 05, 2017 12:34 PM

    It is a Dell N2048P



  • 26.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 06, 2017 09:20 AM

    Heads up,

     

    I used the Guest device repository as an Authorization Source and it started working. In the enforcement profile we compare the account_Status and Remaining_Expiration time to allow access to the network if the account is still valid. Is it possible to fetch more attributes from the tipsdb? By default we only get three attributes. Like getting the MAC address, device name, etc.?



  • 27.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Apr 06, 2017 09:29 AM

    MAC address is available as a computed attribute. Are you looking to use device name in policy or just to see it? You want to avoid pulling data that is not being used in policy for performance reasons.



  • 28.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 06, 2017 09:31 AM

    We would only like to see it, but if it impacts performance it can stay the way it is right now.



  • 29.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Apr 06, 2017 09:46 AM

    You'll see it either way under the GuestUser context within an access tracker request under Computed Attributes. Device Name is the visitor_name attribute.



  • 30.  RE: How do I do Mac authentication with ClearPass?

    Posted Apr 06, 2017 10:00 AM

    Perfect, will use that one. Thanks again for all your help with my question.



  • 31.  RE: How do I do Mac authentication with ClearPass?

    Posted Aug 03, 2018 12:26 PM


  • 32.  RE: How do I do Mac authentication with ClearPass?

    Posted Sep 17, 2018 07:40 PM

    Hi,

     

    We have a similar setup for MAC authentication; we use SHL. We use them for IoT devices.

    How can we automate this process, by allowing users to enter the MAC address via a portal so that the SHL gets updated?

    Also, does AAA override work with MAC auth? We want to place the devices into different networks based on the device type.

     

    Thanks

    rp 



  • 33.  RE: How do I do Mac authentication with ClearPass?

    EMPLOYEE
    Posted Sep 17, 2018 07:43 PM
    Static Host Lists should not be used. Use Device Registration.


  • 34.  RE: How do I do Mac authentication with ClearPass?

    Posted Sep 17, 2018 08:33 PM

    Thanks Tim. Is there any whitepaper or any existing implementation that I can refer to?

     

    Best Regards

    RP