Security

Reply
Occasional Contributor II

How do I do Mac authentication with ClearPass?

Hello, I am working this solution now. But I have some problem with Clearpass Guest.

I am using the Mikrotik RouterOS as a DHCP Server with Radius option enable. Client get IP Address from DHCP Server when using FreeRadius with Mac Address as username and without password.

 

When I use Clearpass as radius and create a Mac Address as username, it must be include a "password" following Mac Address.

 

And I try to create a device account on Clearpass Guest only Mac Address as username without password. Any idea fot this?

Guru Elite

Re: How do I do Mac authentication with ClearPass?


ansonhsu wrote:

Hello, I am working this solution now. But I have some problem with Clearpass Guest.

I am using the Mikrotik RouterOS as a DHCP Server with Radius option enable. Client get IP Address from DHCP Server when using FreeRadius with Mac Address as username and without password.

 

When I use Clearpass as radius and create a Mac Address as username, it must be include a "password" following Mac Address.

 

And I try to create a device account on Clearpass Guest only Mac Address as username without password. Any idea fot this?


You add the mac address to the endpoints repository:

 

endpoints.PNG

 

After that, you can save a copy of of the Guest MAC authentication service to Mac authenticate users (make sure you replace Guest SSID Name with the name of your SSID):macauth.PNG



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

 

Thanks for your reply.

 

The Guest Mac Authentication must have "mac address as username" and "mac address as password" for authentication success.

My problem is how authentication success only via "mac address as username" without password?

Guru Elite

Re: How do I do Mac authentication with ClearPass?


ansonhsu wrote:

Hi cjoseph,

 

Thanks for your reply.

 

The Guest Mac Authentication must have "mac address as username" and "mac address as password" for authentication success.

My problem is how authentication success only via "mac address as username" without password?


ansonhsu,

 

If you want have a list that only has mac addresses, you would create a static host list:

 

statichostlist.PNG

 

To check to see if an incoming device is a member of this list:

roles.PNG

 

Let me know if that will work...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

Thanks for your support.

It's work.
But how could I add some radius attribute like "Framed-IP-Address" and "Framed-Netmask" into Static Host Lists "Mac Address" account?
Guru Elite

Re: How do I do Mac authentication with ClearPass?

Framed IP address is an IP address, not a Mac address, so you would have to have a list of IP addresses in your list. You probably also would need to have radius accounting enabled to get the IETF:framed IP address parameter to show up.. What are you trying to do?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

 

Let me explain my case.

 

I have a CPPM self-register portal and Clients can regist their device's MAC Address and IP Address in the register form.See Blow,

Self-Register.JPG 

 

Before client get IP Address from DHCP Server, my DHCP server will do "Mac_Auth" with my CPPM.

after authentication successed, CPPM return Radius "Access-Accept" packet include "Framed-IP-Address" attribute to my DHCP Server.

And then my DHCP Server will deliver a "Static IP Address" register from client  to their device.

 

That's what I are trying to do.

 

But I have a problem with Mac_Auth environment now.

 

Because my DHCP server do Mac_Auth to Radius server with "Access-Request" packet format is below,

dhcp_access-request.JPG

 

The Username is "Mac Address" but the Password is ""(blank or empty).

So I always got authentication failed(Access-Reject) from CPPM's Mac_Auth.

 

 

Any idea for this case?

 

Thanks your reply again.:smileyhappy: 

 

Frequent Contributor I

Re: How do I do Mac authentication with ClearPass?

Is there a solution or a How to? Allow MAC authentication base only in the device MAC Address ?

Guru Elite

Re: How do I do Mac authentication with ClearPass?

The guest device repository can be used for this. Add your devices under Create Device on the guest side.

In your MAC authentication service, use [Guest Device Repository] as the authentication source.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: How do I do Mac authentication with ClearPass?

It is possible only to use Static Host List? I created one white list but is not letting me add mac-address without colon or Dot. I make it worked like this let me know your comments(if there is a different way). The image is the summary of the Service Service.JPG

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: