Frequent Contributor I
Posts: 99
Registered: ‎08-05-2013

MAC Auth Issues

Using a Cisco 3750x and a test laptop with 802.1x authentication off.  Trying to get ClearPass to allow access via MAC Authentication.  Created a Service with the following parameters:


Service Tab

Type = Connection, Name = Client-MAC-Address-NoDelim, Operator = EQUALS, Value = %{RADIUS:IETF:User-Name}

Type = Radius:IETF, Name = NAS-Port-Type, Operator = EQUALS, Value = Ethernet (15)

Type = Radius:IETF, Name = Service-Type, Operator = EQUALS, Value = Call-Check (10)


Authentication Tab

Authentication Method = [Allow All MAC AUTH]

Authentication Sources = [Endpoints Repository][Local SQL B]


Authorization Tab

Additional authorization.... = [Endpoints Repository][Local SQL DB]


Roles Tab

-NONE-  We are not using roles.  Just a basic allow/deny.  The VLAN configured on the switchport will be used for VLAN assignment.  


Enforcement Tab

Default Profile = [Deny Access Profile]

Rules Evaluation Algorithm = first-applicable

Conditions = Authorization:[Endpoints Repository]:Category EQUALS Computer AND
             Authorization:[Endpoints Repository]:Status EQUALS Known

Enforcement Profiles = [Allow Access Profile]


Profiler Tab

Endpoint Classification = Any Category/OS Family/Name

RADIUS CoA Action = [Cisco - Terminate Session]


Here is how the Cisco switch port is configured:

interface GigabitEthernet1/0/1
switchport access vlan 29
switchport mode access
switchport voice vlan 129
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 10
spanning-tree portfast
end


With all of that configured, the laptop does not get on the network.  Access tracker shows the following: 

Access Tracker.JPG 


This makes sense because the Service is set to look for the Category of "Computer" and a Status of "Known" in the Endpoints DB.  However, ClearPass will not fully profile the device so that it can be classified as a Computer.  The Profiled status is 'no'.


endpoints.JPG


What am I missing here?  Why won't ClearPass profile this device? Once profiled it should get on with no problems, but getting to this point has been quite challenging.  What is the flow of a MAC Auth?  Does the device need to be allowed on with DHCP only in order to be fingerprinted, THEN have the Service applied?  Confused as to the flow. 


Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: MAC Auth Issues

Yes, the device will need to be let on in a limited role to allow it to be profiled, then you can send a CoA or bounce the port to have them re-authenticate after the profile.

You can do this by enabling the profile option in the service, select computer and use the Cisco Terminate Session option.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 99
Registered: ‎08-05-2013

Re: MAC Auth Issues

Thanks for the quick reply, Tim.  Unfortunately it's still not working.  I've been using what you had suggested all along, with the exception of the Endpoint Classification being set as the catch-all "Any Category/OS Family/Name".  Changing that to "Computer" had no effect. 


Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: MAC Auth Issues

Do you have DHCP helper addresses on your wired network pointing to ClearPass?


Thanks,
Tim

Frequent Contributor I
Posts: 99
Registered: ‎08-05-2013

Re: MAC Auth Issues

Yup.  First thing I did before getting going with the service configuration.

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: MAC Auth Issues

What does the output tab show on your access tracker? I see the CoA tab there, so either it is working or you did a manual CoA.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 99
Registered: ‎08-05-2013

Re: MAC Auth Issues

Here's what I get...


output.JPG

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: MAC Auth Issues

If you plug a client in to a port with authentication disabled, and it successfully gets a network address, does it show up in ClearPass as profiled?


Thanks,
Tim

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: MAC Auth Issues

You need to change the default role from deny access to a VLAN that only allows DNS and DHCP. That way the device will get profiled and then a CoA is issued, just like Tim suggested earlier.
Thank You,
Troy

Frequent Contributor I
Posts: 99
Registered: ‎08-05-2013

Re: MAC Auth Issues

Yes Tim, when I plug the laptop into a non-dot1x/MAB port it gets profiled perfectly fine.  What could be in the dot1x/MAB switchport config that could be the hangup?
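The flow the replies describe, as an added toy model that is not part of the thread or of ClearPass itself: a first-applicable enforcement policy with the single Category/Status rule from the original post, evaluated once at MAB time and again after the profiler's CoA. The Endpoint class, the MAC address and the function names are constructed assumptions; the point it shows is that a Deny default never lets DHCP reach the profiler, so the device can never satisfy the rule.

```python
from dataclasses import dataclass

# Enforcement profile names modelled on the thread's [Deny Access Profile] /
# [Allow Access Profile]; LIMITED stands in for the DHCP/DNS-only VLAN Troy suggests.
DENY, ALLOW, LIMITED = "Deny Access", "Allow Access", "Limited VLAN (DHCP/DNS only)"


@dataclass
class Endpoint:
    mac: str                 # constructed sample value, not a real device
    status: str = "Unknown"  # Endpoints Repository Status: Known / Unknown
    category: str = ""       # set by the profiler, e.g. "Computer"
    profiled: bool = False   # the "Profiled" column from the endpoints view


def enforce(ep: Endpoint, default_profile: str) -> str:
    """first-applicable: the thread's one rule, then the default profile."""
    if ep.category == "Computer" and ep.status == "Known":
        return ALLOW
    return default_profile


def mac_auth_flow(ep: Endpoint, default_profile: str) -> list:
    """Simulate one device connecting: initial MAB, profiling, CoA, re-auth."""
    events = [("mab", enforce(ep, default_profile))]
    if events[-1][1] == DENY:
        # No address, so no DHCP relayed to ClearPass: profiling never happens.
        return events
    # Device got a limited address; the ip-helper relays its DHCP fingerprint
    # and the profiler fills in the category (assumption: it classifies a Computer).
    ep.profiled, ep.category = True, "Computer"
    events.append(("profiled", ep.category))
    # Profiler tab action [Cisco - Terminate Session]: the switch re-runs MAB.
    events.append(("coa", "Terminate Session"))
    events.append(("reauth", enforce(ep, default_profile)))
    return events


if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:55", status="Known")   # constructed MAC
    print(mac_auth_flow(laptop, DENY))     # stalls at ("mab", "Deny Access")
    laptop = Endpoint("00:11:22:33:44:55", status="Known")
    print(mac_auth_flow(laptop, LIMITED))  # ends with ("reauth", "Allow Access")
```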

