Regular Contributor I

MAC auth Avaya switches - modify password

So here's the scenario... Avaya/Nortel switches send the MACAUTH (what they call Non-EAP or NEAP) in the format .macaddr. (note the leading and trailing "."). So for example, the username is sent as "0002a5e90028" and the password as ".0002a5e90028.". This obviously creates issues when trying to auth clients via ClearPass.

If you manually create a local user in the repository OR guest device repository with the correct "period" format password, the user can auth. 

My question is this - is it possible in a mac_create form to capture the mac address and then manipulate it for the field password (this would be hidden to the user) so that it contains the periods?

Regards,

Josh
___________
ACMP, ACCP
Contributor II

Re: MAC auth Avaya switches - modify password

The following command is used to define what the MAC user's password string will consist of:

• 5530g(config)#eapol multihost non-eap-pwd-fmt followed by one or more of: ip-addr, mac-addr, port-number

The non-EAPOL password attribute on the RADIUS server can be a combination of the MAC address, Switch IP, Unit and Port number. You can select one of the single items shown above or a combination. For example, if you wish to configure non-EAP authentication with MAC address and unit/port-number, enter the following command:

• 5530g(config)#eapol multihost non-eap-pwd-fmt mac-addr port-number

The default setting for the non-EAP password string is IpAddr.MACAddr.PortNumber. If you do not wish to use this format, remove the default setting using the command 'no eapol multihost non-eap-pwd-fmt'. Thereafter, enter the non-EAP password format of your liking.

Regular Contributor I

Re: MAC auth Avaya switches - modify password

This is working now. I modified the auth source for Guest Devices Repository with the following filter.

SELECT trim(both '.' from user_credential(password)) AS User_Password,
       CASE WHEN enabled = FALSE THEN 225
            WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
            ELSE 0
       END AS Account_Status,
       sponsor_name
FROM tips_guest_users
WHERE ((guest_type = 'DEVICE') AND (user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')))

Regards,

Josh
___________
ACMP, ACCP
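As an added example (not from the post and not ClearPass code), the filter above can be exercised offline with Python's sqlite3 to see exactly which attributes it returns for a given client MAC: the dotted stored password comes back with the periods trimmed, and Account_Status is 225 for a disabled device, 226 for an expired one, and 0 otherwise. The SQL is adapted to the SQLite dialect (trim(x, '.') instead of trim(both '.' from x), 0 instead of FALSE, a bound :now instead of now()); user_credential() is a stand-in stub, since the real ClearPass function decrypts the stored credential; the tips_guest_users rows and sponsor names are constructed sample data; and the client MAC passed to lookup() stands in for %{Connection:Client-Mac-Address-Hyphen}.

```python
import sqlite3
from datetime import datetime, timezone


def user_credential(stored):
    """Stand-in for ClearPass's user_credential() (assumption: the real one
    decrypts the stored credential; here the sample passwords are in the clear)."""
    return stored


# SQLite rendering of the filter from the post. Differences from the ClearPass
# (PostgreSQL) original: trim(x, '.') for trim(both '.' from x), enabled = 0 for
# enabled = FALSE, and a bound :now string in place of now().
FILTER_SQL = """
SELECT trim(user_credential(password), '.') AS User_Password,
       CASE WHEN enabled = 0 THEN 225
            WHEN expire_time IS NOT NULL AND expire_time <= :now THEN 226
            ELSE 0
       END AS Account_Status,
       sponsor_name
FROM tips_guest_users
WHERE guest_type = 'DEVICE' AND user_id = upper(:mac)
"""

# Constructed sample rows in the shape of tips_guest_users (not real data):
# user_id (MAC, hyphen form, upper case), password, enabled, expire_time,
# guest_type, sponsor_name.
SAMPLE_ROWS = [
    ("00-02-A5-E9-00-28", ".0002a5e90028.", 1, None, "DEVICE", "josh"),  # dotted pw, active
    ("00-02-A5-E9-00-29", ".0002a5e90029.", 0, None, "DEVICE", "josh"),  # disabled -> 225
    ("00-02-A5-E9-00-2A", ".0002a5e9002a.", 1, "2023-12-31 00:00:00", "DEVICE", "josh"),  # expired -> 226
    ("00-02-A5-E9-00-2B", "0002a5e9002b", 1, "2099-01-01 00:00:00", "DEVICE", "josh"),  # plain pw, trim is a no-op
    ("00-02-A5-E9-00-2C", "secret", 1, None, "USER", "josh"),  # not a DEVICE: filtered out
]


def build_db():
    """In-memory database holding the constructed tips_guest_users rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.create_function("user_credential", 1, user_credential)
    conn.execute("""CREATE TABLE tips_guest_users (
        user_id TEXT, password TEXT, enabled INTEGER, expire_time TEXT,
        guest_type TEXT, sponsor_name TEXT)""")
    conn.executemany("INSERT INTO tips_guest_users VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup(conn, client_mac_hyphen, now=None):
    """Run the filter for one client MAC (hyphen form, any case) and return the
    attribute row as a dict, or None when no enabled-or-not DEVICE entry matches."""
    if now is None:
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    row = conn.execute(FILTER_SQL, {"now": now, "mac": client_mac_hyphen}).fetchone()
    return dict(row) if row is not None else None


if __name__ == "__main__":
    db = build_db()
    for mac in ("00-02-a5-e9-00-28", "00-02-a5-e9-00-29", "00-02-a5-e9-00-2a",
                "00-02-a5-e9-00-2b", "00-02-a5-e9-00-2c"):
        print(mac, "->", lookup(db, mac, now="2024-01-01 00:00:00"))
```

Note what the filter does and does not do: it only changes the User_Password attribute that ClearPass reads back from the repository (periods stripped from the stored credential); it does not alter the password the switch sends, so the switch's non-eap-pwd-fmt still has to agree with what is stored for the device.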