Contributor II

Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

Hi all,

I'm trying to deploy an SSID with PSK (on an Aruba 7210 controller) and MAC authentication on ClearPass (VA 5k), but it's not working. My client can authenticate with PSK and bypass MAC authentication on ClearPass even though that client has been REJECTED.

Can anyone help me with authentication using PSK on the controller together with MAC authentication on ClearPass?

Many thanks for your help.

Guru Elite

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

In your AAA profile, you need to disable L2 authentication fail through:

http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm?Highlight=l2-auth-fail-through

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,

Thank for your response,

I've checked my AAA profile; unfortunately, L2 authentication fail through is not enabled.

Guru Elite

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

You might be showing us the wrong AAA profile.  According to your screenshot, the mac authentication server group is "Internal" which means it is not pointing at CPPM.

Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,

I'm sorry, I showed the wrong screenshot. This is a screenshot from when I tested the AAA profile with the internal DB on the controller, but I'm sure that L2 authentication fail through was not enabled in my profile. You can see it in the attachment below.

Guru Elite

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Okay.

The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication.  If you want the client's role to be restricted even more, you would change that role to something else.

Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,

As per your comment above: "The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication.  If you want the client's role to be restricted even more, you would change that role to something else." I have some confusion and hope you can help.

1. Do you mean the client will receive the "logon" role if it does not pass MAC authentication (default policies include allow http, https, dns, dhcp...), so it still has network connectivity?

2. So if it passes authentication, what role will it stay in?

3. If I want to deny all clients who do not pass authentication (including MAC, 802.1x ...), do I need an "Initial Role" with a deny any any rule?

Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,

Thanks for your help, I've resolved my issue. I used one profile with a blank rule in the initial role. Is there any other way to reject clients who do not pass authentication? With my solution, the client just does not receive DHCP or DNS. Actually, they were not rejected.

I hope you can help me understand this issue more clearly, along with the 3 questions above.

Many thanks.

Guru Elite

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Ultimately, if you use 802.1x, the client does not get connected if they fail authentication.  That is the Gold standard.  Mac authentication does not scale and should only be used as an interim authentication solution.

The answer to #3 is yes.  The only other way to reject is to return a radius user role that offers no connectivity.  Again, the best way to do this is to employ 802.1x and NOT mac authentication.

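As an added example (not posted in this thread and not Aruba's own configuration), here is an ArubaOS 6.x-style AAA profile that puts the advice above together: the MAC authentication server group points at ClearPass rather than "Internal", L2 authentication fail through is off, and the initial role carries a deny-all session ACL so a client that ClearPass REJECTs gets no connectivity at all. The names (cppm-01, cppm, deny-all, mac-auth-pending, authenticated-device, psk-macauth), the server address and the shared secret are placeholders, and the command syntax is written from memory, so verify it against the aaa_profile documentation linked earlier in the thread.

```text
! RADIUS server entry for ClearPass (address and key are placeholders)
aaa authentication-server radius cppm-01
  host 192.0.2.10
  key <shared-secret-placeholder>
  enable

! Server group used for MAC authentication: must point at CPPM, not "Internal"
aaa server-group cppm
  auth-server cppm-01

! Session ACL that blocks everything, including DHCP and DNS
ip access-list session deny-all
  any any any deny

! Initial role: the client sits here until MAC auth succeeds;
! with deny-all attached it has no connectivity while waiting or after a REJECT
user-role mac-auth-pending
  access-list session deny-all

! Role for devices ClearPass accepts (returned via the Aruba-User-Role VSA,
! or applied as the MAC default role below)
user-role authenticated-device
  access-list session allowall

! AAA profile bound to the PSK SSID
aaa profile psk-macauth
  initial-role mac-auth-pending
  authentication-mac default
  mac-server-group cppm
  mac-default-role authenticated-device
  no l2-auth-fail-through
```

With this profile a rejected client still associates (PSK succeeded) but remains in mac-auth-pending with no reachable services, which is exactly the "no DHCP or DNS" outcome described above rather than a true disconnect; as the thread notes, only 802.1X keeps a failed client off the network entirely.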
Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,

Many thanks for your helpful comments. So I have not only resolved my issue but also understand the types of authentication more clearly.

Again, I very much appreciate your support.