Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

  • 1.  Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 05, 2018 04:54 AM

    Hi all,

    I'm trying to deploy an SSID with PSK (on an Aruba 7210 controller) and MAC authentication on ClearPass (VA 5k) but it's not working. My client can authenticate with PSK and bypass MAC authentication on ClearPass even though that client has been REJECTED.

    Can anyone help me to authenticate using PSK on the controller with MAC authentication on ClearPass?

    Many thanks for your help.




  • 2.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 05, 2018 07:15 AM


  • 3.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 05, 2018 09:13 PM

    Hi Colin,

    Thank for your response,

    I've checked my AAA profile; unfortunately L2 authentication fail-through is not enabled.



  • 4.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 06, 2018 05:24 AM

    You might be showing us the wrong AAA profile.  According to your screenshot, the mac authentication server group is "Internal" which means it is not pointing at CPPM.



  • 5.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 06, 2018 09:40 AM

    Hi Colin,

    I'm sorry, I showed the wrong screenshot. This is a screenshot from when I tested the AAA profile with the internal DB on the controller, but I'm sure that L2 authentication fail-through was not enabled in my profile. You can see the attachment below.



  • 6.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)
    Best Answer

    EMPLOYEE
    Posted Feb 06, 2018 09:43 AM

    Okay. 

     

    The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication.  If you want the client's role to be restricted even more, you would change that role to something else.



  • 7.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 06, 2018 10:27 PM

    Hi Colin,

    As per your comment above: "The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication.  If you want the client's role to be restricted even more, you would change that role to something else." I have some confusion and hope you can help.

    1. Do you mean the client will receive the "logon" role if it does not pass MAC authentication (default policies include allow http, https, dns, dhcp...), so it still has network connectivity?

    2. So if it passes authentication, what role will it stay in?

    3. If I want to deny all clients who do not pass authentication (including MAC, 802.1X...), do I need an "Initial Role" with a deny any any rule?



  • 8.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 07, 2018 06:19 AM

    Hi Colin,

    Thanks for your help, I've resolved my issue. I used one profile with a blank rule in the initial role. Is there any other way to reject clients who do not pass authentication? With my solution, the client just does not receive DHCP or DNS. Actually, they were not rejected.

    I hope you can help me understand this issue and the 3 questions above more clearly.

    Many thanks.



  • 9.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 07, 2018 06:28 AM

    Ultimately, if you use 802.1x, the client does not get connected if they fail authentication.  That is the Gold standard.  Mac authentication does not scale and should only be used as an interim authentication solution.

     

    The answer to #3 is yes.  The only other way to reject is to return a radius user role that offers no connectivity.  Again, the best way to do this is to employ 802.1x and NOT mac authentication.



  • 10.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 07, 2018 09:10 PM

    Hi Colin,

    Many thanks for your helpful comments. So, I not only resolved my issue but also have a clearer understanding of the types of authentication.

    Again, I very much appreciate your support.



  • 11.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 08, 2018 03:21 AM

    Hi Colin,


    Could you please clarify why a client that failed MAC authentication can still be connected, and the only way for us to deny their access is to assign a "deny any" role? As far as I understand, the controller will get an Access-Reject message from Radius server and it should prevent the client from connecting.


    Regards,



  • 12.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 08, 2018 04:19 AM

    A failed mac authentication leaves the device in the initial role in the AAA profile.  This allows you to do other things if the device fails mac authentication, like provide a captive portal for unauthorized users to login.



  • 13.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 13, 2018 09:55 PM

    Hi Colin,


    So, do you mean this is purely an implementation decision from Aruba to let clients in the initial role so that we can do other things later on? I used to do MAC auth on Cisco wireless and they seemed to disconnect clients right away after they failed authentication.



  • 14.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 13, 2018 10:51 PM

    Your initial role can block traffic, so that users that do not pass mac authentication go nowhere if you want strict mac authentication.  You have the option to do either.



  • 15.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 14, 2018 06:30 AM

    Sure, we can completely block the client traffic in the initial role. But the side effect of letting them connect is that the controller will have to handle these meaningless connections, which may affect its performance.



  • 16.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 14, 2018 06:33 AM

    Please feel free to post your idea here:  innovate.arubanetworks.com/ideas


    A user requires a mac address and an ip address to enter the user table.  If it does not obtain both, it does not enter the user table or consume resources.



  • 17.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 14, 2018 07:50 AM

    Ah, I see. Thanks for the info.

     



  • 18.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 21, 2018 05:32 AM

    You should be able to make the controller drop the "connection" if you make ClearPass send a RADIUS profile with action Drop, like the default [Drop Access Profile].

    I did this with a RADIUS Proxy service, but I think you should be able to do this with another service as well. You need to make some sort of rule that catches the reject, like Authentication:ErrorCode.



  • 19.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 21, 2018 05:55 AM

    Thanks for the info, Christoffer. I've never used [Drop Access Profile] before because I thought this action would result in ClearPass silently dropping the requests from the controller. I'll give it a try.



  • 20.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 21, 2018 07:51 AM

    Do NOT use drop. This could unintentionally cause the controller to mark the server out of service.

    If you want a deny state, make sure the initial role is set to a denyall role.


  • 21.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 21, 2018 09:27 AM

    With server you mean Clearpass?


    Care to elaborate on the "controller to mark the server out of service" part?

    And what's the difference between reject and drop in a scenario like this?



  • 22.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    EMPLOYEE
    Posted Feb 21, 2018 09:50 AM

    Drop will cause a timeout. Many NADs will mark a AAA server out of service if many timeouts are received.
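
The following is an added example and not ArubaOS or ClearPass code. It is a small Python model of the two behaviours the thread explains: a failed MAC authentication (Access-Reject) leaves the client in the AAA profile's initial role (posts #6, #12 and #14), so connectivity depends entirely on what that role permits, while a dropped request produces a timeout and repeated timeouts make the NAD mark the AAA server out of service (posts #20 and #22). The role contents, the role named "employee", and the timeout threshold of 3 are assumptions for illustration, not controller defaults.

```python
"""Simplified NAD model: MAC-auth result -> client role, plus AAA server health.
Added example, not ArubaOS or ClearPass code; role contents and thresholds are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class RadiusResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "timeout"  # no reply at all, e.g. the server used a Drop action


# Roles as ordered firewall rules (action, service); "any" matches every service.
# Assumed contents: "logon" mirrors the permissive default described in the thread.
ROLES: Dict[str, List[tuple]] = {
    "logon": [("permit", "dhcp"), ("permit", "dns"), ("permit", "http"), ("permit", "https")],
    "denyall": [("deny", "any")],
    "employee": [("permit", "any")],  # assumed role granted on a pass
}


@dataclass
class AaaProfile:
    initial_role: str               # role before, and after a failed, L2 authentication
    mac_default_role: str = "employee"  # assumed role used when Accept carries no role


@dataclass
class ServerHealth:
    """NAD-side bookkeeping: consecutive timeouts mark the AAA server out of service."""
    timeout_threshold: int = 3  # assumed value; real NADs use their own settings
    consecutive_timeouts: int = 0
    out_of_service: bool = False

    def record(self, result: RadiusResult) -> None:
        if result is RadiusResult.TIMEOUT:
            self.consecutive_timeouts += 1
            if self.consecutive_timeouts >= self.timeout_threshold:
                self.out_of_service = True
        else:
            # Any real answer, Reject included, proves the server is alive.
            self.consecutive_timeouts = 0


def derive_role(profile: AaaProfile, result: RadiusResult,
                returned_role: Optional[str] = None) -> str:
    """Accept -> returned role (or the MAC default role); anything else leaves
    the client in the profile's initial role."""
    if result is RadiusResult.ACCEPT:
        return returned_role or profile.mac_default_role
    return profile.initial_role


def is_permitted(role: str, service: str) -> bool:
    """First matching rule wins; no match means implicit deny."""
    for action, svc in ROLES[role]:
        if svc in ("any", service):
            return action == "permit"
    return False


def simulate(profile: AaaProfile, results: List[RadiusResult],
             server: ServerHealth) -> List[dict]:
    """Run a series of MAC-auth attempts; report role, DHCP reachability and server state."""
    outcomes = []
    for result in results:
        server.record(result)
        role = derive_role(profile, result)
        outcomes.append({"result": result.name, "role": role,
                         "dhcp": is_permitted(role, "dhcp"),
                         "server_out_of_service": server.out_of_service})
    return outcomes


if __name__ == "__main__":
    weak = AaaProfile(initial_role="logon")      # the original poster's setting
    strict = AaaProfile(initial_role="denyall")  # the recommended fix
    for label, prof in (("logon", weak), ("denyall", strict)):
        for row in simulate(prof, [RadiusResult.REJECT], ServerHealth()):
            print(label, row)
    # Three dropped requests in a row: the server gets marked out of service.
    for row in simulate(strict, [RadiusResult.TIMEOUT] * 3, ServerHealth()):
        print("drop", row)
```

With the "logon" initial role a rejected client still gets DHCP and DNS, which is exactly the symptom in the first post; with "denyall" it gets nothing. The reject path never touches the server health counter, whereas the drop path trips it after a few attempts, which is why the employee reply prefers a deny role over a Drop action.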


  • 23.  RE: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivity)

    Posted Feb 21, 2018 02:34 PM

    Ok, thank you for the clarification.