02-05-2018 01:53 AM - edited 02-07-2018 03:20 AM
Hi all,
I'm trying to deploy an SSID with PSK (on an Aruba 7210 controller) and MAC authentication on ClearPass (VA 5k), but it's not working. My client can authenticate with PSK and bypass MAC authentication on ClearPass even though that client has been REJECTED.
Can anyone help me authenticate using PSK on the controller with MAC authentication on ClearPass?
Many thanks for the help.
Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi
02-05-2018 04:15 AM - edited 02-05-2018 04:15 AM
In your AAA profile, you need to disable L2 authentication fail through:
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
02-05-2018 06:12 PM - edited 02-07-2018 03:21 AM
Hi Colin,
Thanks for your response.
I've checked my AAA profile; unfortunately, L2 authentication fail through is not enabled.
02-06-2018 02:23 AM
You might be showing us the wrong AAA profile. According to your screenshot, the mac authentication server group is "Internal" which means it is not pointing at CPPM.
Colin Joseph
Aruba Customer Engineering
02-06-2018 06:39 AM - edited 02-07-2018 03:19 AM
Hi Colin,
I'm sorry, I showed the wrong screenshot. This is a screenshot from when I tested the AAA profile with the internal DB on the controller, but I'm sure that L2 authentication fail through was not enabled in my profile. You can see it in the attachment below.
02-06-2018 06:42 AM
Okay.
The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication. If you want the client's role to be restricted even more, you would change that role to something else.
Colin Joseph
Aruba Customer Engineering
02-06-2018 07:26 PM
Hi Colin,
As per your comment above: "The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication. If you want the client's role to be restricted even more, you would change that role to something else." I am somewhat confused and hope you can help.
1. Do you mean the client will receive the "logon" role if it does not pass MAC authentication (default policies include allow http, https, dns, dhcp...), so it still has network connectivity?
2. So if it passes authentication, what role will it stay in?
3. If I want to deny all clients that do not pass authentication (including MAC, 802.1x ...), do I need an "Initial Role" with a deny any any rule?
02-07-2018 03:19 AM
Hi Colin,
Thanks for your help, I've resolved my issue. I used 1 profile with a blank rule in the initial role. Is there any other way to reject a client that does not pass authentication? With my solution, the client just does not receive DHCP or DNS. Actually, they were not rejected.
I hope you can help me understand this issue and the 3 questions above more clearly.
Many thanks.
02-07-2018 03:27 AM
Ultimately, if you use 802.1x, the client does not get connected if they fail authentication. That is the Gold standard. Mac authentication does not scale and should only be used as an interim authentication solution.
The answer to #3 is yes. The only other way to reject is to return a radius user role that offers no connectivity. Again, the best way to do this is to employ 802.1x and NOT mac authentication.
Colin Joseph
Aruba Customer Engineering
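The AAA profile settings discussed in this thread, as an added configuration example that is not part of any post and not taken from the poster's controller. It assumes ArubaOS 8.x CLI syntax; the ACL, role, profile and server-group names (`preauth-deny-acl`, `preauth-deny`, `psk-mac-aaa`, `cppm-servers`) are placeholders.

```arubaos
! Added example (assumed ArubaOS 8.x syntax, placeholder names).
!
! Session ACL that drops every flow, including DHCP and DNS.
ip access-list session preauth-deny-acl
    any any any deny
!
! Role that carries only the deny-all ACL.
user-role preauth-deny
    access-list session preauth-deny-acl
!
! Weak setting seen in the thread: "initial-role logon" leaves a client
! that ClearPass rejected in the logon role, which still passes traffic.
! Corrected: a client that fails MAC authentication stays in a role with
! no connectivity, and L2 authentication fail through stays disabled.
aaa profile psk-mac-aaa
    initial-role preauth-deny
    authentication-mac default
    mac-default-role authenticated
    mac-server-group cppm-servers
    no l2-auth-fail-through
!
```

After a rejected client associates, `show user-table` shows which role it actually holds, and `show rights preauth-deny` lists the rules that role enforces.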
02-07-2018 06:10 PM
Hi Colin,
Many thanks for your helpful comments. So, I not only resolved my issue but also have a clearer understanding of the types of authentication.
Again, I very much appreciate your support.