Frequent Contributor II

Re: Mac authentication on clearpass (Login Status is REJECT but client still have network connectivi

Hi Colin,


Could you please clarify why a client that failed MAC authentication can still be connected, and the only way for us to deny their access is to assign a "deny any" role? As far as I understand, the controller will get an Access-Reject message from Radius server and it should prevent the client from connecting.


Regards,

Guru Elite

A failed mac authentication leaves the device in the initial role in the AAA profile.  This allows you to do other things if the device fails mac authentication, like provide a captive portal for unauthorized users to login.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Frequent Contributor II

Hi Colin,

So, do you mean this is purely an implementation decision from Aruba to let clients in the initial role so that we can do other things later on? I used to do MAC auth on Cisco wireless and they seemed to disconnect clients right away after they failed authentication.

Guru Elite

Your initial role can block traffic, so that users that do not pass mac authentication go nowhere if you want strict mac authentication.  You have the option to do either.

Frequent Contributor II

Sure, we can completely block the client traffic in the initial role. But the side effect of letting them stay connected is that the controller will have to handle these meaningless connections, which may affect its performance.

Guru Elite

Please feel free to post your idea here:  innovate.arubanetworks.com/ideas

A user requires a MAC address and an IP address to enter the user table. If it does not obtain both, it does not enter the user table or consume resources.

Frequent Contributor II

Ah, I see. Thanks for the info.

Occasional Contributor I

You should be able to make the controller drop the "connection" if you make ClearPass send a RADIUS profile with action Drop, like the default [Drop Access Profile].

I did this with a RADIUS proxy service, but I think you should be able to do this with another service as well. You need to make some sort of rule that catches the reject, like Authentication:ErrorCode.

Frequent Contributor II

Thanks for the info, Christoffer. I've never used [Drop Access Profile] before because I thought this action would result in ClearPass silently dropping the requests from the controller. I'll give it a try.

Guru Elite

Do NOT use drop. This could unintentionally cause the controller to mark the server out of service.

If you want a deny state, make sure the initial role is set to a denyall role.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
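The two behaviours Colin and Tim describe (a permissive initial role that keeps a MAC-auth-rejected client reachable for a captive portal, versus a strict "denyall" initial role) shown side by side as a constructed ArubaOS CLI fragment. This is an added illustration, not configuration posted in the thread or taken from Aruba documentation. The profile, MAC-auth profile and server-group names are made up; the keyword names follow the ArubaOS "aaa profile" syntax as I remember it from 6.x/8.x and should be confirmed against your controller release before use. Lines starting with "!" are annotations, not CLI.

```text
! Constructed example, not from the thread. Profile/group names are
! hypothetical; verify keyword spelling against your ArubaOS release.

! Permissive variant: a client that ClearPass rejects stays in the
! initial role "logon", which normally allows DHCP, DNS and the captive
! portal, so it looks "connected" even though the RADIUS result was
! Access-Reject.
aaa profile "mac-auth-permissive"
   initial-role "logon"
   authentication-mac "cppm-mac-auth"
   mac-server-group "cppm-servers"
   mac-default-role "authenticated"

! Strict variant: identical, except the initial role is the predefined
! "denyall" role. A rejected client may still associate at layer 2, but
! every frame is dropped, so it never gets an IP address and, as Colin
! notes above, never enters the user table.
aaa profile "mac-auth-strict"
   initial-role "denyall"
   authentication-mac "cppm-mac-auth"
   mac-server-group "cppm-servers"
   mac-default-role "authenticated"
```

To check which variant a client actually landed in, look it up in the controller's user table (show user-table) after a deliberately failed MAC authentication: with the strict profile the rejected MAC should not appear with an IP address at all, while with the permissive profile it shows up in the "logon" role. Keep the ClearPass side as a normal Access-Reject; per Tim's warning above, do not switch the enforcement to Drop to get this effect.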