Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

WLC and Clearpass MAC authentication

  • 1.  WLC and Clearpass MAC authentication

    Posted Sep 22, 2014 10:03 AM

    Hello,

    My goal is that if an account is valid for 3 days, the guest has to authenticate with username and password only the first time; for the other authentications, ClearPass should verify only the MAC that it saved the first time, and after 3 days clear this MAC entry so the guest has to renew his account.

    I have configured Guest access with MAC caching, but it seems that it does not work.

     

    When the client tries to connect for the first time, he is redirected to the Captive Portal and the account is created.
    But when he disconnects and reconnects, the captive portal is shown again.

     

    In the Monitoring tab of ClearPass I cannot see any attempt at MAC authentication... it seems that the request doesn't match the service rule.

     

    Rule:
    Connection client MAC address equals "%{Radius:IETF:User-Name}"

    Can you help me?

     

    Thanks in advance

    Best regards

    Andrea


  • 2.  RE: WLC and Clearpass MAC authentication

    Posted Sep 22, 2014 11:47 AM

    Are you using an Aruba controller?



  • 3.  RE: WLC and Clearpass MAC authentication

    Posted Sep 22, 2014 11:53 AM

    Hello,

    No, I'm using a Cisco WLC.

     

    Regards

    Andrea



  • 4.  RE: WLC and Clearpass MAC authentication

    Posted Sep 22, 2014 12:04 PM

    Do you have MAC filtering enabled under your Layer 2 tab, and then "On MAC filter failure" enabled under the Layer 3 tab?

     

     



  • 5.  RE: WLC and Clearpass MAC authentication

    Posted Sep 23, 2014 09:33 AM

    Hello,

    Yes, I have done this configuration.

     

    Andrea.



  • 6.  RE: WLC and Clearpass MAC authentication

    EMPLOYEE
    Posted Sep 23, 2014 09:35 AM

    What format is your controller sending the MAC address for the username?



  • 7.  RE: WLC and Clearpass MAC authentication

    Posted Sep 23, 2014 09:38 AM

    I can choose it...

    What is the correct format?

     

     



  • 8.  RE: WLC and Clearpass MAC authentication

    Posted Sep 23, 2014 10:25 AM

    As cappalli suggested, you can check the format in which it is sending the MAC address in the request under Security > MAC Filtering

     

    [attachment: 2014-09-11 11_52_45-P3-DC-WLC.png]

     

    Another thing you should consider doing is setting the reject delay to 0; I noticed some issues if this value wasn't used:

    [attachment: 2014-09-23 10_14_27-ClearPass Policy Manager - Aruba Networks.png]



  • 9.  RE: WLC and Clearpass MAC authentication

    Posted Sep 24, 2014 06:32 AM

    Thanks,

    I'll check this and update you.



  • 10.  RE: WLC and Clearpass MAC authentication

    Posted Sep 25, 2014 08:25 AM

    Hello,

    I tried to modify the value, but I have the same issue...

     

    Any idea?

     

    Thanks in advance

    Best regards

    Andrea



  • 11.  RE: WLC and Clearpass MAC authentication

    Posted Sep 25, 2014 09:29 AM

    Did you create the MAC caching services using the templates?



  • 12.  RE: WLC and Clearpass MAC authentication

    Posted Oct 06, 2014 04:51 AM

    Yes.



  • 13.  RE: WLC and Clearpass MAC authentication

    Posted Oct 12, 2014 07:07 AM

    I would double-check the Cisco WLC config: are you sure the MAC auth section is enabled? If you are sure, try to confirm this with a packet capture. If it is just not sent, then this is a Cisco WLC issue and you could probably better check with their forum / support.



  • 14.  RE: WLC and Clearpass MAC authentication

    Posted Oct 12, 2014 03:50 PM
    What version of CP are you on? Earlier versions of CP ignored requests and didn't show them in Access Tracker, but in 6.4 you will find them there as long as something is received from the controller.

    The format of the MAC address sent from the controller doesn't matter, unless you are specifically testing for something like "client-mac-address-dash"... I believe ClearPass normalizes it before using it in the SQL check against the endpoint DB.

    A thing to check:
    There is a dropdown on the Cisco WLC (I think under Security/MAC-"something") that defaults to client IP address. Change that to "Client MAC address".

    If you post some screenshots of your configuration on both the WLC and CP, we should be able to narrow it down more.

    I'm working with the exact same setup these days, so if you're unable to get it working I can post some more details with screenshots if needed.


  • 15.  RE: WLC and Clearpass MAC authentication

    Posted Oct 13, 2014 05:05 AM

    Hello,

    I'm using ClearPass 6.3.5.

    On the WLC I think that all is correct; I have followed a tech guide released by Aruba.

     

    Unfortunately, today I don't have access to ClearPass, but if you can give me some screenshots of your configuration I can check them against mine, because I remember how it is configured.

     

    Best regards

    Andrea Acampa



  • 16.  RE: WLC and Clearpass MAC authentication

    Posted Oct 13, 2014 05:05 AM

     

    Security -> AAA / MAC Filtering. Radius Compatibility Mode.

      -> Set this to Cisco ACS

     

    Security -> AAA / Radius -> Authentication -> Call Station ID Type

      -> Set this to "System MAC Address"

     

     



  • 17.  RE: WLC and Clearpass MAC authentication

    Posted Oct 13, 2014 01:49 PM

    Hi John,

    about:

     

    Security -> AAA / Radius -> Authentication -> Call Station ID Type

      -> Set this to "System MAC Address"

     

    there is "Call Station ID Type 1" and "Call Station ID Type".

     

    I also see the option "MAC Delimiter"; they use "Colon".

     

    Am I OK?

    Regards.


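The service rule from the opening post (Client-MAC-Address equals %{Radius:IETF:User-Name}), the normalization point raised in reply 14 and the delimiter question in reply 17 can be modelled together. The following Python is an added example written for this page, not code from the thread, from ClearPass or from Cisco: the RADIUS requests, timestamps and the in-memory MAC cache are constructed stand-ins for the WLC's User-Name/Calling-Station-Id and the ClearPass endpoint repository, and the WLC option names are assumptions, not verified against a controller. It shows why a colon, hyphen or dotted MAC in User-Name all match the rule once normalized, why a client IP in User-Name never matches, and how a 3-day cache lifetime turns a returning guest back to the captive portal.

```python
"""Model of a MAC-auth service rule plus MAC caching with expiry.

Added example for this page; not ClearPass or Cisco WLC code. All
requests below are constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Accept only the shapes a WLC actually emits: 6 groups of 2 hex with ':' or
# '-', 3 groups of 4 hex with '.' or '-' (Cisco dotted form), or 12 bare hex.
# A dotted IPv4 such as 192.168.100.200 deliberately does NOT match.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}([.-])[0-9a-f]{4}\2[0-9a-f]{4}"
    r"|[0-9a-f]{12})$"
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex chars without delimiters,
    or None when the value is not a MAC address in a known format."""
    if value is None:
        return None
    s = value.strip().lower()
    if not _MAC_FORMS.fullmatch(s):
        return None
    return re.sub(r"[:.\-]", "", s)


def is_mac_auth_request(req):
    """The thread's service rule: Client-Mac-Address equals User-Name.
    Compared on normalized values, so the WLC's MAC delimiter does not
    matter; a client IP in User-Name never matches."""
    client_mac = normalize_mac(req.get("Calling-Station-Id"))
    user_name = normalize_mac(req.get("User-Name"))
    return client_mac is not None and client_mac == user_name


class MacCache:
    """Stand-in for the endpoint repository used by MAC caching: a MAC is
    'known' after a captive-portal login and expires after `lifetime`
    (3 days in the opening post)."""

    def __init__(self, lifetime=timedelta(days=3)):
        self.lifetime = lifetime
        self._entries = {}  # normalized mac -> (username, expires_at)

    def register(self, mac, username, now):
        key = normalize_mac(mac)
        if key is None:
            raise ValueError("not a MAC address: %r" % (mac,))
        self._entries[key] = (username, now + self.lifetime)

    def lookup(self, mac, now):
        entry = self._entries.get(normalize_mac(mac))
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._entries[normalize_mac(mac)]  # expired: re-register
            return None
        return username


def decide(req, cache, now):
    """ACCEPT when the request is MAC auth and the MAC is cached and
    unexpired; REJECT otherwise, so a WLC with 'On MAC filter failure'
    set falls through to the captive portal (assumed WLC behaviour)."""
    if not is_mac_auth_request(req):
        return "NOT-MAC-AUTH"  # would not match the MAC-auth service at all
    if cache.lookup(req["Calling-Station-Id"], now) is None:
        return "REJECT"
    return "ACCEPT"


T0 = datetime(2014, 9, 22, 10, 0)  # constructed reference time

# Constructed requests: one client, MAC sent in different User-Name formats,
# plus one where the WLC sends the client IP as User-Name.
REQUESTS = {
    "colon": {"User-Name": "00:11:22:aa:bb:cc", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
    "hyphen": {"User-Name": "00-11-22-AA-BB-CC", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
    "dotted": {"User-Name": "0011.22aa.bbcc", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
    "ip": {"User-Name": "10.1.2.3", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
}


def run_scenario():
    """Walk the guest through first login, a return on day 1, and day 4."""
    cache = MacCache()
    results = {}
    # Nothing cached yet: every MAC-auth request is rejected -> captive portal.
    results["before"] = {k: decide(r, cache, T0) for k, r in REQUESTS.items()}
    # Guest logs in at the captive portal; the endpoint is cached for 3 days.
    cache.register("00:11:22:aa:bb:cc", "guest1", T0)
    results["day1"] = {k: decide(r, cache, T0 + timedelta(days=1)) for k, r in REQUESTS.items()}
    results["day4"] = {k: decide(r, cache, T0 + timedelta(days=4)) for k, r in REQUESTS.items()}
    return results


if __name__ == "__main__":
    for phase, outcome in run_scenario().items():
        print(phase, outcome)
```

The "ip" entry is the failure mode the thread circles around: if the controller puts the client IP rather than the MAC into User-Name, the request never matches the MAC-auth service, which is consistent with seeing no MAC authentication attempts in Access Tracker at all rather than a rejected one.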

  • 18.  RE: WLC and Clearpass MAC authentication

    Posted Oct 13, 2014 12:29 AM
    Andrea,

    What do you have set as your authentication sources?
    You need to allow all MAC addresses if this is for an open SSID.