Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired MAC Authentication issues

  • 1.  Wired MAC Authentication issues

    Posted Sep 20, 2016 07:40 PM

    Hi all,

     

    I currently have an issue with authenticating wired devices through MAC authentication using H3C 5120 switches.

     

    I'm using the allow all mac-auth source and just want to authenticate printers from their profiled OS family and assign them to an enforcement profile.

     

    I receive the following message in the access tracker:

    Failed to construct filter=SELECT hostname,(case when static_ip is false then 'false' else 'true' end) as static_ip, device_category, device_family, device_name, other_category, other_family, other_name, (case when conflict is false then 'false' else 'true' end) as conflict FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}').
    Failed to get value for attributes=[Device Name, OS Family]

    I also attached a picture from the logs.

    Any ideas?

    Thanks!

     

     



  • 2.  RE: Wired MAC Authentication issues

    EMPLOYEE
    Posted Sep 21, 2016 03:36 AM

    From the logs, it looks like ClearPass does not like the format in which the MAC address is sent: xxxx-xxxx-xxxx; please try to change the format that is sent in your 5120.

     

    I'm not a Comware expert, but it seems that you can configure the way the MAC address is sent to the RADIUS server. This is for Comware 5:

     

    [sw01]mac-authentication user-name-format mac-address ?
      with-hyphen     MAC address with '-', just like XX-XX-XX-XX-XX-XX
      without-hyphen  MAC address without '-', just like XXXXXXXXXXXX
      <cr>
    

    Can you try changing the MAC format that is sent to ClearPass?

     

    Also, if you are on an older version of ClearPass (older than 6 months), upgrading to the latest version might help.



  • 3.  RE: Wired MAC Authentication issues

    Posted Sep 21, 2016 07:49 AM
    Hi, thanks for your answer.

    This is exactly what I am thinking. I tried both, and what changes is the Username I receive. The calling station id for some reason remains in the aaaa-bbbb-cccc format.

    If I compare with a ProCurve switch running ProVision, the calling station id is in the aabbccddeeff format and it works totally fine. I'm not sure if calling station id has something to do with it, but it is the only difference in the incoming information I receive.

    I'm on ClearPass 6.6.1
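
Added example, not part of the thread and not ClearPass or switch code: a small checker that classifies the three MAC formats mentioned above and reduces them to one lookup key, showing which attribute of a request would miss a raw comparison. It assumes endpoint records are keyed by lowercase, no-delimiter MAC, as the `WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')` filter in the first post suggests; the function names and sample values are constructed for illustration.

```python
import re

# The three notations that appear in this thread, as patterns over the raw value.
FORMATS = {
    "no-delimiter (XXXXXXXXXXXX)": re.compile(r"[0-9A-Fa-f]{12}"),
    "hyphen pairs (XX-XX-XX-XX-XX-XX)": re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}"),
    "hyphen quads (xxxx-xxxx-xxxx)": re.compile(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2}"),
}


def classify(raw):
    """Return the name of the matching notation, or None if the value is not a MAC."""
    value = raw.strip()
    for name, pattern in FORMATS.items():
        if pattern.fullmatch(value):
            return name
    return None


def normalize(raw):
    """Reduce a recognised MAC to 12 lowercase hex digits; reject anything else."""
    if classify(raw) is None:
        raise ValueError(f"unrecognised MAC format: {raw!r}")
    return raw.strip().replace("-", "").lower()


def lookup_report(attributes, endpoint_keys):
    """Per attribute: its notation, and whether a raw or a normalised lookup finds the endpoint."""
    report = {}
    for attr, raw in attributes.items():
        report[attr] = {
            "format": classify(raw),
            "raw_match": raw.lower() in endpoint_keys,
            "normalized_match": normalize(raw) in endpoint_keys,
        }
    return report


# Constructed sample: one profiled endpoint and one request whose two
# attributes carry the same MAC in different notations.
ENDPOINT_KEYS = {"aabbccddeeff"}
SAMPLE_REQUEST = {"User-Name": "AABBCCDDEEFF", "Calling-Station-Id": "aabb-ccdd-eeff"}

if __name__ == "__main__":
    for attr, result in lookup_report(SAMPLE_REQUEST, ENDPOINT_KEYS).items():
        print(attr, result)
```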


  • 4.  RE: Wired MAC Authentication issues
    Best Answer

    EMPLOYEE
    Posted Sep 21, 2016 08:17 AM

    If possible, check if a firmware upgrade on the switch improves things; otherwise please open a case with your partner or Aruba TAC to get this further investigated.

     



  • 5.  RE: Wired MAC Authentication issues

    Posted Sep 21, 2016 08:25 AM
    OK, thank you!


  • 6.  RE: Wired MAC Authentication issues

    Posted Oct 05, 2016 10:58 AM

    The switch was running Comware 5 and I upgraded to the latest version of 7, and it works fine with the same service.

    Didn't really have time to dig further. Still, there were a LOT of MAC auth and 802.1x related issues in the release notes, but none representing my problem.

    Thanks,