MVP
Posts: 123
Registered: ‎07-13-2015

Wired MAC Authentication issues

Hi all,

I currently have an issue with authenticating wired devices through MAC authentication using H3C 5120 switches.

I'm using the allow all mac-auth source and just want to authenticate printers from their profiled OS family and assign them to an enforcement profile.

I receive the following message in the access tracker:

Failed to construct filter=SELECT hostname,(case when static_ip is false then 'false' else 'true' end) as static_ip, device_category, device_family, device_name, other_category, other_family, other_name, (case when conflict is false then 'false' else 'true' end) as conflict FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}').
Failed to get value for attributes=[Device Name, OS Family]

I also attached a picture from the logs.

Any ideas?

Thanks!

ACMP, ACCP, BCNE
MVP
Posts: 465
Registered: ‎11-04-2011

Re: Wired MAC Authentication issues

From the logs, it looks like ClearPass does not like the format in which the MAC address is sent: xxxx-xxxx-xxxx; please try to change the format that is sent in your 5120.

I'm not a Comware expert, but it seems that you can configure the way the MAC address is sent to the RADIUS server. This is for Comware 5:

[sw01]mac-authentication user-name-format mac-address ?
  with-hyphen     MAC address with '-', just like XX-XX-XX-XX-XX-XX
  without-hyphen  MAC address without '-', just like XXXXXXXXXXXX
  <cr>

Can you try changing the MAC format that is sent to ClearPass?

Also, if you are on an older version of ClearPass (older than 6 months), upgrading to the latest version might help.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
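
Added example, not part of the original posts and not ClearPass or Comware code: a Python sketch of why the delimiter format matters when a lookup is keyed on a lowercase, delimiter-free MAC, as the `tips_endpoint_profiles` filter in the first post is. The function names, the sample table and the MAC value are constructed for illustration.

```python
import re

# Accepted spellings of one MAC, after lowercasing (all constructed for this example).
_FORMATS = [
    re.compile(r"[0-9a-f]{12}"),                                      # aabbccddeeff
    re.compile(r"[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"),  # aa-bb-cc-dd-ee-ff
    re.compile(r"[0-9a-f]{4}([-.])[0-9a-f]{4}\1[0-9a-f]{4}"),         # aaaa-bbbb-cccc
]

# Constructed stand-in for an endpoint-profile table keyed by lowercase,
# delimiter-free MAC (hypothetical data, not a real ClearPass export).
PROFILES = {
    "001b78a1b2c3": {"device_name": "Example Printer", "device_family": "Printer"},
}


def mac_nodelim(value):
    """Return the lowercase 12-hex-digit form, or None if value is not a MAC."""
    candidate = value.strip().lower()
    if any(p.fullmatch(candidate) for p in _FORMATS):
        return re.sub(r"[-:.]", "", candidate)
    return None  # wrong length, stray characters or mixed delimiters


def lookup(calling_station_id, normalise=True):
    """Find a profile row; normalise=False compares the raw attribute value."""
    key = mac_nodelim(calling_station_id) if normalise else calling_station_id.lower()
    return PROFILES.get(key) if key else None


if __name__ == "__main__":
    for raw in ("001B-78A1-B2C3", "00-1B-78-A1-B2-C3", "001b78a1b2c3", "001b-78a1-b2"):
        print(f"{raw!r:22} raw={lookup(raw, False)} normalised={lookup(raw)}")
```
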
MVP
Posts: 123
Registered: ‎07-13-2015

Re: Wired MAC Authentication issues

Hi, thanks for your answer.

This is exactly what I am thinking. I tried both, and what changes is the Username I receive. The calling station id for some reason remains in the aaaa-bbbb-cccc format.

If I compare with a ProCurve switch running ProVision, the calling station id is in the aabbccddeeff format and it works totally fine. I'm not sure if calling station id has something to do with it, but it is the only difference from incoming information I receive.

I'm on ClearPass 6.6.1
ACMP, ACCP, BCNE
MVP
Posts: 465
Registered: ‎11-04-2011

Re: Wired MAC Authentication issues

If possible, check if a firmware upgrade on the switch improves things; otherwise please open a case with your partner or Aruba TAC to get this further investigated.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
MVP
Posts: 123
Registered: ‎07-13-2015

Re: Wired MAC Authentication issues

OK, thank you!
ACMP, ACCP, BCNE
MVP
Posts: 123
Registered: ‎07-13-2015

Re: Wired MAC Authentication issues

The switch was running Comware 5 and I upgraded to the latest version of 7 and it works fine with the same service.

Didn't really have time to dig further. Still, there were a LOT of MAC auth and 802.1x related issues in the release notes, but none representing my problem.

Thanks,

ACMP, ACCP, BCNE