Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

  • 1.  Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Mar 22, 2017 05:49 AM

    Hi Everybody,
    I'm new to ClearPass but have been playing with this now for some time in the lab.
    I'm wondering if somebody has experienced something similar to this. Whenever the PC with the machine certificate is connected to the switch port, in the Access Tracker I first see a reject based on the MAC authentication and then, about 30 seconds later, an accept based on the certificate authentication. It looks like the switch always offers up 2 kinds of authentication methods to the ClearPass server (first MAC auth), although the PC connecting is configured for 802.1x authentication using a machine certificate (I didn't see this effect using Juniper switches).
    I have tried configuring a single service combining both MAC auth and 802.1x (EAP-TLS (no auth)) and 2 single services, the top one using EAP-TLS and the second for MAC auth, but I still get the same error. Everything is 'working' but with the side effect that the 802.1x PC is always rejected first and then accepted afterwards. Another funny side effect is that if I connect a device to the switch, it looks like the Avaya switch sends a re-authentication request for all other devices already connected to the switch.
    I cannot test a different software version on the switch at the moment as the customer is running this version on all his switches.
    Avaya details: Ethernet Routing Switch 4850GTS-PWR+  HW:15  FW:5.6.4.1   SW:v5.6.5.013 BN:13 (c) Avaya Networks
    ClearPass details: vers. 6.6.0.81015
    Any tips or pointers would be much appreciated, Thanks!



  • 2.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Mar 22, 2017 02:03 PM

    Hi,

    every switch that supports 802.1x usually comes with a guide that explains all the features and configurations. I never worked with Avaya, but every vendor is different.

    In your case, it looks like the switch is configured to do concurrent MAC authentication and 802.1x authentication, which is fine, since you might want to plug a printer or an enterprise laptop into a port.

    Also I would suggest going with 2 services instead of mixing MAC auth and PEAP or TLS in 1 service.

    Since the first request sent by the switch (NAD) is a MAC Auth, you need to order the MAC authentication service on top of the 802.1x one.

    Then, you will plug an enterprise laptop into that port:

    - The switch will send a MAC auth request to CP

    - CP will deny it

    - The switch will then send an 802.1x auth request to CP

    - CP should accept it

    HTH :)



  • 3.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Mar 23, 2017 02:56 AM

    Hi Overclock,

    thanks for your reply. Yes, the switch is configured for both MAC authentication and 802.1x authentication (we have to do both). I had hoped I could avoid the Reject messages on the 802.1x ports, but it seems it's 'all or nothing'. I tried reversing the Services but the effect is always the same: it Accepts on the second attempt and Denies on the first. Looks like I'll have to live with it...



  • 4.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Mar 24, 2017 03:14 PM

    Please check if you have any option to configure L2 authentication order/priority on the switchport, i.e. 802.1x will be attempted first and, when the client does not respond to EAP requests, the switch should try MAC authentication. This way, clients that do not support EAP-based authentication methods, like printers, can send MAC authentication requests, and clients that have EAP supplicant support, like computers, can connect through 802.1x at their first attempt.

    When an authentication request reaches CPPM, it will try to answer it. So, rearranging/combining the MAC auth and 802.1x service in CPPM does not help.



  • 5.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Mar 27, 2017 10:19 AM

    Thanks VinceF,

    I will check if there is any possibility with our networking engineers. I didn't see anything myself, but maybe there is a way of doing that...



  • 6.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 31, 2017 03:20 PM

    Hi marrat15,

    I was just wondering if you ever found any setting on the Avaya switches to choose the order authentications occur. I've got Avaya switches here and haven't been able to find anything like that myself.

    Thanks! 



  • 7.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 31, 2017 03:37 PM

    What issue are you experiencing?

    Are you able to authenticate either (802.1X / MAC)?


  • 8.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 31, 2017 03:42 PM

    Hi Victor,

    Same as the OP: the Avaya switches seem to do both MAC and 802.1x authentication, though always MAC auth first, so many rejects show up in the logs when a computer does a MAC auth (rejected) and then a .1x auth (successful).

    I was hoping maybe someone had come across a setting on the Avaya switches to have the switch do a .1x auth and then, if that's not successful, try MAC auth. But it may be an all-or-nothing scenario.

    Thanks



  • 9.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 31, 2017 04:09 PM

    I recently deployed this at a customer site and noticed inconsistent results based on the Avaya code used.

    With this code I didn't experience any issues:


    This is the working config where, if an 802.1X-enabled client connects, this authentication will happen first:

    RADIUS SERVER CONFIGURATION
    radius server host CLEARPASS-IP acct-enable retry 5
    radius server host key "KEY"
    radius server host CLEARPASS-IP used-by eapol acct-enable
    radius server host key "KEY" used-by eapol
    radius server host CLEARPASS-IP used-by non-eapol acct-enable
    radius server host key "KEY" used-by non-eapol

    COA CONFIGURATION
    radius dynamic-server client CLEARPASS-IP
    radius dynamic-server client CLEARPASS-IP secret "KEY"
    radius dynamic-server client CLEARPASS-IP process-change-of-auth-requests
    radius dynamic-server client CLEARPASS-IP process-disconnect-requests

    GLOBAL EAP CONFIGURATION
    eapol multihost allow-non-eap-enable
    eapol multihost radius-non-eap-enable
    eapol multihost non-eap-phone-enable
    eapol multihost eap-packet-mode unicast
    eapol multihost multivlan enable
    eapol multihost adac-non-eap-enable

    EAP INTERFACE CONFIGURATION
    interface Ethernet ALL
    eapol multihost port 1-46 enable eap-mac-max 3 allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enable
    exit
    no eapol multihost non-eap-pwd-fmt ip-addr
    no eapol multihost non-eap-pwd-fmt port-number

    interface Ethernet ALL
    eapol port 1-46 status auto re-authentication enable re-authentication-period 1000 supplicant-timeout 3 server-timeout 10

    interface Ethernet ALL
    eapol port 1-46 radius-dynamic-server enable



  • 10.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 31, 2017 04:27 PM

    Hi Victor,

    That's great, thanks very much! I'll check that against what I have running and I'll let you know tomorrow.

    Thanks!



  • 11.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Nov 01, 2017 02:29 PM

    Hi Victor,

    Thanks very much for your help yesterday. There were definitely a few lines missing from my config (mainly the lines involving adac).

    Interestingly, now the 802.1x authentication shows up first in the Access Tracker, but it is then followed by a couple of MAC auth attempts (which are rejected). It looks like that may be something we need to live with, but I really appreciate your help and sharing your config.

    Thanks
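The reject/accept pairs described in posts 2 and 11 are predictable noise on ports that run MAC auth and 802.1x concurrently, and they hide the rejects that actually matter. The following added triage script (not from the thread or from ClearPass; log format, service names and the 60-second window are constructed assumptions) pairs each MAC-Auth REJECT with an 802.1X ACCEPT for the same endpoint in either order, so only unpaired rejects are reported:

```python
"""Separate expected MAC-auth rejects (concurrent MAC/802.1x ports) from
rejects that need a look. Event layout is a constructed approximation of
Access Tracker rows, not real ClearPass output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: fields are timestamp, endpoint MAC, service, outcome.
SAMPLE_EVENTS = """\
2017-10-31 15:50:01 00:11:22:33:44:55 MAC-Auth REJECT
2017-10-31 15:50:31 00:11:22:33:44:55 802.1X-EAP-TLS ACCEPT
2017-10-31 15:51:05 aa:bb:cc:dd:ee:01 802.1X-EAP-TLS ACCEPT
2017-10-31 15:51:07 aa:bb:cc:dd:ee:01 MAC-Auth REJECT
2017-10-31 15:51:09 aa:bb:cc:dd:ee:01 MAC-Auth REJECT
2017-10-31 15:52:00 de:ad:be:ef:00:01 MAC-Auth REJECT
2017-10-31 15:53:00 00:11:22:33:44:55 802.1X-EAP-TLS REJECT
"""

WINDOW = timedelta(seconds=60)  # assumed pairing window


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, mac, service, outcome = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "mac": mac.lower(), "service": service, "outcome": outcome})
    return events


def triage(events, window=WINDOW):
    """Return (expected_rejects, real_rejects).

    A MAC-Auth REJECT is expected noise when the same MAC has an 802.1X
    ACCEPT within `window` before it (802.1x-first, post 11) or after it
    (MAC-first, post 2). Any other REJECT, including a failed 802.1X
    attempt, is reported as real."""
    accepts = defaultdict(list)
    for e in events:
        if e["service"].startswith("802.1X") and e["outcome"] == "ACCEPT":
            accepts[e["mac"]].append(e["ts"])
    expected, real = [], []
    for e in events:
        if e["outcome"] != "REJECT":
            continue
        paired = (e["service"] == "MAC-Auth"
                  and any(abs(e["ts"] - t) <= window for t in accepts[e["mac"]]))
        (expected if paired else real).append(e)
    return expected, real
```

With the constructed sample, three MAC-Auth rejects are paired away and two rejects remain: a MAC-Auth reject with no matching 802.1X accept, and an outright EAP-TLS failure.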



  • 12.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted Oct 30, 2018 06:46 AM

    Hi Amoase and Victor,

    I am currently working on an Avaya PoC with ClearPass.

    In the Access Tracker I receive an error that no CoA type is enabled for this type of device. I have added it as a Nortel switch (Avaya is missing).

    Do you happen to know if I can add the switch as another device so CoA will work? (The switch is RFC3567 capable, 4850GTS.)



  • 13.  RE: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

    Posted May 20, 2021 01:12 AM

    Hi Victor,

    Any idea what can be put to define the NAD in ClearPass? I tried to put Nortel, but it seems like ClearPass is not receiving requests from the Avaya switch.

    ------------------------------
    SHAIFUL ADLI YAAKOB
    ------------------------------