Occasional Contributor I

Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi Everybody,
I'm new to ClearPass but have been playing with this now for some time in the LAB.
I'm wondering if somebody has experienced something similar to this. Whenever the PC with the machine certificate is connected to the switch port, in the Access Tracker I first see a reject based on the MAC authentication and then about 30 seconds later an accept based on the certificate authentication. It looks like the switch always offers up 2 kinds of authentication methods to the ClearPass server (first MAC auth) although the PC connecting is configured for 802.1x authentication using a machine certificate (I didn't see this effect using Juniper switches).
I have tried configuring a single service combining both MAC auth and 802.1x (EAP TLS (no auth)) and 2 single services, the top one using EAP TLS and the second for MAC auth, but I still get the same error. Everything is 'working' but with the side effect that the 802.1x PC is always rejected first and then accepted afterwards. Another funny side effect is that if I connect a device to the switch, it looks like the Avaya switch sends a re-authentication request for all other devices already connected to the switch.
I cannot test a different software version on the switch at the moment as the customer is running this version on all his switches.
Avaya details: Ethernet Routing Switch 4850GTS-PWR+  HW:15  FW:5.6.4.1   SW:v5.6.5.013 BN:13 (c) Avaya Networks
ClearPass details: vers. 6.6.0.81015
Any tips or pointers would be much appreciated, Thanks!

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi,

Every switch that supports 802.1x usually comes with a guide that explains all the features and configurations. I never worked with Avaya, but every vendor is different.

 

In your case, it looks like the switch is configured to do concurrent MAC authentication and 802.1x authentication which is fine, since you might want to plug a printer to a port or an enterprise laptop.

Also, I would suggest going with 2 services instead of mixing MAC auth and PEAP or TLS in 1 service.

 

Since the first request sent by the switch (NAD) is a MAC Auth, you need to order the MAC authentication service on top of the 802.1x one.

 

Then, you will plug an enterprise laptop into that port:

- The switch will send a MAC auth request to CP

- CP will deny it

- The switch will then send an 802.1x auth request to CP

- CP should accept it

 

HTH :)

ACMP, ACCP, BCNE
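The sequence described above (MAC auth request denied, then 802.1x request accepted for the same endpoint) produces a predictable pair of events that floods the logs with rejects that are not real failures. As an added example that is not from the thread or from ClearPass itself, here is a small Python correlator over constructed log lines (the pipe-separated layout and the "MAC Auth"/"802.1X" service names are assumptions, not the real Access Tracker export format) that separates these expected rejects from rejects that were never followed by an 802.1X accept and therefore deserve attention.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, "timestamp|mac|service|result"; this layout is an
# assumption for the example, not the real ClearPass Access Tracker export format.
SAMPLE_LOG = """\
2017-10-31T15:56:01|00:11:22:33:44:55|MAC Auth|REJECT
2017-10-31T15:56:31|00:11:22:33:44:55|802.1X EAP-TLS|ACCEPT
2017-10-31T15:57:10|aa:bb:cc:dd:ee:ff|MAC Auth|ACCEPT
2017-10-31T15:58:00|de:ad:be:ef:00:01|MAC Auth|REJECT
2017-10-31T15:58:05|de:ad:be:ef:00:01|802.1X EAP-TLS|REJECT
2017-10-31T16:10:00|ca:fe:00:00:00:02|MAC Auth|REJECT
"""

@dataclass
class Event:
    ts: datetime
    mac: str
    service: str
    result: str

def parse_log(text: str) -> list[Event]:
    """Parse the constructed log into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, mac, service, result = line.split("|")
            events.append(Event(datetime.fromisoformat(ts), mac.lower(), service, result))
    return sorted(events, key=lambda e: e.ts)

def classify_rejects(events: list[Event], window=timedelta(seconds=60)) -> dict[str, str]:
    """Verdict per endpoint MAC for every MAC-auth REJECT.

    'expected'  : the same MAC was accepted by 802.1X within the window, i.e. the
                  normal sequence on this switch (MAC auth denied, then 802.1X ok).
    'suspicious': no 802.1X accept followed; unknown device or a supplicant that
                  never completed EAP, so this reject deserves a look.
    """
    verdicts: dict[str, str] = {}
    for i, ev in enumerate(events):
        if ev.service != "MAC Auth" or ev.result != "REJECT":
            continue
        followed = any(
            later.mac == ev.mac and later.service.startswith("802.1X")
            and later.result == "ACCEPT" and later.ts - ev.ts <= window
            for later in events[i + 1:]
        )
        verdicts[ev.mac] = "expected" if followed else "suspicious"
    return verdicts
```

The 60-second window is sized for the roughly 30-second gap reported in this thread; tune it to the re-authentication timers actually configured on the switch.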
Occasional Contributor I

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi Overclock,

Thanks for your reply. Yes, the switch is configured for both MAC authentication and 802.1x authentication (we have to do both). I had hoped I could avoid the Reject messages on the 802.1x ports, but it seems it's 'all or nothing'. I tried reversing the Services, but the effect is always the same: it Accepts on the second attempt and Denies on the first. Looks like I'll have to live with it...

Aruba Employee

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Please check if you have any option to configure L2 authentication order/priority on the switch port, i.e. 802.1x will be attempted first and, when the client does not respond to EAP requests, the switch should then try MAC authentication. This way, clients that do not support EAP-based authentication methods, like printers, can send MAC-authentication requests, and clients that have EAP supplicant support, like computers, can connect through 802.1x at their first attempt.

 

When an authentication request reaches CPPM, it will try to answer it. So, rearranging/combining the MAC-auth and 802.1x services in CPPM does not help.

 

 

Occasional Contributor I

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Thanks VinceF,

I will check if there is any possibility with our Networking engineers, I didn't see anything myself but maybe there is a way of doing that...

New Contributor

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi marrat15,

I was just wondering if you ever found any setting on the Avaya switches to choose the order authentications occur. I've got Avaya switches here and haven't been able to find anything like that myself.

Thanks! 

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

What issue are you experiencing?

Are you able to authenticate either (802.1X / MAC)?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi Victor,

Same as the OP, the Avaya switches seem to do both MAC and 802.1x authentication, though always MAC auth first, so many rejects show up in the logs when a computer does a MAC auth (rejected) and then a .1x auth (successful).

I was hoping maybe someone had come across a setting on the Avaya switches to have the switch do a .1x auth and then, if that's not successful, try MAC auth. But it may be an all-or-nothing scenario.

Thanks

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

I recently deployed this at a customer site and noticed inconsistent results based on the Avaya code used.

With this code I didn't experience any issues:

[image attachment not included]

This is the working config where if an 802.1X enabled client connects this authentication will happen first:

RADIUS SERVER CONFIGURATION
radius server host CLEARPASS-IP acct-enable retry 5
radius server host key "KEY"
radius server host CLEARPASS-IP used-by eapol acct-enable
radius server host key "KEY" used-by eapol
radius server host CLEARPASS-IP used-by non-eapol acct-enable
radius server host key "KEY" used-by non-eapol

COA CONFIGURATION
radius dynamic-server client CLEARPASS-IP
radius dynamic-server client CLEARPASS-IP secret "KEY"
radius dynamic-server client CLEARPASS-IP process-change-of-auth-requests
radius dynamic-server client CLEARPASS-IP process-disconnect-requests

GLOBAL EAP CONFIGURATION
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost non-eap-phone-enable
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost adac-non-eap-enable

EAP INTERFACE CONFIGURATION
interface Ethernet ALL
eapol multihost port 1-46 enable eap-mac-max 3 allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enable
exit
no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number

interface Ethernet ALL
eapol port 1-46 status auto re-authentication enable re-authentication-period 1000 supplicant-timeout 3 server-timeout 10

interface Ethernet ALL
eapol port 1-46 radius-dynamic-server enable

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: Wired NAC using ClearPass and Avaya switch, MAC and Certificate authentication

Hi Victor, 

 

That's great, thanks very much! I'll check that against what I have running and I'll let you know tomorrow.

 

Thanks!
