03-22-2017 02:48 AM
I'm new to ClearPass but have been playing with this now for some time in the lab.
I'm wondering if somebody has experienced something similar to this. Whenever the PC with the machine certificate is connected to the switch port, in Access Tracker I first see a reject based on the MAC authentication and then, about 30 seconds later, an accept based on the certificate authentication. It looks like the switch always offers up two kinds of authentication methods to the ClearPass server (first MAC auth), although the PC connecting is configured for 802.1x authentication using a machine certificate (I didn't see this effect using Juniper switches).
I have tried configuring a single service combining both MAC auth and 802.1x (EAP-TLS (no auth)) and two separate services, the top one using EAP-TLS and the second for MAC auth, but I still get the same error. Everything is 'working', but with the side effect that the 802.1x PC is always rejected first and then accepted afterwards. Another funny side effect is that if I connect a device to the switch, it looks like the Avaya switch sends a re-authentication request for all other devices already connected to the switch.
I cannot test a different software version on the switch at the moment as the customer is running this version on all his switches.
Avaya details: Ethernet Routing Switch 4850GTS-PWR+ HW:15 FW:188.8.131.52 SW:v5.6.5.013 BN:13 (c) Avaya Networks
ClearPass details: vers. 184.108.40.206015
Any tips or pointers would be much appreciated, Thanks!
03-22-2017 11:03 AM
Every switch that supports 802.1x usually comes with a guide that explains all the features and configurations. I never worked with Avaya, but every vendor is different.
In your case, it looks like the switch is configured to do concurrent MAC authentication and 802.1x authentication, which is fine, since you might want to plug a printer or an enterprise laptop into a port.
Also I would suggest to go with 2 services instead of mixing MAC auth and PEAP or TLS in 1 service.
Since the first request sent by the switch (NAD) is a MAC Auth, you need to order the MAC authentication service on top of the 802.1x one.
Then, you will plug an enterprise laptop into that port:
- The switch will send a MAC auth request to CP
- CP will deny it
- The switch will then send an 802.1x auth request to CP
- CP should accept it
03-22-2017 11:55 PM
Thanks for your reply. Yes, the switch is configured for both MAC authentication and 802.1x authentication (we have to do both). I had hoped I could avoid the Reject messages on the 802.1x ports, but it seems it's 'all or nothing'. I tried reversing the services, but the effect is always the same: it Accepts on the second attempt and Denies on the first. Looks like I'll have to live with it...
03-24-2017 12:13 PM
Please check if you have any option to configure L2 authentication order/priority on the switch port, i.e. 802.1x will be attempted first and, when the client does not respond to EAP requests, the switch should then try MAC authentication. This way, clients that do not support EAP-based authentication methods, like printers, can send MAC authentication requests, and clients that have EAP supplicant support, like computers, can connect through 802.1x at their first attempt.
When an authentication request reaches CPPM, it will try to answer it. So, rearranging/combining the MAC auth and 802.1x services in CPPM does not help.
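To make the two points in this thread concrete (the reply of 03-22-2017 11:03 AM describing the MAC-auth Reject followed by the 802.1x Accept, and the reply above explaining that CPPM answers each request it receives on its own), here is an added Python model. It is not code from the thread, from ClearPass or from Avaya. It assumes the standard RADIUS attribute names, a simplified version of the usual service-classification rules (EAP-Message present means 802.1x; Service-Type Call-Check with User-Name equal to Calling-Station-Id means MAC auth), and a constructed comma-separated export that stands in for Access Tracker; the MACs, port names and timestamps are made up for the demo.

```python
"""Model of per-request service selection and a triage helper that separates the
expected MAC-auth Reject (followed by an 802.1x Accept on the same port) from
rejects that have no follow-up Accept. Added example; all names and sample data
are constructed assumptions, not ClearPass or Avaya behaviour verbatim."""
from datetime import datetime, timedelta

# Constructed RADIUS requests as a NAD would send them for one laptop on one port.
MAC_AUTH_REQ = {
    "User-Name": "00-11-22-33-44-55",
    "Calling-Station-Id": "00-11-22-33-44-55",
    "Service-Type": "Call-Check",   # typical marker of a MAC-auth request (assumption)
    "NAS-Port-Type": "Ethernet",
}
DOT1X_REQ = {
    "User-Name": "host/pc01.example.local",
    "Calling-Station-Id": "00-11-22-33-44-55",
    "EAP-Message": b"\x02\x01\x00\x1a\x01host/pc01.example.local",  # EAP Identity response
    "Service-Type": "Framed-User",
    "NAS-Port-Type": "Ethernet",
}


def classify(req):
    """Return '802.1x', 'mac-auth' or None for a RADIUS Access-Request."""
    if "EAP-Message" in req:
        return "802.1x"
    same_mac = req.get("User-Name", "").lower() == req.get("Calling-Station-Id", "").lower()
    if req.get("Service-Type") == "Call-Check" and same_mac:
        return "mac-auth"
    return None


def select_service(req, services):
    """First service in the ordered list whose auth type matches the request wins."""
    kind = classify(req)
    for name, auth_type in services:
        if auth_type == kind:
            return name
    return None


# Two service orders, MAC auth on top versus 802.1x on top (hypothetical service names).
ORDER_MAC_FIRST = [("Wired MAC Auth", "mac-auth"), ("Wired 802.1X EAP-TLS", "802.1x")]
ORDER_DOT1X_FIRST = list(reversed(ORDER_MAC_FIRST))


def order_changes_outcome(req):
    """True only if reordering the services changes which service answers this request."""
    return select_service(req, ORDER_MAC_FIRST) != select_service(req, ORDER_DOT1X_FIRST)


# Constructed Access Tracker-style export: timestamp,mac,port,method,result.
ACCESS_TRACKER = """\
2017-03-22 02:31:05,00-11-22-33-44-55,1/7,MAC-AUTH,REJECT
2017-03-22 02:31:34,00-11-22-33-44-55,1/7,EAP-TLS,ACCEPT
2017-03-22 02:32:10,aa-bb-cc-dd-ee-ff,1/9,MAC-AUTH,REJECT
2017-03-22 02:33:41,aa-bb-cc-dd-ee-ff,1/9,MAC-AUTH,REJECT
"""


def parse_records(text):
    """Parse the constructed export into (time, mac, port, method, result) tuples."""
    out = []
    for line in text.strip().splitlines():
        ts, mac, port, method, result = line.split(",")
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mac.lower(), port, method, result))
    return out


def triage_rejects(records, window=timedelta(seconds=60)):
    """Split MAC-auth rejects into 'expected' (an EAP Accept follows on the same
    MAC and port within `window`) and 'suspicious' (nothing accepted afterwards)."""
    eap_accepts = [r for r in records if r[4] == "ACCEPT" and r[3] != "MAC-AUTH"]
    expected, suspicious = [], []
    for r in records:
        if not (r[3] == "MAC-AUTH" and r[4] == "REJECT"):
            continue
        paired = any(a[1] == r[1] and a[2] == r[2] and r[0] <= a[0] <= r[0] + window
                     for a in eap_accepts)
        (expected if paired else suspicious).append(r)
    return expected, suspicious


if __name__ == "__main__":
    for req in (MAC_AUTH_REQ, DOT1X_REQ):
        print(classify(req), "-> order matters:", order_changes_outcome(req))
    exp, sus = triage_rejects(parse_records(ACCESS_TRACKER))
    print(f"{len(exp)} expected reject(s), {len(sus)} reject(s) to investigate")
```

Each request lands in the same service under either ordering because only one service matches it, which is why swapping the order in CPPM leaves the first Reject in place; the triage function is the practical consequence for an operator who has to live with that Reject and still wants to spot endpoints that never get an Accept.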
03-27-2017 07:19 AM
I will check if there is any possibility with our Networking engineers, I didn't see anything myself but maybe there is a way of doing that...