Occasional Contributor II
Posts: 24
Registered: 06-14-2012

mac-auth-only role with 802.1X wireless

I've read a lot of posts and seen this question asked a number of different ways, but there is something I came across in one of the tech docs that makes me wonder if it is somehow possible. Is there a way to use the mac-auth-only role on an 802.1X SSID when authenticating against ClearPass? The idea being that if a client passes MAC auth but fails 802.1X they can be placed in a role where they can get some network access. If this is not possible, is there a way to use the MAC address presented as the credentials for a RADIUS transaction to fulfill the 802.1X process? The tech doc I was reading mentions "MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients."

http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/Chapter11%20Authentication/AuthenticationMethods.htm


MVP
Posts: 1,414
Registered: 11-30-2011

Re: mac-auth-only role with 802.1X wireless

Prestidigitation wrote:
    The mac-auth-only role is primarily used for wired clients."

I believe that line is the important one. With wired you sometimes have the possibility to do auth on MAC if dot1x doesn't work for some reason.

With wireless this is not possible, you need successful dot1x to get access. There is no middle ground here.

Occasional Contributor II
Posts: 24
Registered: 06-14-2012

Re: mac-auth-only role with 802.1X wireless

Thanks boneyard, that's what I figured, but that statement is kind of ambiguous. If it is used "primarily" with wired clients then what is it used secondarily with? Any thoughts about trying to use the MAC address as the username/password for the 802.1X auth portion? Probably grasping at straws here, but it would be immensely helpful to one of my clients if it were possible to get this working.

Guru Elite
Posts: 8,649
Registered: 09-08-2010

Re: mac-auth-only role with 802.1X wireless

With wireless you can do MAC authentication or 802.1X with MAC authorization. You cannot do fail-through like on a wired network. This is due to the way encryption is handled on wireless.

Sounds like you want just basic MAC authentication.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 24
Registered: 06-14-2012

Re: mac-auth-only role with 802.1X wireless

The issue that we're encountering is that after migrating from an 802.1X network that was using controllers communicating with AirWave to the same SSID on IAPs communicating with ClearPass, clients won't complete 802.1X because the server certificate has changed and it is bound to the old profile. This is specific to about 1500 iPads that have that wireless profile provisioned through an MDM, which makes it so you can't forget that network and start with a clean profile. Touching 1500 iPads is quite a chore anyway.

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: mac-auth-only role with 802.1X wireless

Is it possible for you to export the old server certificate (with private key) from the old RADIUS solution and import it into ClearPass to continue using it as the RADIUS certificate? It would allow the iPads to come online.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
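Before moving an existing RADIUS server certificate and key between RADIUS products as clembo suggests, it is worth confirming that the key actually matches the certificate, that it is still valid, and that it carries the serverAuth EKU that supplicants check, then packaging both as PKCS#12 (the import format most RADIUS servers accept). The following shell script is an added example, not code from this thread or from Aruba; it assumes `openssl` (1.1.1 or newer) is on the path and uses a constructed self-signed certificate in place of the real exported one.

```shell
#!/bin/sh
# Added example: sanity-check a RADIUS server cert + key, then bundle as PKCS#12.
# All file names and the self-signed cert below are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the "old" RADIUS server certificate and private key
# (-addext needs OpenSSL 1.1.1+).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/old-radius.key" -out "$WORK/old-radius.crt" \
    -subj "/CN=radius.example.test" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Returns 0 only if the key matches the cert, the cert is valid for at least
# another day, and it has the TLS Web Server Authentication EKU.
check_radius_cert() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "cert expired or expires within 24h"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -A1 "Extended Key Usage" \
    | grep -q "TLS Web Server Authentication" \
    || { echo "cert lacks serverAuth EKU"; return 1; }
  return 0
}

# Bundle cert + key into a password-protected PKCS#12 file; prints its path.
bundle_pkcs12() {
  cert=$1; key=$2; out=$3; pass=$4
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -name "radius-server" -passout "pass:$pass"
  echo "$out"
}

# Demo run: only a bundle that passes the checks is produced.
make_demo_cert
if check_radius_cert "$WORK/old-radius.crt" "$WORK/old-radius.key"; then
  bundle_pkcs12 "$WORK/old-radius.crt" "$WORK/old-radius.key" \
    "$WORK/old-radius.p12" "demo-pass"
fi
```

On the real system, replace the constructed cert and key with the ones exported from the old RADIUS server; the checks are the same.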

Occasional Contributor II
Posts: 24
Registered: 06-14-2012

Re: mac-auth-only role with 802.1X wireless

@clembo That is a great suggestion and one of the first ideas that came to mind. The problem is that there are around 1300 devices connected to the SSID with the new server cert, and this would cause disruption for those users.
