Security

Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

unauthorized users have network access due to switch fail-open

I configured the switch to fail open if communication with CPPM is lost, but because of this setting unauthorized users have access to the network.

If someone has 802.1X enabled on his adapter and connects his PC to the network, the connected switch port will start looking for the authentication server, but since authentication will fail for this user, and due to the "fail-open" action on the switch port, the port will be assigned to the data VLAN and he will have network access.

So is this the logic, or must it be set up in a different way?

Mahmoud
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: unauthorized users have network access due to switch fail-open

What type of switch?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

Re: unauthorized users have network access due to switch fail-open

We have Juniper switches with the port settings below:

set protocols dot1x authenticator interface ge-0/0/31.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/31.0 transmit-period 5
set protocols dot1x authenticator interface ge-0/0/31.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/31.0 reauthentication 86000
set protocols dot1x authenticator interface ge-0/0/31.0 server-timeout 3
set protocols dot1x authenticator interface ge-0/0/31.0 maximum-requests 3
set protocols dot1x authenticator interface ge-0/0/31.0 server-reject-vlan Quarantine-VLAN
set protocols dot1x authenticator interface ge-0/0/31.0 server-fail permit

Mahmoud
Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

Re: unauthorized users have network access due to switch fail-open

When a guest ("unauthorized") who has .1X enabled on the adapter connects to a switch port, I can see in the CPPM logs that it sends a deny access message to the switch, but the switch port dot1x logs show that the port inherited the switch port "fail-open" action.

Mahmoud
Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

Re: unauthorized users have network access due to switch fail-open

Is this controlled through ClearPass, or is it totally related to the switch?

If it is related to ClearPass, then would interchanging the reject and drop actions for the unauthorized users make a difference?

Mahmoud
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: unauthorized users have network access due to switch fail-open

It's a switch configuration.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎04-09-2017

Re: unauthorized users have network access due to switch fail-open

Hi,

Configure 802.1X with MAB auth and set the deny role as the default for the MAC auth policy. With the above configuration the switch will attempt to authenticate the client with 802.1X, and if the client doesn't have 802.1X settings it will look for MAC auth, so CPPM will assign the deny role as per policy. If the CPPM connection to the NAD is lost, the switch will assign the fail-open VLAN to the client.

Regards,

Milind Yashwantrao
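As an added example (not taken from the posts above or from Juniper's documentation), here is how the port from the earlier Junos config can be written so that the two failure modes are handled separately: an Access-Reject from CPPM (unknown user, deny role) lands in the quarantine VLAN, and only a genuine RADIUS timeout triggers the fail-open action, which goes to a limited VLAN instead of `permit`. The VLAN names Quarantine-VLAN and Limited-Access-VLAN, the profile name CPPM-PROFILE, the CPPM addresses 10.0.0.10 and 10.0.0.11 and the shared secret are placeholders chosen for the example.

```junos
# Added example, not the original poster's configuration.
# Placeholders: 10.0.0.10 / 10.0.0.11 (CPPM nodes), <shared-secret>,
# CPPM-PROFILE, Quarantine-VLAN, Limited-Access-VLAN.

# RADIUS clients: two CPPM nodes, so the loss of one node is not a
# "server-fail" event on the port at all.
set access radius-server 10.0.0.10 secret "<shared-secret>"
set access radius-server 10.0.0.10 timeout 5
set access radius-server 10.0.0.10 retry 3
set access radius-server 10.0.0.11 secret "<shared-secret>"
set access radius-server 10.0.0.11 timeout 5
set access radius-server 10.0.0.11 retry 3
set access profile CPPM-PROFILE authentication-order radius
set access profile CPPM-PROFILE radius authentication-server 10.0.0.10
set access profile CPPM-PROFILE radius authentication-server 10.0.0.11
set protocols dot1x authenticator authentication-profile-name CPPM-PROFILE

# Port: 802.1X first, fall back to MAC RADIUS (MAB) for clients
# without a supplicant, so every client is answered by CPPM policy.
set protocols dot1x authenticator interface ge-0/0/31.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/31.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/31.0 transmit-period 5
set protocols dot1x authenticator interface ge-0/0/31.0 maximum-requests 3
set protocols dot1x authenticator interface ge-0/0/31.0 reauthentication 86400

# Wait for CPPM rather than giving up after 3 s (30 s is the Junos default).
set protocols dot1x authenticator interface ge-0/0/31.0 server-timeout 30

# Access-Reject from CPPM: quarantine VLAN, never the data VLAN.
set protocols dot1x authenticator interface ge-0/0/31.0 server-reject-vlan Quarantine-VLAN

# No RADIUS answer at all (every server timed out): limited VLAN,
# instead of "server-fail permit", which opens the port's data VLAN.
set protocols dot1x authenticator interface ge-0/0/31.0 server-fail vlan-name Limited-Access-VLAN
```

`server-fail` is a single choice (deny, permit, use-cache or vlan-name), so committing `vlan-name` replaces the earlier `permit`. The switch applies the server-fail action only when no RADIUS server responds within `server-timeout`; an Access-Reject is a different event and is what `server-reject-vlan` is for. To see which of the two the switch actually recorded for a rejected guest, compare the CPPM Access Tracker entry with `show dot1x interface ge-0/0/31.0 detail` and `show dot1x authentication-failed-users` on the switch, and check whether a very short `server-timeout` lets the switch give up before CPPM's reply arrives.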
