Wireless Access

Reply
Frequent Contributor I
Posts: 70
Registered: ‎08-16-2011

Another MAC Auth Question...

Actually MAC Auth Re-Auth Question...


I have an SSID that's uses MAC Auth & WEP.

The initial role clients are placed in is "macfail"
The default role clients are placed in is "authenticated"
RADIUS is performed by CPPM
The MAC DB is an externally hosted MySQL DB.

 

The aaa auth mac profile is as follows:

 

 

MAC Authentication Profile "regdmacs"
-------------------------------------
Parameter                                      Value
---------                                      -----
Delimiter                                      none
Case                                           lower
Max Authentication failures                    0
Reauthentication                               Disabled
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled

Authentication is working as expected.


My question(s) are as follows...

 

If a (let's say stationary) client connects & unsuccessfully authenticates, Clearpass sends a RADIUS Reject and assignes the macfail role, will the client ever perform a re-authentication request?

 

Can I enable Reauthentication & specify a shorter Reauthenication Interval to force a Reauthentication attempt in order to update the client's role, or will the controller only force re-auth of the WEP exchange & cache the client's current role?

 

I am able to de-auth the client, which forces it to re-auth & update its role.

 

I can probably use an RFC 3576 config to bounce the client once they happen to appear in the MAC Registration DB; however, I'd like to find out what the anticipated behavior should be in my current config.

 

I'm not having any luck finding multiple authentication requests from my test client - which makes me suspect that MAC re-auth isn't a thing.

 

I'm not certain if MAC Auth adhere's to any re-auth behaviors if the client never roams to another AP.


TIA,

 

--Raf

--Raf
Search Airheads
Showing results for 
Search instead for 
Did you mean: