We have enabled dot1x settings through Group Policy on Windows machines, and both Machine and User authentication are working fine. We have added the profile "Update endpoint as Known", which adds the attribute Domain-machine=yes for machine-authenticated devices. Sometimes we are observing MAC authentication requests from dot1x-enabled machines, and in the RADIUS request we can see Domain-machine=Yes and Known endpoint. Why this behaviour for dot1x-enabled machines? Please suggest any changes required.
That is normal if you enabled both 802.1X and MAC authentication on the same port. Depending on the switch brand, type, and configuration, you will see either:
- a MAC authentication
- an 802.1X authentication
- a MAC authentication and after that an 802.1X authentication
- an 802.1X authentication and if there is no response from the client a MAC authentication
- a MAC and an 802.1X authentication at the same time
The ArubaOS switches will, by default, if both MAC and 802.1X (authenticator) are configured on the same port, fire both simultaneously; if the 802.1X succeeds, that will take precedence and the MAC authentication result is ignored.
Please note that a client does not take any action in triggering a MAC authentication. If the switch sees a new MAC address, the switch will trigger the authentication. That is why no support is needed for MAC authentication on the client side, and the MAC auth method works for any type of device as a fallback for 802.1X.
Hi Robers, thank you for your response. We are using Juniper EX switches, and as per Juniper, it will first try 802.1x and, if that fails, will then try MAC RADIUS authentication. Below is the statement from the Juniper article.
"You can configure both 802.1X and MAC RADIUS authentication methods on the interface. In this case, the switch first attempts to authenticate using 802.1X, and if that method fails, it attempts to authenticate the end device using MAC RADIUS authentication."
My question is: if the endpoint is dot1x-capable and already authenticated using 802.1x, why is it later trying to do MAC authentication? That I am not able to understand.
Is it because the machine is in sleep mode, or anything else?
There are some possible explanations, where it is likely that the 802.1X supplicant on the client is not responding. That could be, for example, during boot. If during boot the system is trying to use the network before the supplicant is active, you can get into that situation; for example, if your PC tries to do a PXE network boot. Systems in sleep may indeed also result in that situation. Most switches will return to 802.1X as soon as the client starts to initiate authentication. If you really want to know, you will probably need to correlate the logs from your client and switch/ClearPass/RADIUS; there is a good chance you will find that the system is booting or it has something to do with sleep mode.
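The correlation suggested above, as an added example that is not part of the original thread: it reads a RADIUS request export and a client-side event export, picks out every MAC-auth request that carries Domain-machine=Yes (i.e. an endpoint that has previously completed 802.1X machine authentication), looks for a boot or resume event on the same MAC shortly before it, and checks whether an 802.1X success follows, which is the "switch returns to 802.1X" recovery described in the reply. The log line formats, field names and the two MAC addresses are constructed for the example and are not ClearPass or Juniper native formats; adapt parse_log to your own export.

```python
"""Correlate MAC-auth fallback requests from 802.1X-capable endpoints with client events.

Added example for the thread above; not code from the forum, Aruba or Juniper.
Log formats are constructed key=value lines (assumption): a timestamp followed by
space-separated key=value fields. 'Domain-machine' follows the attribute name used
in the question; 'method', 'mac', 'result' and 'event' are assumed field names.
"""
from datetime import datetime

# Constructed RADIUS request export: one request per line (sample data, not real).
RADIUS_LOG = """\
2021-05-03T08:01:12 method=EAP-TLS mac=00:11:22:33:44:55 user=host/pc1.corp.example Domain-machine=Yes result=ACCEPT
2021-05-03T08:14:40 method=MAC-AUTH mac=00:11:22:33:44:55 user=001122334455 Domain-machine=Yes result=ACCEPT
2021-05-03T08:15:05 method=EAP-TLS mac=00:11:22:33:44:55 user=host/pc1.corp.example Domain-machine=Yes result=ACCEPT
2021-05-03T09:00:00 method=MAC-AUTH mac=aa:bb:cc:dd:ee:ff user=aabbccddeeff Domain-machine=No result=ACCEPT
2021-05-03T12:30:10 method=MAC-AUTH mac=00:11:22:33:44:55 user=001122334455 Domain-machine=Yes result=ACCEPT
"""

# Constructed client-side event export (e.g. boot/resume events pulled from the
# Windows event log and tagged with the adapter MAC). Sample data, not real.
CLIENT_EVENTS = """\
2021-05-03T08:14:20 mac=00:11:22:33:44:55 event=BOOT
2021-05-03T12:29:50 mac=00:11:22:33:44:55 event=RESUME_FROM_SLEEP
"""


def parse_log(text):
    """Parse 'ISO-timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        fields["ts"] = datetime.fromisoformat(stamp)
        records.append(fields)
    return records


def explain_mac_auth(radius_text, client_text, window_seconds=120):
    """Return one finding per MAC-auth request from a Domain-machine=Yes endpoint.

    likely_cause: the most recent client event (BOOT, RESUME_FROM_SLEEP, ...) for the
    same MAC within window_seconds before the request, or 'unknown'.
    dot1x_recovered: True if a non-MAC-auth ACCEPT for the same MAC follows within
    window_seconds, i.e. the supplicant came up and the port went back to 802.1X.
    """
    radius = parse_log(radius_text)
    events = parse_log(client_text)
    findings = []
    for req in radius:
        if req.get("method") != "MAC-AUTH" or req.get("Domain-machine") != "Yes":
            continue  # only fallback requests from endpoints known to do 802.1X
        cause = "unknown"
        for ev in events:
            gap = (req["ts"] - ev["ts"]).total_seconds()
            if ev.get("mac") == req["mac"] and 0 <= gap <= window_seconds:
                cause = ev["event"]  # later events overwrite earlier ones: most recent wins
        recovered = any(
            r.get("method") != "MAC-AUTH"
            and r.get("mac") == req["mac"]
            and r.get("result") == "ACCEPT"
            and 0 < (r["ts"] - req["ts"]).total_seconds() <= window_seconds
            for r in radius
        )
        findings.append({
            "ts": req["ts"].isoformat(),
            "mac": req["mac"],
            "likely_cause": cause,
            "dot1x_recovered": recovered,
        })
    return findings


if __name__ == "__main__":
    for f in explain_mac_auth(RADIUS_LOG, CLIENT_EVENTS):
        print(f)
```

On the sample data the 08:14:40 request is explained by a BOOT event 20 seconds earlier and is followed by an EAP-TLS success 25 seconds later, so the port did return to 802.1X; the 12:30:10 request follows a resume from sleep and has no 802.1X recovery within the window, which is the case worth looking at on the client. The aa:bb:cc:dd:ee:ff request is ignored because that endpoint was never machine-authenticated, so MAC auth is its normal path, not a fallback.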
Hi, you can use the priority and order commands on the switch. For example:
aaa port-access <interface> auth-order authenticator mac-based
aaa port-access <interface> auth-priority authenticator mac-based
With these configurations, the switch tries 802.1x first (order) and then tries MAC auth. If 802.1x succeeds, 802.1x takes precedence (priority). And you have to configure separate services on the CPPM side for 802.1x and MAC auth.