View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Why MAC authentication request from dot1x enabled macine

This thread has been viewed 20 times
  • 1.  Why MAC authentication request from dot1x enabled macine

    Posted Jul 18, 2019 01:24 AM


    We have enabled dot1x settings through Group Policy on Windows machines and working fine both Machine and User authentication. We have added profile "Update endpoint as Known" and adding attribute Domain-machine=yes for machine authenticated devices. Sometimes we are observing MAC authentication request from dot1x enabled machines and in RADIUS request we can see Domain-machine=Yes and Known endpoint. Why this behaviour for dot1x enabled machines. Please suggest any changes required.




  • 2.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Jul 18, 2019 04:15 AM

    That is normal if you enabled both 802.1X and MAC authentication on the same port. Depending on the switch brand, type, and configuration, you will see either:

    - a MAC authentication

    - an 802.1X authentication

    - a MAC authentication and after that an 802.1X authentication

    - an 802.1X authentication and if there is no response from the client a MAC authentication

    - a MAC and an 802.1X authentication at the same time


    The ArubaOS switches will, by default if both MAC and 802.1X (authenticator) are configured on the same port fire both simultaneous and if the 802.1X succeeds that will take precedence and the MAC authentication result is ignored.


    Please note that a client does not take any action in triggering a MAC authentication. If the switch sees a new MAC address, the switch will trigger the authentication. That is why there is no support needed for MAC authentication on the client-side, and the MAC auth method works for any type of devices as a fallback of 802.1X.

  • 3.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Jul 18, 2019 06:13 AM

    Hi Robers, Thank you for your response. We are using Juniper EX switches and as per Juniper, first, it will try for 802.1x and if it fails then will try for MAC RADIUS authentication. Below is the statement from Juniper article.


    "You can configure both 802.1X and MAC RADIUS authentication methods on the interface. In this case, the switch first attempts to authenticate using 802.1X, and if that method fails, it attempts to authenticate the end device using MAC RADIUS authentication."


    My question is, If the endpoint is dot1x capable and already authenticated using 802.1x then later sometime why it is trying to do MAC authentication that I am not able to understand.


    Is it because the machine is in sleep mode or anything else?




  • 4.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Jul 18, 2019 08:37 AM

    There are some possible explanations, where it is likely that the 802.1X supplicant on the client is not responding. That could be for example during boot. If during boot, the system is trying to use the network before the supplicant is active, you can get into that situation. For example, if your PC tries to do a PXE network boot. Systems in sleep may indeed also result in that situation. Most switches will return to 802.1X as soon as the client starts to initiate authentication. If you really want to know you will probably need to correlate the logs from your client and switch/ClearPass/RADIUS; good chances you will find that the system is booting or it has something to do with sleep mode.

  • 5.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Jul 30, 2019 06:21 AM
    Hi Robers, I observed the below behavior on MAC authentication request from dot1x enabled machine. Whenever the connected machine access remotely i.e. RDP then the machine is trying for MAC authentication and when the machine is in idle or sleep condition. Is it normal behavior and do we need any additional configuration to avoid this behavior. Please suggest. Thanks, Yugandhar.

  • 6.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Nov 25, 2022 06:59 AM
    I am having the same issue at one of my client sites:

    - I have end devices plugged into 2930F-48G switch
    - It is running version WC.16.10.0022
    - DOT1X is enabled on the switch port as is MAC authentication.
    - DOT1X happens first and the client get authenticated and on the network.
    - The problem is after some time the client does MAC authentication and loses access to the network.
    - The switch port config is as follows:
    untagged vlan 1
    aaa port-access authenticator
    aaa port-access authenticator tx-period 10
    aaa port-access authenticator supplicant-timeout 10
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    - Why is the client doing MAC auth after a success dot1x?
    - I have disabled the following option on the client NIC and it has made no difference:"Fallback to unauthorised network access"
    - I believe this is a switch or client problem rather than a CPPM problem.

    Please let me know your thoughts on how to resolve this issue?

  • 7.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Nov 28, 2022 01:48 AM


    You can use priority and order commands on switch. For example;

    aaa port-access <interface> auth-order authenticatior mac-based

    aaa port-access <interface> auth-priority authenticatior mac-based

    With these configurations, switch tries 802.1x first ( order ) and then tries mac-auth. If it success from 802.1x, 802.1x takes predence (priority).
    And you have to configure separate services on CPPM side for 802.1x and Mac-Auth.

    Tuna AKYOL // ACMX#1374

  • 8.  RE: Why MAC authentication request from dot1x enabled macine

    Posted Nov 28, 2022 09:32 AM
    If you see a MAC authentication, it's likely that the 802.1X authentication expired and not renewed by the client (or not triggered by the switch, but that is unlikely). It is expected that you see both MAC and 802.1X, but the 802.1X will take precedence, which means you can ignore the 802.1X.

    As I see you have a client limit, could it be that there are more mac address active on the same port?

    Would be good to see the output of 'show port-access clients 1/10 detail' if your client is on port 1/10; as well the top of 'show logging -r' just after the initial authentication, as well just after you see that issue. Aruba Support may be helpful in analyzing the logs and run additional commands based on the output.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.