Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

MAC Authentication AOS-S

  • 1.  MAC Authentication AOS-S

    Posted Jul 28, 2020 02:23 PM

    Hi guys,

    I think I stared too long at this to get the behaviour of a MAC Auth port right. Is it normal that a port on an AOS-S (former ProVision) 2530 switch configured with MAC Authentication authenticates every MAC it learns? Isn't there a config option for MAC auth like port-based / user-based mode on an "authenticator" port?

    Scenario:
    I have a Meraki cloud managed AP which does not support 802.1X wired authentication. I chose to configure the switchport to authenticate the device (AP) via its MAC and dynamically set the needed VLANs on it (works fine). As there are bridged SSIDs on the AP, the wireless clients are bridged locally into a VLAN on the same switchport. The switch wants to authenticate every newly learned / seen MAC address on the wired side.

    Again the question. Is this behaviour normal or did I miss some configuration?
    Does anyone have a hint to achieve a partly acceptable authentication for Meraki APs?


    #2530


  • 2.  RE: MAC Authentication AOS-S
    Best Answer

    Posted Jul 30, 2020 04:08 AM

    If you want to do MAC authentication on an AP that carries tagged VLANs, you will need to return the following attributes to switch to port-mode (don't authenticate the clients that reach the switch in the VLANs from the AP):

    [Screenshot: Screen Shot 2020-07-30 at 09.58.47.png, the attributes returned for MAC Authentication]

    This example uses VLAN names, and the number in front of the VLAN name means 2 for untagged or 1 for tagged. So the VLAN 'Management VLAN' is applied untagged, while 'Corporate VLAN', 'Voice VLAN', etc. are applied tagged.


    You will need to run 16.02.0012 or newer on your switch for these attributes to be recognized.


    In case you authenticate your AP with 802.1X instead of MAC Authentication, the attributes are slightly different:

    [Screenshot: Screen Shot 2020-07-30 at 10.01.41.png, the attributes returned for 802.1X]

    Note that both lines 6 and 7 are different for MAC Auth vs 802.1X, but in the end they do similar things: authenticate the AP (or other devices), return native and tagged VLANs, and change to port mode to prevent clients behind the AP from being authenticated on the switch.


    I can't find the version where the HPE-Port-Dot1x-Port-Mode attribute was introduced, but if you run 16.06 or newer it should be present. If the attributes are not accepted, check the documentation for the version of firmware that you run to see if it is supported, or just upgrade to the latest version.
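As an added illustration (not part of the answer above or any ClearPass/AOS-S code), the helper below builds and validates the prefixed VLAN-name values the answer describes, where the leading character is 1 for tagged and 2 for untagged (the Egress-VLAN-Name convention from RFC 4675); the VLAN names and the class name `PortVlans` are constructed for the example.

```python
# Added example: encode/validate the "1<name>" (tagged) / "2<name>" (untagged)
# VLAN-name values returned to the switch, as described in the answer above.
from dataclasses import dataclass, field

TAGGED, UNTAGGED = "1", "2"   # RFC 4675 tag indication characters


@dataclass
class PortVlans:
    """Desired VLAN membership for one authenticated switchport (constructed type)."""
    untagged: str                       # exactly one native VLAN
    tagged: list = field(default_factory=list)


def encode_vlan_names(port: PortVlans) -> list:
    """Produce the list of prefixed strings for one RADIUS reply."""
    values = [UNTAGGED + port.untagged]
    values += [TAGGED + name for name in port.tagged]
    return values


def decode_vlan_names(values: list) -> PortVlans:
    """Parse prefixed values back; reject bad prefixes or more than one untagged VLAN."""
    untagged, tagged = [], []
    for v in values:
        if len(v) < 2 or v[0] not in (TAGGED, UNTAGGED):
            raise ValueError(f"bad VLAN-name value: {v!r}")
        (tagged if v[0] == TAGGED else untagged).append(v[1:])
    if len(untagged) != 1:
        raise ValueError(f"expected exactly one untagged VLAN, got {untagged}")
    return PortVlans(untagged[0], tagged)


if __name__ == "__main__":
    ap_port = PortVlans("Management VLAN", ["Corporate VLAN", "Voice VLAN"])
    reply = encode_vlan_names(ap_port)
    print(reply)                          # ['2Management VLAN', '1Corporate VLAN', '1Voice VLAN']
    print(decode_vlan_names(reply) == ap_port)
```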



  • 3.  RE: MAC Authentication AOS-S

    Posted Jul 31, 2020 02:36 PM

    Hey Herman,


    that did the trick! Thanks a lot for the quick help!
    As I read it, I thought I had read it before in some guide?!


    Thanks again and have a nice and sunny weekend!