Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass MAC and 8021x auth on same port??

  • 1.  Clearpass MAC and 8021x auth on same port??

    Posted Dec 17, 2021 07:41 AM
    Hi,

    I've set up MAC authentication and RADIUS authentication on the same port of a 2530 switch.
    Computers have machine authentication that works OK, but when a laptop is connected to the port > it first tries MAC auth, which fails, and after that it gets connected with RADIUS. How do I get rid of this behaviour, because it generates reject logs and mails?

    - access tracker logs, first reject for MAC and the Accept to machine certificate

    - Wired service is above MAC, so I suppose it should be processed first?

    snap from switch conf:
    aaa authentication port-access eap-radius
    aaa port-access authenticator 1-36
    aaa port-access authenticator 1 auth-vid 1
    aaa port-access authenticator 1 client-limit 10
    aaa port-access mac-based 1-36
    aaa port-access mac-based 1 addr-limit 10
    aaa port-access mac-based 1 mac-pin
    aaa port-access mac-based 1 auth-vid 1

    br, Ollie


  • 2.  RE: Clearpass MAC and 8021x auth on same port??

    EMPLOYEE
    Posted Dec 17, 2021 11:25 AM
    This is expected behavior. Not sure if you can get rid of it, except that as a 'best practice' you should always return an ACCEPT on MAC Authentication, and put those devices in a separate, isolated VLAN, but where you can do profiling.

    Rejecting clients for MAC authentication has a few drawbacks, like that you cannot do anything with a rejected client (like no CoA, no monitoring) and some switches will also retry on a failed authentication resulting in many more rejects.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
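    Since the expected MAC-auth reject followed by an 802.1X accept is what floods the reject logs and mails, one defensive option while the policy is being reworked is to correlate the two events before alerting. The following is an added example, not code from the thread, from ClearPass, or from Aruba: it parses a constructed, simplified Access Tracker-style export (the CSV layout, the service names "MAC Auth" and "Wired 802.1X", and the 30-second window are assumptions) and separates MAC-auth rejects that were followed by a non-MAC-auth accept for the same host MAC on the same NAS port from rejects that nobody explained.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not real ClearPass data). Columns:
# timestamp, service, username, host MAC, NAS port, result
SAMPLE_EVENTS = """\
2021-12-17 07:30:01,MAC Auth,aabbcc112233,aabbcc112233,1,REJECT
2021-12-17 07:30:04,Wired 802.1X,host/laptop01.example,aabbcc112233,1,ACCEPT
2021-12-17 07:32:10,MAC Auth,ddeeff445566,ddeeff445566,5,REJECT
2021-12-17 07:40:00,MAC Auth,001122334455,001122334455,7,REJECT
2021-12-17 07:40:45,Wired 802.1X,host/laptop02.example,001122334455,7,ACCEPT
2021-12-17 07:45:00,Wired 802.1X,host/laptop03.example,aabbcc998877,9,REJECT
"""

MAC_AUTH_SERVICE = "MAC Auth"  # assumed service name


@dataclass
class Event:
    ts: datetime
    service: str
    username: str
    host_mac: str
    nas_port: str
    result: str


def parse_events(text):
    """Parse the simplified CSV export into Event objects (MACs lower-cased)."""
    events = []
    for line in text.strip().splitlines():
        ts, service, username, host_mac, nas_port, result = line.split(",")
        events.append(Event(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            service, username, host_mac.lower(), nas_port, result.upper(),
        ))
    return events


def classify_rejects(events, window=timedelta(seconds=30)):
    """Split MAC-auth REJECT events into (expected, actionable).

    A MAC-auth reject is 'expected' when the same host MAC on the same NAS
    port receives an ACCEPT from a different service within `window` after
    the reject, i.e. the port fell through to 802.1X as the thread describes.
    Anything else stays 'actionable' and should still be alerted on.
    """
    events = sorted(events, key=lambda e: e.ts)
    accepts = [e for e in events if e.result == "ACCEPT"]
    expected, actionable = [], []
    for rej in events:
        if rej.result != "REJECT" or rej.service != MAC_AUTH_SERVICE:
            continue  # only MAC-auth rejects are candidates for suppression
        followed = any(
            a.host_mac == rej.host_mac
            and a.nas_port == rej.nas_port
            and a.service != rej.service
            and rej.ts <= a.ts <= rej.ts + window
            for a in accepts
        )
        (expected if followed else actionable).append(rej)
    return expected, actionable


def rejects_per_port(rejects):
    """Count actionable rejects per (host MAC, NAS port) for a digest alert."""
    counts = {}
    for r in rejects:
        key = (r.host_mac, r.nas_port)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    expected, actionable = classify_rejects(parse_events(SAMPLE_EVENTS))
    print(f"suppressed (followed by 802.1X accept): {len(expected)}")
    for mac_port, n in rejects_per_port(actionable).items():
        print(f"alert: {n} unexplained MAC-auth reject(s) for {mac_port}")
```

The window is deliberately short so that a reject which is only "explained" by an accept minutes later is still reported; a deployment would tune it to the switch's actual fallback timer. Rejects from the 802.1X service itself are never suppressed, because a failed machine-certificate authentication is exactly what the mails exist for.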



  • 3.  RE: Clearpass MAC and 8021x auth on same port??

    MVP
    Posted Dec 18, 2021 05:03 AM
    Did you try configuring methods in a way that dot1x goes first then mac-auth?

    Usually on Cisco switches we order authentication dot1x first, then in case of failure it moves to MAC auth. There are specific timers and retries which you can play with and tweak based on the infrastructure.

    Maybe this thread is useful


    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=24265

    ---------------------------------
    Shpat
    ---------------------------------