Security

Greetings!

i am currently putting a clearpass in operation on our main site. Last week i faced "major" problem while configuring ports with Access Points. My idea was it to authenticate the APs via MAC Auth - which so far works. The ports get tagged via hpe egress correctly and the access point is online after it got authenticated. But all the clients connected to the ap are also sending authentication requests to the switch / clearpass, which i dont need because the clients already authenticate themselfs via 8021x at the AP.

So what am i missing in my coniguration? I also will be taking ports with hub switches into mac auth and only want the switch to be authenticated. 

Best regards

------------------------------
Florian Schmalz
------------------------------

Check this post for the answer. You need to (dynamically) switch to port mode after authentication, check the link to see how to do that.

Assuming you have ArubaOS Switches (you mentioned hpe egress).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 26, 2021 03:33 AM
From: Florian Schmalz
Subject: Correct Configuration for APs, Hubs, etc. with MAC Auth

Greetings!

i am currently putting a clearpass in operation on our main site. Last week i faced "major" problem while configuring ports with Access Points. My idea was it to authenticate the APs via MAC Auth - which so far works. The ports get tagged via hpe egress correctly and the access point is online after it got authenticated. But all the clients connected to the ap are also sending authentication requests to the switch / clearpass, which i dont need because the clients already authenticate themselfs via 8021x at the AP.

So what am i missing in my coniguration? I also will be taking ports with hub switches into mac auth and only want the switch to be authenticated. 

Best regards

------------------------------
Florian Schmalz
------------------------------

Hello Herman,

thanks for your reply. 

Yes i use aruba switches. I will try it out the next time i am in the company and will give feedback after that. :)


------------------------------
Florian Schmalz
------------------------------

Original Message:
Sent: Nov 26, 2021 06:01 AM
From: Herman Robers
Subject: Correct Configuration for APs, Hubs, etc. with MAC Auth

Check this post for the answer. You need to (dynamically) switch to port mode after authentication, check the link to see how to do that.

Assuming you have ArubaOS Switches (you mentioned hpe egress).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 26, 2021 03:33 AM
From: Florian Schmalz
Subject: Correct Configuration for APs, Hubs, etc. with MAC Auth

Greetings!

i am currently putting a clearpass in operation on our main site. Last week i faced "major" problem while configuring ports with Access Points. My idea was it to authenticate the APs via MAC Auth - which so far works. The ports get tagged via hpe egress correctly and the access point is online after it got authenticated. But all the clients connected to the ap are also sending authentication requests to the switch / clearpass, which i dont need because the clients already authenticate themselfs via 8021x at the AP.

So what am i missing in my coniguration? I also will be taking ports with hub switches into mac auth and only want the switch to be authenticated. 

Best regards

------------------------------
Florian Schmalz
------------------------------

Ok so i just testet this configuration and it sadly does not work.

The AP gets authenticated via MAC auth but is not online afterwards. The clients connected to the AP are also still trying to authenticate themselfs again via MAC auth.

Here's the Acces Monitor Log from the authenticated AP.

------------------------------
Florian Schmalz
------------------------------

Original Message:
Sent: Nov 26, 2021 06:01 AM
From: Herman Robers
Subject: Correct Configuration for APs, Hubs, etc. with MAC Auth

Check this post for the answer. You need to (dynamically) switch to port mode after authentication, check the link to see how to do that.

Assuming you have ArubaOS Switches (you mentioned hpe egress).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 26, 2021 03:33 AM
From: Florian Schmalz
Subject: Correct Configuration for APs, Hubs, etc. with MAC Auth

Greetings!

i am currently putting a clearpass in operation on our main site. Last week i faced "major" problem while configuring ports with Access Points. My idea was it to authenticate the APs via MAC Auth - which so far works. The ports get tagged via hpe egress correctly and the access point is online after it got authenticated. But all the clients connected to the ap are also sending authentication requests to the switch / clearpass, which i dont need because the clients already authenticate themselfs via 8021x at the AP.

So what am i missing in my coniguration? I also will be taking ports with hub switches into mac auth and only want the switch to be authenticated. 

Best regards

------------------------------
Florian Schmalz
------------------------------