Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Wireless+Mac authentication.

This thread has been viewed 103 times
  • 1.  Clearpass Wireless+Mac authentication.

    Posted Aug 16, 2021 12:16 PM
    Hi everyone,

    We have successfully deployed ClearPass doing EAP-TLS for Wired and Wireless as well as Mac Authentication.
    However, one thing that I noticed is that the Wireless one is also doing Mac Authentication even though the wireless profile is configured for EAP-TLS.

    There are two problems that we have noticed with that.
    1 - If the wireless service is at the top, the device successfully authenticates using EAP, but then it fails when it performs MAC resulting in the device losing connectivity.

    2 - If I switch the order and put MAC at the top, it will fail, but then it will get connected as it fails back to EAP. The problem with that is the "noise" it creates when exporting the logs to our SIEM.

    The wireless profile is configured as Bridge, would that be the reason? 

    Thank you very much,

    ------------------------------
    Gilles Villeneuve
    ------------------------------


  • 2.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 17, 2021 03:33 AM
    Hello Gilles,
    from your description I have 2 ideas:

    • In your wireless authentication, do you have a button like "Perform additional MAC authentication" enabled? (when using mobility conductor, did you enable a mac-auth accidently in aaa-profile?)
    • When using bridge-mode APs, do you have wired port auth enabled on the switch? This way clients would auth against wireless first and then again on switchport. Tho avoid this, you have to set the switchport in Port-Auth mode instead of user-auth mode.

    Best regards Johannes

    ------------------------------
    Johannes Haberstroh
    ------------------------------



  • 3.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 17, 2021 03:19 PM
    Hi Railway,

    Thanks for you reply.

    In the wireless authentication, I couldn't find anything related to "perform additional Mac authentication".

    One thing that I have noticed is that if I indeed change the port to Multi-Domain / Multi Host, it works as expected. Different from Multi-Auth.

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 4.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 18, 2021 06:14 AM
    I'm confused. You mention 'wireless' and 'change the port to Multi-Domain/Multi-Host', which is something wired...

    If you see a MAC authentication from your wired switch, for a wireless client that is connected to an AP that is connected to that switch, that is your issue. Make sure that APs connected to your switch are either exempted from wired authentication, or if you are doing authentication make sure the MAC addresses behind the AP are not subject to authentication. For ArubaOS/CX switches, make sure these are (dynamically) configured for port mode.

    In case you are unsure, it may help to have someone look together with you, like your Aruba partner or Aruba support, to see what's happening.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 18, 2021 12:19 PM
    Hi Hearman,

    Thanks for your reply.
    Yes, you are correct. The AP in bridge mode is connected to our access switch which is configured to authenticate against ClearPass.

    What it seems to happen is that if the port (Switch) that goes to the AP is set as Multi-Auth, it performs Mac authentication for every Wireless client connected to that AP regardless of it being already authenticated via 802.1x.

    On a different switch, I have changed the port to instead of being Multi-Auth to be MD/MH, after doing that I can see only one Mac authentication (The AP) and the Wireless client only on my 802.1x service.

    Thank you,

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 6.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 23, 2021 05:50 AM
    Please be aware that Multi-domain/multi-host will effectively disable any authentication for additional devices on the same switch port. If someone places a hub/switch on the port, the first device will authenticate, and all other devices will get that same access without authentication.

    Don't think you mentioned the switch type, but if you can selectively by returning RADIUS attributes switch the port mode only for APs, that would be more secure. ArubaOS Switch and AOS-CX can do that. For other brands of switches, it probably depends on the brand/type.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 23, 2021 10:47 AM
    Hi Herman,

    Thanks for your reply.

    We are using Dell OS switches.
    Regarding the Multi-Domain/Multi-Host, thanks for bringing it to my attention. I don't know why, but I had understood Multi-Host/Multi-Auth would allow each Mac to be authenticated individually, but I guess in this case it would be the Multi-Authentication mode.

    One question in this topic, in a case where I have a downstream phone or switch and I want to place them in different VLAN based on certain attributes, how would it behave if they are in the same switch port? Can I use the standard access mode with ClearPass returning the VLAN ID? or they should be "general"?

    Thank you,

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 8.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 23, 2021 11:31 AM
    From what I know for other switches, there multi-auth is authenticating each individual client (MAC), and you can return different VLANs for different devices on the same port. With multi-domain, you authenticate the device on the native VLAN (example PC) and the device on the tagged VLAN (like your phone), which probably are seen as two domains (data, voice). And multi-host authenticates the first, and allows everything else on the same port (with the same VLAN, dACLs, etc).

    Recommended is multi-auth in that case, but for APs as you found out there needs to be an exception, but you probably need to send tagged VLANs as well to your AP. I don't know how to do that on Dell switches though, and one pragmatic approach might be to put the APs on a static configured port instead of doing 802.1X/MAC auth; if you can't make that work.

    For device-behind-phone, what works is to have both devices authenticated, just assign different VLANs. The phone in that case does not require the voice VLAN as tagged. Some switches can also assign tagged VLANs in case your phone has to use tagged VLANs.

    Another switch behind your controlled switch port should be avoided, but it would be a similar scenario as your AP, but if you don't control that switch it is important to authenticate each of your devices (multi-auth). Unmanaged switches don't have an IP by their own, so you can't really profile those.

    As Dell has sold ClearPass in the past, you may check with Dell Support if they have proper documentation on how to best deploy in your situation.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 23, 2021 12:20 PM
    Hi Herman,

    Yes, you are completely right, I appreciate all the help.

    I got the change today to play with one of the switches in an isolated environment, I will perform all the proper tests and let you know how it goes.

    Thank you

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 10.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 24, 2021 02:51 PM
    Hi Herman,

    Just wanted to provide an update on it.
    Yes, you are correct, by returning the VLANs through enforcement profile, it does attach the device to the proper VLAN.

    I changed the switch port where the AP is connected to Multi-Auth, which is authenticating each and every device connected to that AP (as it should).

    However, it authenticates using MAC authentication only, instead of 802.1x. This is where I couldn't figure out how to make it authenticate over 802.1x. I did try to have the 802.1x service as preference than MAC authentication, but on the radius request, it uses the mac-address as username instead of the certificate for 802.1x

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 11.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 25, 2021 05:19 AM
    Gilles,

    Are you talking about the AP itself not doing 802.1X to the switch? That is configured on the AP.
    If you refer to clients that are behind the AP, those will not be able to do 802.1X as they have the AP as point of connection. They (can) do 802.1X to the AP, but not to the switch that is behind it.

    You configure 802.1X on the point where you access the network, which is for wireless clients on the AP, for wired clients it is on the switch port.
    If you connect an AP, with wireless clients behind it, to a wired port, you either make it a static configured port, without any 802.1X or MAC authentication, which is the 'easy way'. Or you check how you can dynamically configure the switch port (RADIUS VSAs) to switch to host/multi-domain when your AP authenticates, as it does not make sense to authenticate twice (and that does not really work either as you have found out).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 25, 2021 10:09 AM
    Hi Herman,


    Thanks for the great details. That's correct. I am referring to the device that connects to the AP. It authenticates twice based on what I noticed, and as you confirm. The second authentication uses the switch as NAS and only MAC, I also noticed that MAC authentication has a Machine Authenticated role attached to it, which I believe it is due to cache of the wireless 802.1x being successfully authentication.

    I thought about using the interface as static or Host/MD, but using static I won't be able to do dynamic VLAN as I would like to provide to my users the same experience. (E.g. Device Unhealthy, go to the VLAN quarantine, device healthy, go to Data VLAN).

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 13.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 26, 2021 04:14 AM
    Gilles,

    If the switchport that connects to the AP has all the possible VLANs assigned as tagged, you can leave that configuration static. On other switch ports (connecting to user devices) you can still assign dynamic VLAN. During the authentication on the AP, you can do the same for wireless users as the AP is 'trusted' from the network and can place the users in any VLAN that is available.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 14.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 27, 2021 05:31 PM
    Hi Herman,

    Ohh, I see. So if I have all the vlans on that switchport (APs), and configure the enforcement profile to return the proper VLAN, the AP would just assigned it to the proper VLAN?

    I will be testing it out early next week.

    Thank you,

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 15.  RE: Clearpass Wireless+Mac authentication.

    Posted Aug 30, 2021 04:44 AM
    Yes, and the AP is the device that authenticates and assigns roles and VLANs, the switch just allows that traffic through. The connection to the AP is  for your switch similar how you would create an uplink/trunkl to another switch.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 16.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 01, 2021 11:32 AM
    Hi Herman,

    Hope you are doing well.

    I just did the testing.

    Switch -> AP (Trunk with all VLANs). The AP is set to authorized so that we avoid those multiple authentications.

    However, if the enforcement profile returns VLAN 90 (example), the AP still assign the device to the default vlan set on that port.

    Thank you,

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 17.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 02, 2021 06:01 AM
    What attributes does ClearPass return to your AP?
    What type of AP is it?

    If it is an Aruba AP, and you tried the default VLAN assignment (with IETF-Tunnel-Group-Id), try to return the VLAN with the Aruba-User-VLAN attribute.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 18.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 02, 2021 07:47 AM
    Hi Herman,

    I am returning the same ones that I return when it is wired. (Tunnel Private Group ID).
    The AP that I am using is from Fortinet. I checked their documentation, they do say it supports dynamic VLAN, but it looks like I need to have an interface with different vlans for that wireless.
    FortiWiFi and FortiAP Configuration Guide | FortiAP / FortiWiFi 7.0.1 | Fortinet Documentation Library

    Thank you,

    ------------------------------
    Gilles Villeneuve
    ------------------------------



  • 19.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 02, 2021 07:53 AM
    Seems you have to explicitly enable 'dynamic vlan' in your ssid configuration: set dynamic-vlan enable

    Assume you did that, then if you return the attributes in the documentation, and the AP does not assign the dynamic vlan, I would contact the Fortinet TAC.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 20.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 17, 2021 07:45 AM
    Hi everybody,

    hope my message fits this discussion:

    I have a quite similiar problem. I´ve implemented a Wired-MAC based Service for my switch ports. The service checks the category of the device, which is connected to the switch (Computer,VoIP Phone,Access Point).
    This works fine, the AccessPoint is recognized correctly and the appropiate VLANs are assigned (one untagged VLAN for the AP and two tagged VLANs).
    If I now try to establish a WLAN connection the correct service is hit and the correct profile is assigned. But I looks like, if the VLANs isn´t assigned correctly (The client didn´t get an IP address, so I guess it´s not in the correct VLAN).
    If I connect the AccessPoint to a port where I assign the VLANs (one unttagged, two tagged) static, everything is working fine.

    I use an Aruba IAP and and Aruba Switch (2530).

    Hope it´s okay to use this discussion instead of creating a new one....

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 21.  RE: Clearpass Wireless+Mac authentication.

    Posted Sep 17, 2021 09:54 AM
    Yes, please open a new discussion. This discussion is about Dell switches and Fortinet.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------