ClearPass / Access Switch - Timeout before accepting MAB

  • 1.  ClearPass / Access Switch - Timeout before accepting MAB

    Posted Jun 03, 2021 08:54 AM
    Hi all,

    I need help with configuring my Dell N2048 access switch. All ports configured have 802.1x and failover to MAB configured. 

    In ClearPass I have successfully set up two wired services, one for 802.1x and one for MAC-Authentication Bypass. This works as intended, but the MAC-based clients will authenticate +/- 110 seconds after connecting the cable. I would like to reduce the time that it takes for the switch to fail over from 802.1x to MAB. Using this, devices like VoIP phones do not have to wait +/- 2 minutes before getting access to the network.

    My question: What configuration do I need to tweak to achieve this? 

    This is my current access switch port-configuration: 
    !
    interface Gi1/0/1
    description "Dot1x & MAB"
    spanning-tree portfast
    switchport mode general
    authentication host-mode multi-domain
    authentication event fail action authorize vlan <UNAUTHED-VLAN>
    authentication event no-response action authorize vlan <UNAUTHED-VLAN>
    authentication event server dead action authorize vlan <UNAUTHED-VLAN>
    authentication event server alive action reinitialize
    authentication periodic
    dot1x timeout tx-period 10
    dot1x max-reauth-req 10
    dot1x max-req 3
    mab
    authentication order dot1x mab
    authentication priority dot1x mab
    exit
    !


    Thanks in advance!



    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: ClearPass / Access Switch - Timeout before accepting MAB
    Best Answer

    Posted Jun 03, 2021 11:42 AM

    This question is probably better suited to a Dell forum, since ClearPass seems to be functioning as intended.

    That being said, I'm assuming the Dell switch is operating the same way Cisco does (given its similar syntax).

    Your dot1x timeout is (max-reauth-req + 1) * tx-period

    So for you, it's (max-reauth-req (10) + 1) * 10

    so 11 * 10 = 110 seconds.

    I'd recommend changing those two values so that the total becomes something more acceptable in your environment.



    ------------------------------
    Christopher Wickline
    ------------------------------
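
An added example, not part of the thread: a small audit that reads port blocks in the syntax shown in the question and applies the formula from the answer above, (max-reauth-req + 1) * tx-period, which the answerer assumes carries over from Cisco behaviour. The function names are hypothetical, and a port without both timers set explicitly is reported as unknown because the switch defaults are not given on this page.

```python
import re

# Constructed sample: Gi1/0/1 has the question's timers; the other two ports are hypothetical.
SAMPLE_CONFIG = """\
interface Gi1/0/1
dot1x timeout tx-period 10
dot1x max-reauth-req 10
dot1x max-req 3
mab
exit
interface Gi1/0/2
dot1x timeout tx-period 3
dot1x max-reauth-req 2
mab
exit
interface Gi1/0/3
mab
exit
"""

# Only the two timers used by the formula are captured; "dot1x max-req" is ignored.
TIMER_RE = re.compile(r"^dot1x (?:timeout )?(tx-period|max-reauth-req) (\d+)$")

def parse_ports(config):
    """Return {interface: {timer name: value}} for timers set explicitly per port."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {})
        elif line == "exit":
            current = None  # left interface context
        elif current is not None and (m := TIMER_RE.match(line)):
            current[m.group(1)] = int(m.group(2))
    return ports

def mab_fallback_seconds(timers):
    """Seconds before 802.1X gives up and MAB starts, per the answer's formula."""
    if "tx-period" not in timers or "max-reauth-req" not in timers:
        return None  # defaults are not on the page, so do not guess them
    return (timers["max-reauth-req"] + 1) * timers["tx-period"]

def audit(config, limit_seconds):
    """Map each port to (delay, verdict) for an acceptable fallback delay."""
    report = {}
    for name, timers in parse_ports(config).items():
        delay = mab_fallback_seconds(timers)
        verdict = "unknown" if delay is None else "ok" if delay <= limit_seconds else "slow"
        report[name] = (delay, verdict)
    return report

print(audit(SAMPLE_CONFIG, limit_seconds=30))
```

The 30-second limit is an arbitrary value for the example; pick the delay your slowest MAB-only device (for example a VoIP phone) can tolerate.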



  • 3.  RE: ClearPass / Access Switch - Timeout before accepting MAB

    Posted Jun 04, 2021 03:41 AM
    Hi Christopher,

    Thanks for your explanation, it makes sense and I will test this in my lab-environment! 


    ------------------------------
    Lex
    ------------------------------