Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM - Enforcing MacAuth if 802.1x fails ?

  • 1.  CPPM - Enforcing MacAuth if 802.1x fails ?

    Posted Oct 25, 2017 04:49 AM

    Hi guys,

     

    Has anybody come up with a way to force a client to authenticate against a macAuth service in the case it failed to authenticate against an 802.1x service ?

     

     

    Imagine an unknown client connects to the network and has an 802.1x supplicant enabled, but without correct credentials and/or proper settings.

    From what I understand, this client would trigger an 802.1x service (if present) then would fail to authenticate and get rejected, without a chance to try MacAuth.

     

    What I would like is this client to be reliably redirected to a MacAuth service.

    Maybe by caching something during the 802.1x service ? Or maybe by a combination of NAD config + clever service ordering ?

     

    I'll try to achieve this in a lab, but I also wanted to ask you guys.

     

    Thanks in advance

     

    Cheers



  • 2.  RE: CPPM - Enforcing MacAuth if 802.1x fails ?
    Best Answer

    Posted Oct 25, 2017 08:52 AM

    This is 100% dependent on the capability of the NAD. There is nothing ClearPass can do to steer this behavior. I assume you're talking about wired?



  • 3.  RE: CPPM - Enforcing MacAuth if 802.1x fails ?

    Posted Oct 25, 2017 09:01 AM

    Hi,

     

    Yes I was talking wired, NAD is an HP 5130.

     

    I've gone through some of the docs and to this point I didn't find anything like "If dot1x failed then try MacAuth before setting the port to Unauthorized state".

    I still have some testing to do, maybe the switch tries both auth types consecutively anyway (if both are enabled on the port), but I seriously doubt it.

     

    Thanks for the reply



  • 4.  RE: CPPM - Enforcing MacAuth if 802.1x fails ?

    Posted Oct 25, 2017 09:05 AM
    Did you look at the Solution Guide for Wired Policy Enforcement? It covers the HPE 5130 in great detail.


  • 5.  RE: CPPM - Enforcing MacAuth if 802.1x fails ?

    Posted Oct 25, 2017 09:16 AM

    Oh nice ! Didn't see that one, thanks a lot :)