Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

802.1x and profiling port 2920 and Clearpass

Jump to Best Answer
  • 1.  802.1x and profiling port 2920 and Clearpass

    Posted Mar 12, 2018 10:59 AM

    Hi!

     

    I´m setting up 802.1x for employees and mac-auth for profiling and guestaccess on wired ports on a aruba 2920 switch with clearpass.

    Been using "Wired Policy Enforcement solution guide", excelent guide btw.

     

    I´ve setup a service for mac auth (allow all mac) and a service for 802.1x.

    It´s working fine in practice from what I can see in my lab right now.But I´m a bit worried since I´m seeing some mac-auths hitting the mac-auth service alongside the 802.1x service at almost the same time for my 802.1x configured client.

     

    I´ve tried changing quiet-period for mac auth on the port, but makes no difference.

     

    Is this normal ? It doesnt seem to affect the client, it stays on the employee network all the time. mac-auth does send out captiveportal for the client since it doesnt fit any guestroles in the mac service, but the correct 802.1x vlan seems to stay the same on the switch regardless. But I want to be sure before going forwards with deployment.

     

    oh, and I´m not using user-roles right now, Im using dynamically assigned vlans (via radius responses).



  • 2.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 03:28 AM

    Bump.

     

    Anyone know if this is expected behavior ?

    As I said for every client auth time I get both mac and 802.1x roughly at the same time:

     

    8021port.PNG

     

    Just want to make sure it is the way it´s supposed to work in this case.



  • 3.  RE: 802.1x and profiling port 2920 and Clearpass
    Best Answer

    Posted Mar 14, 2018 06:05 AM
    Yes, that is the switch behavior at this time.


  • 4.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 06:33 AM

    ok, thank you for the clarification. So I assume this wont affect the client because 802.1x auth always has higher priority on the switch than mac?

    So the only downside is a bit of more traffic.



  • 5.  RE: 802.1x and profiling port 2920 and Clearpass
    Best Answer

    Posted Mar 14, 2018 06:43 AM
    Correct


  • 6.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 14, 2018 06:46 AM

    ok, thank you so much for the answers.



  • 7.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 16, 2018 04:03 AM

    I´ve got a question on this. I wonder if Aruba/HPE are planning to introduce something similar to the authentication order/authentication priority cisco commands

     

    Regards,

    Kevin



  • 8.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 16, 2018 04:06 AM
    Please speak with your Aruba account team. Roadmap cannot be discussed in a public forum.


  • 9.  RE: 802.1x and profiling port 2920 and Clearpass

    Posted Mar 16, 2018 04:46 AM

    Will do. Thanks!