
MAC Auth Issues

  • 1.  MAC Auth Issues

    Posted Jun 03, 2015 03:37 PM

    Using a Cisco 3750x and a test laptop with 802.1x authentication off.  Trying to get ClearPass to allow access via MAC Authentication.  Created a Service with the following parameters:


    Service Tab

    Type = Connection, Name = Client-MAC-Address-NoDelim, Operator = EQUALS, Value = %{RADIUS:IETF:User-Name}

    Type = Radius:IETF, Name = NAS-Port-Type, Operator = EQUALS, Value = Ethernet (15)

    Type = Radius:IETF, Name = Service-Type, Operator = EQUALS, Value = Call-Check (10)


    Authentication Tab

    Authentication Method = [Allow All MAC AUTH]

    Authentication Sources = [Endpoints Repository][Local SQL DB]


    Authorization Tab

    Additional authorization.... = [Endpoints Repository][Local SQL DB]


    Roles Tab

    -NONE-  We are not using roles.  Just a basic allow/deny.  The VLAN configured on the switchport will be used for VLAN assignment.  


    Enforcement Tab

    Default Profile = [Deny Access Profile]

    Rules Evaluation Algorithm = first-applicable

    Conditions = Authorization:[Endpoints Repository]:Category EQUALS Computer  AND
                 Authorization:[Endpoints Repository]:Status EQUALS Known

    Enforcement Profiles = [Allow Access Profile]


    Profiler Tab

    Endpoint Classification = Any Category/OS Family/Name

    RADIUS CoA Action = [Cisco - Terminate Session]


    Here is how the Cisco switch port is configured:

    interface GigabitEthernet1/0/1
    switchport access vlan 29
    switchport mode access
    switchport voice vlan 129
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 10
    spanning-tree portfast


    With all of that configured, the laptop does not get on the network.  Access tracker shows the following: 

    [attached screenshot: Access Tracker.JPG]



    This makes sense because the Service is set to look for the Category of "Computer" and a Status of "Known" in the Endpoints DB.  However, ClearPass will not fully profile the device so that it can be classified as a Computer.  The Profiled status is 'no'. 




    What am I missing here?  Why won't ClearPass profile this device? Once profiled it should get on with no problems, but getting to this point has been quite challenging.  What is the flow of a MAC Auth?  Does the device need to be allowed on with DHCP only in order to be fingerprinted, THEN have the Service applied?  Confused as to the flow. 



  • 2.  RE: MAC Auth Issues

    Posted Jun 03, 2015 03:40 PM
    Yes, the device will need to be let on in a limited role to allow it to be profiled, then you can send a CoA or bounce port to have them re-authenticate after the profile.

    You can do this by enabling the profile option in the service, select computer and use the Cisco Terminate Session option.


  • 3.  RE: MAC Auth Issues

    Posted Jun 03, 2015 03:49 PM

    Thanks for the quick reply, Tim.  Unfortunately it's still not working.  I've been using what you had suggested all along, with the exception of the Endpoint Classification being set as the catch-all "Any Category/OS Family/Name".  Changing that to "Computer" had no effect. 


  • 4.  RE: MAC Auth Issues

    Posted Jun 03, 2015 03:51 PM
    Do you have DHCP helper addresses on your wired network pointing to ClearPass?


  • 5.  RE: MAC Auth Issues

    Posted Jun 03, 2015 03:53 PM

    Yup.  First thing I did before getting going with the service configuration.

  • 6.  RE: MAC Auth Issues

    Posted Jun 03, 2015 04:09 PM
    What does the output tab show on your access tracker. I see the COA tab there. So either it is working or you did a manual COA.

  • 7.  RE: MAC Auth Issues

    Posted Jun 03, 2015 04:12 PM

    Here's what I get...



  • 8.  RE: MAC Auth Issues
    Best Answer

    Posted Jun 03, 2015 04:14 PM
    You need to change the default role from deny access to a VLAN that only allows DNS and DHCP. That way the device will get profiled and then a COA is issued. Just like Tim suggested earlier.
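    The two-pass flow that replies 2 and 8 describe (limited VLAN, DHCP relayed to the profiler, CoA, second MAB pass) is easy to misread, so here is a small Python model of it as an added example. It is not code from this thread, from Aruba, or from ClearPass: the profile name PROFILING_VLAN, the option-55 fingerprint table and the assumption that a profiled endpoint is marked Known are all constructed for illustration. It shows why a [Deny Access Profile] default deadlocks (no link, no DHCP, no fingerprint, so the "Computer AND Known" rule can never match) and why a DHCP/DNS-only VLAN breaks the loop.

```python
"""Model of the MAB -> profile -> CoA -> re-auth loop (constructed example, not ClearPass code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DENY = "[Deny Access Profile]"           # name from the thread
ALLOW = "[Allow Access Profile]"         # name from the thread
PROFILING_VLAN = "[Profiling VLAN Profile]"  # assumed name: dead-end VLAN with DHCP/DNS only

# Constructed DHCP option 55 (parameter request list) signatures -> endpoint category.
# A real profiler uses a large signature database; these tuples are illustrative only.
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Computer",   # Windows-style list (constructed)
    (1, 3, 6, 15, 119, 252): "SmartDevice",                        # constructed
}
WINDOWS_PRL = (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)

@dataclass
class Endpoint:
    """One row of the Endpoints Repository as the thread's rule sees it."""
    mac: str
    status: str = "Unknown"
    category: Optional[str] = None
    profiled: bool = False

def enforcement_decision(ep: Endpoint, default_profile: str) -> str:
    """first-applicable evaluation of the single rule from the original post."""
    rules = [
        (lambda e: e.category == "Computer" and e.status == "Known", ALLOW),
    ]
    for condition, profile in rules:
        if condition(ep):
            return profile
    return default_profile

def profile_from_dhcp(ep: Endpoint, option55: Tuple[int, ...]) -> None:
    """Profiler step: fingerprint the relayed DHCP Discover and update the endpoint."""
    ep.category = FINGERPRINTS.get(option55, "Unknown")
    ep.profiled = True
    ep.status = "Known"  # assumption: thread reports the endpoint was marked Known after profiling

def mab_session(ep: Endpoint, option55: Tuple[int, ...], default_profile: str,
                coa_on: Tuple[str, ...] = ("Computer",)) -> Tuple[str, List[str]]:
    """Walk one MAB attempt through the loop; returns (final decision, event log)."""
    log: List[str] = []
    decision = enforcement_decision(ep, default_profile)
    log.append(f"MAB #1 {ep.mac}: {decision}")
    if decision == DENY:
        # Port stays unauthorized: no DHCP, so the ip helper never relays anything to the profiler.
        log.append("port unauthorized: no DHCP, nothing relayed, device never profiled")
        return decision, log
    if decision == PROFILING_VLAN:
        log.append("DHCP Discover relayed by ip helper to the profiler")
        profile_from_dhcp(ep, option55)
        log.append(f"profiled: category={ep.category} status={ep.status}")
        if ep.category in coa_on:
            # Profiler tab: classification matched, so send the CoA and the switch restarts MAB.
            log.append("CoA [Cisco - Terminate Session] -> switch re-runs MAB")
            decision = enforcement_decision(ep, default_profile)
            log.append(f"MAB #2 {ep.mac}: {decision}")
    return decision, log

if __name__ == "__main__":
    for default in (DENY, PROFILING_VLAN):
        final, events = mab_session(Endpoint("00:11:22:33:44:55"), WINDOWS_PRL, default)
        print(f"default={default}")
        for line in events:
            print("  " + line)
        print(f"  final decision: {final}")
```

    Run it once with the Deny default and once with the profiling VLAN to see the difference: only the second run ever reaches the profiler, and only then does the CoA trigger a second MAB pass that matches the Computer/Known rule.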

  • 9.  RE: MAC Auth Issues

    Posted Jun 03, 2015 04:14 PM
    If you plug a client in to a port with authentication disabled, and it successfully gets a network address, does it show up in ClearPass as profiled?


  • 10.  RE: MAC Auth Issues

    Posted Jun 04, 2015 10:18 AM

    Yes Tim, when I plug the laptop into a non-dot1x/MAB port it gets profiled perfectly fine.  What could be in the dot1x/MAB switchport config that could be the hangup?


  • 11.  RE: MAC Auth Issues

    Posted Jun 05, 2015 11:56 AM

    Adding a dead-end VLAN with an IP Helper pointing at ClearPass did the trick. Device was then profiled, marked as 'known' and allowed on.  Thanks!

  • 12.  RE: MAC Auth Issues

    Posted Oct 31, 2019 04:45 AM


    @RyanNetEng wrote:

    Adding a dead-end VLAN with an IP Helper pointing at ClearPass did the trick. Device was then profiled, marked as 'known' and allowed on.  Thanks!

    Dear Ryan,

    Could you please elaborate on this? Do you mean you added a dACL to the service to return a dead vlan with only dhcp access?