Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass - Known endpoint - multiple MAC authentication sources

Jump to Best Answer
  • 1.  Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Aug 06, 2019 06:32 AM

    Hi all, hoping you can assist! (running latest 6.8.1 service pack)

     

    I've added an additional sql database as an authentication source (contains MAC addresses amungst other attributes).  What I'm finding is if I use this in a service with endpoint reposity authentication source also configured, I am unable to authenticate the device when using in a MAC auth service.

     

    If I use the authentication source on its own in a service (can be the exact same service or copy service) the authentication/autorization succeeds and there is no error in the access tracker!

     

    After some troubleshooting, it turns out this is down to the known flag for the endpoint.

    If known endpoint the service rejects, if unknown endpoint the service authorizes correctly.

     

    Could someone explain this behaviour?


    When authenticating devices with 802.1x we are setting the known flag - I suppose we could not bother doing this, but it would be helpful to understand pro's & con's.

     

    Thanks in advance!



  • 2.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Aug 06, 2019 06:54 AM

    Are you using any service rules on the service that may prevent the request from hitting the service?



  • 3.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Aug 06, 2019 07:10 AM

    @Fabian Klaring wrote:

    Are you using any service rules on the service that may prevent the request from hitting the service?


    Thanks for responding, nothing special, just out of the box:

    CPPM-MAC-ServiceRules.jpg

    and not forgetting that changing the known and unknown flags for the endpoint changes the behaviour.



  • 4.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Sep 05, 2019 09:53 AM

    Anyone any further thoughts on this one?  The difference between known and unknown endpoints basically?

    (Updated to 6.8.2 with same result)



  • 5.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Sep 05, 2019 10:35 AM

    Are you using the default [Mac Auth] method?

     

    Go to Authentication > Methods. Click on the one you are using and check whether "Allow Unknown endhosts" is enabled or disabled.



  • 6.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Sep 05, 2019 10:49 AM

    Thanks for the prompt reply,

    Am using the "Allow All MAC Auth" as this one has allow unknown endpoints ticked. 

    (you are correct , the default Mac Auth doesn't have unknown endpoints ticked, but not using that one).

     



  • 7.  RE: Clearpass - Known endpoint - multiple MAC authentication sources
    Best Answer

    Posted Sep 05, 2019 01:29 PM

    There is somethig else at play here. If you are using Allow All MAC Auth, only use Endpoint Repository as Authentication Source and use your external DB for Authorization only.

    You can paste screenshots of your service or simply call support to fix it.



  • 8.  RE: Clearpass - Known endpoint - multiple MAC authentication sources

    Posted Sep 06, 2019 08:48 AM

    Thanks for the reply, yes just leaving the defualt endpoints repository as the authentication source and adding the external DB to authorization sources does the trick!