Hi all, hoping you can assist! (running latest 6.8.1 service pack)
I've added an additional SQL database as an authentication source (contains MAC addresses amongst other attributes). What I'm finding is if I use this in a service with endpoint repository authentication source also configured, I am unable to authenticate the device when using in a MAC auth service.
If I use the authentication source on its own in a service (can be the exact same service or copy service) the authentication/authorization succeeds and there is no error in the access tracker!
After some troubleshooting, it turns out this is down to the known flag for the endpoint.
If known endpoint the service rejects, if unknown endpoint the service authorizes correctly.
Could someone explain this behaviour?
When authenticating devices with 802.1x we are setting the known flag - I suppose we could not bother doing this, but it would be helpful to understand pros & cons.
Thanks in advance!
Are you using any service rules on the service that may prevent the request from hitting the service?
@Fabian Klaring wrote: Are you using any service rules on the service that may prevent the request from hitting the service?
Thanks for responding, nothing special, just out of the box:
and not forgetting that changing the known and unknown flags for the endpoint changes the behaviour.
Anyone any further thoughts on this one? The difference between known and unknown endpoints basically?
(Updated to 6.8.2 with same result)
Are you using the default [Mac Auth] method?
Go to Authentication > Methods. Click on the one you are using and check whether "Allow Unknown endhosts" is enabled or disabled.
Thanks for the prompt reply,
Am using the "Allow All MAC Auth" as this one has allow unknown endpoints ticked.
(You are correct, the default Mac Auth doesn't have unknown endpoints ticked, but not using that one).
There is something else at play here. If you are using Allow All MAC Auth, only use Endpoint Repository as Authentication Source and use your external DB for Authorization only. You can paste screenshots of your service or simply call support to fix it.
Thanks for the reply, yes just leaving the default endpoints repository as the authentication source and adding the external DB to authorization sources does the trick!