Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Error Code 209; No password in request; MAC authentication

  • 1.  Error Code 209; No password in request; MAC authentication

    Posted Apr 02, 2014 12:36 AM

    Hi,

     

    I am trying to configure MAC authentication with Juniper EX switch. But, I keep getting "No password in request" message in clearpass. Configuration on the switch is enabled for MAC RADIUS authentication.

     

    Thanks.

    Suresh



  • 2.  RE: Error Code 209; No password in request; MAC authentication

    Posted Apr 02, 2014 02:38 AM

    For MAC auth, Clearpass normally expects the username to be in the request in the password field also.

     

    If the Juniper switch isn't doing that, and you can't make it do it, you'll probably have to adjust your mac-auth policy or create another that doesn't look at the password field.

     



  • 3.  RE: Error Code 209; No password in request; MAC authentication

    Posted Apr 30, 2014 01:27 AM

    Do I need to adjust the clearpass profile?
    If you need to adjust if ClearPass, ClearPass should I support in any way ..?



  • 4.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 06, 2014 07:42 AM

    For Juniper I needed to add the MD5 authentication method instead of MAC auth (even with MAC auth configured on the Juniper).



  • 5.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 18, 2015 02:25 AM

    Sorry to dig up an old thread everyone, but I'm also experiencing this issue exactly as described.

     

    Other than enabling MD5 as an authentication method, how can you configure ClearPass to not look at the password field? I've tried multiple combinations found on these forums but cannot seem to get this to work!

     

    Thanks in advance!



  • 6.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 18, 2015 02:38 AM

    If it's Juniper then I believe it is your only option. I did get this a while back but never had a chance to test.

     

    "I ran into this with Juniper a year ago. Working with tech, came up with the attached Auth source (rename to XML file).

     

    Don’t know what the “appuser” password is for connecting to SQL so you may have to change it."

     

    See attached or create a file named : Juniper_MAC_AuthSource.xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Wed Aug 15 15:22:55 CDT 2012" version="5.1"/>
      <AuthSources>
        <AuthSource description="Authenticate MAC addresses against local db" name="Juniper MAC Auth" isAuthorizationSource="true" type="Sql">
          <NVPair value="36000" name="cache_timeout"/>
          <NVPair value="tipsdb" name="db_name"/>
          <NVPair value="localhost" name="server"/>
          <NVPair value="appuser" name="login"/>
          <NVPair value="PostgreSQL" name="sql_driver"/>
          <NVPair value="" name="password"/>
          <NVPair value="10" name="timeout"/>
          <Filters>
            <Filter paramValues="" filterQuery="SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Authentication"/>
            <Filter paramValues="" filterQuery="SELECT t1.status, (case when t2.device_family is NULL then False else True end) as is_profiled  FROM tips_endpoints t1 LEFT OUTER JOIN tips_endpoint_profiles t2 ON (t1.mac_address = t2.mac) WHERE t1.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Status">
              <Attributes>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Status" attrName="status"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="IsProfiled" attrName="is_profiled"/>
              </Attributes>
            </Filter>
            <Filter paramValues="" filterQuery="SELECT t1.status, (case when t2.device_family is NULL then False else True end) as is_profiled  FROM tips_endpoints t1 LEFT OUTER JOIN tips_endpoint_profiles t2 ON (t1.mac_address = t2.mac) WHERE t1.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')" filterName="Profile">
              <Attributes>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="MAC Vendor" attrName="mac_vendor"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Category" attrName="device_category"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="OS Family" attrName="device_family"/>
                <Attribute isUserAttr="false" isRole="false" attrDataType="String" aliasName="Device Name" attrName="device_name"/>
              </Attributes>
            </Filter>
          </Filters>
        </AuthSource>
      </AuthSources>
    </TipsContents>

     




  • 7.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 18, 2015 03:54 AM

    Thanks Troy, I'll give it a shot and let you know how it goes.



  • 8.  RE: Error Code 209; No password in request; MAC authentication

    Posted Nov 07, 2016 09:12 AM

    Hi!

     

    Did the above solve your issue? I'm having the exact same thing.

     

    Cheers,



  • 9.  RE: Error Code 209; No password in request; MAC authentication

    Posted Aug 15, 2018 02:17 PM

    We are seeing this same error years later, was a resolution ever found?



  • 10.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 06:18 PM

    Was anyone able to get the above solution to work? I'm also seeing issues with MAC address authentication working on Juniper switches if (and only IF) the devices are listed in the Guest Device repository.

     

    I imported the XML config listed above for the auth source and used appexternal account to read the tipsdb but still wasn't able to get this working.



  • 11.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 06:28 PM

    I was actually able to get this working w/ TAC's help. The solution was to change the Authentication filter on the [Guest Device Repository] source to use the following query:

     

    I think this is a slightly different issue from what was described in the original thread post but I wanted to post here to document the solution.

     

    SELECT lower(regexp_replace(user_credential(password), '-', '', 'g')) AS User_Password,
           CASE WHEN enabled = FALSE THEN 225
                WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
                ELSE 0
           END AS Account_Status, sponsor_name,
           CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER)
                ELSE 0
           END AS remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'DEVICE') AND (user_id = '%{Connection:Client-Mac-Address-Hyphen}'))


  • 12.  RE: Error Code 209; No password in request; MAC authentication

    Posted May 30, 2019 08:11 PM

    Glad you got it working. I've run into a similar situation using Meru/FortiWifi. The controller, by default, sends the shared secret (WTH?) instead of the MAC address as the password. I beat my head against the wall for a while before I started a Wireshark capture and decrypted the packets.

     

    Found that there is indeed a setting to change the password to the MAC address.

     



  • 13.  RE: Error Code 209; No password in request; MAC authentication

    Posted Oct 24, 2019 02:41 AM

    I have met with the same problem at Juniper switches ex2200-48p-4g. I got this error 209 with set 802.1x MAC address bypass. I experimentally found that it works if PAP protocol is set at Juniper switch.

     

    Working Juniper switch config for 802.1x MAC address bypass:

        set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius restrict
        set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius authentication-protocol pap

     

    It depends on the SW version of the switch, as some older versions do not support PAP protocol.

    It is not possible to set PAP protocol:

       Model: ex2200-48p-4g
       JUNOS Base OS Software Suite [12.3R9.4]

    It is possible to set PAP protocol:

       Model: ex2200-48p-4g
       Junos: 15.1R6.7

     

    Description of this Juniper command: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/authentication-protocol-edit-mac-radius.html



  • 14.  RE: Error Code 209; No password in request; MAC authentication

    Posted Feb 25, 2020 01:30 PM

    Hi

     

    I had the same error with MAC Authentication on Juniper EX3400 Switches. I had to enable “Mac Radius Authentication Protocol: EAP-MD5” on the interfaces. (It was not enabled by default)

    I had to add EAP MD5 and remove Mac Auth in the ClearPass Service under Authentication Methods
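
Several replies above come down to which credential attribute the switch or controller actually sends (PAP with the MAC as password, EAP-MD5, or some other password), which post 12 found with a packet capture. The Python below is an added example, not part of any post in this thread and not ClearPass or Juniper code: it parses a RADIUS Access-Request, reports whether it carries User-Password, CHAP-Password or EAP-Message, and for PAP reverses the RFC 2865 password hiding to compare the password with User-Name. The shared secret, authenticator and MAC address are constructed sample values, and `build_request` is a hypothetical helper used only to make the samples.

```python
import hashlib
import struct
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 1, 2, 3, 79  # RFC 2865/3579

def parse_attrs(packet):
    """Return {attribute type: value bytes}; repeated attributes are concatenated."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = attrs.get(atype, b"") + packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def pap_xor(data, secret, authenticator, hide):
    """RFC 2865 section 5.2 User-Password hiding (hide=True) or its inverse."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hide else data[i:i + 16]  # always chain on ciphertext
        out += block
    return out

def classify(packet, secret):
    """Name the credential attribute an Access-Request carries."""
    attrs = parse_attrs(packet)
    if USER_PASSWORD in attrs:
        clear = pap_xor(attrs[USER_PASSWORD], secret, packet[4:20], hide=False)
        same = clear.rstrip(b"\x00") == attrs.get(USER_NAME, b"")
        return "PAP, password " + ("equals" if same else "differs from") + " User-Name"
    for atype, name in ((CHAP_PASSWORD, "CHAP"), (EAP_MESSAGE, "EAP")):
        if atype in attrs:
            return name + ", no User-Password"
    return "no credential attribute"

def build_request(attrs, authenticator):
    """Assemble a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

# Constructed sample data, not taken from the thread.
SECRET, RA, MAC = b"constructed-secret", bytes(range(16)), b"001122aabbcc"
PAP_REQ = build_request([(USER_NAME, MAC), (USER_PASSWORD, pap_xor(MAC.ljust(16, b"\x00"), SECRET, RA, True))], RA)
EAP_REQ = build_request([(USER_NAME, MAC), (EAP_MESSAGE, struct.pack("!BBHB", 2, 1, 5 + len(MAC), 1) + MAC)], RA)
```

`classify(PAP_REQ, SECRET)` reports a PAP password equal to User-Name, while `classify(EAP_REQ, SECRET)` reports that no User-Password attribute is present.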