  • 1.  802.1x & MAB Services Enabled

    Posted Nov 06, 2024 07:07 PM

    Hi everyone. I am testing a scenario where I have both WIRED 802.1X and MAB enabled as separate services within ClearPass. I have a client PC that does NOT have EAP-TLS enabled, which fails 802.1X authentication, but is then given access via MAB. My port authentication priority is set so that the client PC attempts to undergo 802.1x authentication first, followed by MAB:

     

    My 802.1x service is configured as follows:

    How do I prevent the client PC from authenticating via MAB as the fallback if it fails 802.1x? I only want the MAB policy to take effect for devices which aren't capable of 802.1x. I have confirmed that the 802.1x policy does work when I have the MAB policy disabled within ClearPass. Please advise.



  • 2.  RE: 802.1x & MAB Services Enabled

    Posted Nov 07, 2024 03:06 AM

    Hi

    Please share the configuration of your MAC authentication service and the Summary tab from Access Tracker of a successful MAC authentication.

    A guess is that you are using the authentication method [Allow All MAC AUTH]. This method will allow any MAC address to connect to the network, and you have to handle authorizations in the Enforcement policy, like only allowing specific profiled device types and rejecting the rest.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: 802.1x & MAB Services Enabled

    Posted Nov 07, 2024 02:38 PM

    Hi Jonas,

    Here is my MAC Authentication service:

    Summary tab of a successful MAB authentication:
    Thanks



  • 4.  RE: 802.1x & MAB Services Enabled

    Posted Nov 07, 2024 09:56 AM

    Set auth-priority to auth then MAC, that way a rejected 802.1X attempt will apply the reject.  A device that connects and doesn't respond to the EAP packets will get the MAC auth result.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: 802.1x & MAB Services Enabled

    Posted Nov 07, 2024 11:20 AM

    Please note that if you completely block clients that attempt 802.1X/authenticator but fail, it can be hard to recover from that situation.

    I would use the MAC authentication in that case to put them in a very limited role, maybe even with a captive portal explaining how people can recover from the situation. In most cases it's better to allow a client on the network, but controlled, instead of fully rejecting the authentication.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------