Security


Clearpass MAC Auth with SHL issue

  • 1.  Clearpass MAC Auth with SHL issue

    Posted Feb 16, 2024 10:10 AM

    Hi all,

    I'm trying to setup Clearpass MAC auth for both wireless and wired and I'm stuck because of two issues :

    1. I can successfully connect with wireless only after a successful wired connection (despite Clearpass access tracker showing an ACCEPT if I try with wireless first)
    2. When I move one MAC address from a SHL to another (or simply remove the MAC address) it won't immediately apply and keeps putting me in the old VLAN instead of the new one or no VLAN. I did erase the endpoints, purged the auth cache on Clearpass, removed the DHCP lease; I don't know what else to do. Do you know if there is some other cache I need to purge?

    Many thanks for your help.

    Cheers 



  • 2.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 16, 2024 10:22 AM

    Hi

    Regarding the first question, you have to set the port on the switch to device mode if you have authentication on the switch port. Otherwise the switch will also authenticate the client after the successful authentication done by the access point.

    For your second question I don't understand if it's wired or wireless. But if it's wireless you need to clear the session cache, or wait until it has timed out. Default 5 minutes.

    Best practice in ClearPass is to not utilize the Static Host Lists, as this is an old feature only left for compatibility reasons. Instead utilize either attributes in the Endpoints Repository or even better the Guest Device Repository. With the Guest Device Repository you can delegate rights for administration of the MAC addresses based on roles they are mapped to.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 16, 2024 11:16 AM

    Thank you Jonas.

    For the first question, yes, the goal at first is to authenticate on the access point with a PSK key, then authenticate the MAC address with Clearpass through the switch. My AP is broadcasting more than one SSID and there are multiple VLANs behind, so I obviously need to set the port on the switch to trunk mode.

    And I successfully setup the Guest Device Repository with the Wireless MAC Address (Clearpass ACCEPT) but I can't go further since the laptop can't connect to the AP even with the green light from clearpass :( 




  • 4.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 16, 2024 01:25 PM

    Hi

    What access points and switches do you have? I see in the screenshot that the service is named MAC_Auth_Cisco, so I suppose the switch is a Cisco switch.

    You should not try to do the VLAN mapping in the switch; instead send the VLAN to the AP by enabling MAC auth in the SSID in addition to the PSK. In that way the AP will send the MAC auth request to ClearPass and get a VLAN enforcement back and put the client on the correct VLAN. This can be done with both Aruba and Cisco APs, and I guess most other brands as well.

    How many SSIDs do you have and why do you need several? With the VLAN enforcement you can have one single SSID and put clients on different VLANs behind it. But if you have an open one for guests and an 802.x one for corporate devices in addition to a PSK SSID, in most cases this will solve most authentication cases.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 19, 2024 04:52 AM

    Hi Jonas,

    Yes CISCO it is.

    We have 5 different SSIDs because we are broadcasting some we don't directly own (we handle the IT infra of a conference / research center with partnerships with many different institutions).

    I've tried the Guest devices auth, which is working, but adding the devices (~500) is much more painful than with the Static hosts list.

    Can I enable the mac auth on the AP and set Clearpass as the source of MAC identification ?

    Thanks




  • 6.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 19, 2024 05:06 AM

    FYI : The clearpass auth source was already setup on the WLAN side :




  • 7.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 19, 2024 05:59 AM

    I just tried to disable the PSK auth and let only the MAC, I can't connect to the WLAN as well ... It's making me nuts >_<




  • 8.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 19, 2024 09:42 AM

    Hi

    Do you get any error messages in ClearPass Access Tracker? Can you share the output?

    If you don't get anything in Access Tracker, check in the Event log if you have error messages there indicating wrong Radius shared secret.

    Regarding adding devices to Guest Device repository you can do it by importing a csv. 1000 devices per import is possible and I would say it's very easy.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 20, 2024 02:32 AM

    Hi Jonas,

    The thing is the access tracker is accepting the auth :

    And I agree, I can do xml import for guest devices, but there are many more fields to fill in the template than in a static hosts list, and I have like ~500 devices to import >_<




  • 10.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 20, 2024 02:51 AM

    Hi

    The enforcement profile, 958-Profile_GESDA, does this return a VLAN or VLAN name to the WLC? Do you have the matching VLAN or name configured in the WLC?

    Try to disable the MAC authentication as well and verify that you are able to connect to the WLAN, so you don't have any other issues.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
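    An added check, not from the thread or from ClearPass itself, for the question of what the enforcement profile actually returns to the WLC: a dynamic VLAN assignment over RADIUS is the RFC 2868/3580 triple Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and Tunnel-Private-Group-ID carrying either a numeric VLAN ID or a VLAN name. The decoder below parses the attribute bytes of an Access-Accept and reports whether the triple is complete and whether the WLC has to match an ID or a name. The sample attribute sets (VLAN "958" and the name "GESDA-Guests") are constructed here and are not the thread's real profile contents.

```python
# RADIUS attribute types (RFC 2868) and values (RFC 3580) used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
TRIPLE = (("Tunnel-Type", TUNNEL_TYPE), ("Tunnel-Medium-Type", TUNNEL_MEDIUM_TYPE),
          ("Tunnel-Private-Group-ID", TUNNEL_PRIVATE_GROUP_ID))


def parse_avps(payload: bytes) -> list:
    """Split RADIUS attribute bytes (Type, Length, Value) into (type, value) pairs."""
    avps, i = [], 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((t, payload[i + 2:i + length]))
        i += length
    return avps


def tunnel_value(value: bytes) -> bytes:
    """Strip the optional leading tag byte (0x00-0x1F) of a tunnel attribute (RFC 2868 5.1)."""
    return value[1:] if value and value[0] <= 0x1F else value


def check_vlan_enforcement(payload: bytes) -> dict:
    """Report whether the attributes form a complete VLAN assignment and what kind of VLAN reference they carry."""
    found = {}
    for t, v in parse_avps(payload):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = int.from_bytes(tunnel_value(v), "big")  # 3 bytes after tag, or 4 untagged
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found[t] = tunnel_value(v).decode("ascii", "replace")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    complete = (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802 and group is not None)
    return {
        "complete": complete,
        "vlan": group,
        # a purely numeric group id is a VLAN ID; anything else must match a VLAN *name* on the WLC
        "kind": None if group is None else ("id" if group.isdigit() else "name"),
        "missing": [name for name, t in TRIPLE if t not in found],
    }


def build_tagged(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged tunnel attribute as Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return bytes([attr_type, len(body) + 2]) + body


# Constructed samples: a complete triple for VLAN ID 958, and a profile that only returns a VLAN name
SAMPLE_ACCEPT = (build_tagged(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                 + build_tagged(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                 + build_tagged(TUNNEL_PRIVATE_GROUP_ID, 1, b"958"))
SAMPLE_NAME_ONLY = build_tagged(TUNNEL_PRIVATE_GROUP_ID, 1, b"GESDA-Guests")
```

Run it against the attribute bytes of a captured Access-Accept (or the attributes listed under the request in Access Tracker) to see whether the WLC is being handed a complete assignment and a value it can match.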



  • 11.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 20, 2024 03:13 AM
    Edited by Fcbeng1202 Feb 20, 2024 03:14 AM

    Yes the VLAN exists in the WLC, here is also the profile on CP :

    Already tried to disable mac auth, I can connect but don't get any IP address/into any VLAN because that is also the role of Clearpass to attach the right VLAN depending on the device.

    I'm guessing clearpass and WLC don't communicate well since it is working for wired connections ... But like I wrote before, the strange thing is that I can connect to WLAN if I connected previously on ethernet with the same device ... 




  • 12.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 20, 2024 03:28 AM

    A wired authentication should not affect a wireless authentication as it's separate MAC addresses. I haven't worked so much with the Cisco WLC, and it's a few years ago I last logged into one. Thus I don't remember the exact configs needed. Have you confirmed that the VLAN itself is working?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 13.  RE: Clearpass MAC Auth with SHL issue

    Posted Feb 20, 2024 02:10 PM

    The ClearPass Canned POC Kit is available at Arubapedia for Partner: https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit

    There is a configuration example for Cisco WLC and ClearPass Guest.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------