From what I know of other switches, there multi-auth authenticates each individual client (MAC), and you can return different VLANs for different devices on the same port. With multi-domain, you authenticate the device on the native VLAN (for example a PC) and the device on the tagged VLAN (like your phone), which are probably seen as two domains (data, voice). And multi-host authenticates the first device and allows everything else on the same port (with the same VLAN, dACLs, etc.).
Multi-auth is recommended in that case, but for APs, as you found out, there needs to be an exception, and you probably need to send tagged VLANs to your AP as well. I don't know how to do that on Dell switches though; one pragmatic approach, if you can't make that work, might be to put the APs on a statically configured port instead of doing 802.1X/MAC auth.
For device-behind-phone, what works is to have both devices authenticated and just assign different VLANs. The phone in that case does not require the voice VLAN to be tagged. Some switches can also assign tagged VLANs in case your phone has to use tagged VLANs.
Another switch behind your controlled switch port should be avoided; it would be a similar scenario to your AP, but if you don't control that switch it is important to authenticate each of your devices (multi-auth). Unmanaged switches don't have an IP of their own, so you can't really profile those.
As Dell has sold ClearPass in the past, you may check with Dell Support if they have proper documentation on how to best deploy in your situation.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
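As an added illustration (not code from the thread or from any switch vendor), here is a small Python model of the three host modes described above, with a constructed MAC-to-VLAN table standing in for the ClearPass policy; real switches differ in details such as violation handling and session limits, so the point is only where the authentication boundary sits in each mode.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the ClearPass policy: MAC -> VLAN in the Access-Accept.
# Any MAC not listed gets an Access-Reject.
POLICY = {"aa:aa:aa:aa:aa:01": 10,   # PC, data VLAN
          "aa:aa:aa:aa:aa:02": 20,   # phone, voice VLAN (tagged)
          "aa:aa:aa:aa:aa:03": 10}   # second PC, data VLAN

@dataclass
class Port:
    host_mode: str                                           # multi-auth | multi-domain | multi-host
    sessions: Dict[str, int] = field(default_factory=dict)   # MAC -> VLAN granted on this port
    domains: Dict[str, str] = field(default_factory=dict)    # multi-domain only: "data"/"voice" -> MAC

    def connect(self, mac: str, tagged: bool = False) -> Tuple[bool, Optional[int], bool]:
        """A new MAC appears on the port. Returns (allowed, vlan, this_mac_was_authenticated)."""
        if self.host_mode == "multi-host" and self.sessions:
            # The first host already authenticated the port; later hosts inherit its VLAN
            # without any RADIUS exchange. This is the hub/switch-behind-the-port risk.
            vlan = next(iter(self.sessions.values()))
            self.sessions[mac] = vlan
            return True, vlan, False
        domain = "voice" if tagged else "data"
        if self.host_mode == "multi-domain" and self.domains.get(domain, mac) != mac:
            # Second host in an already-occupied domain: treated as a violation, no auth attempted.
            return False, None, False
        vlan = POLICY.get(mac)                               # the RADIUS round-trip
        if vlan is None:
            return False, None, True                         # authenticated and rejected
        self.sessions[mac] = vlan
        if self.host_mode == "multi-domain":
            self.domains[domain] = mac
        return True, vlan, True

def unauthenticated_hosts(host_mode: str, macs: List[str]) -> List[str]:
    """MACs that would get access on a fresh port in this mode without ever being authenticated."""
    port, leaked = Port(host_mode), []
    for mac in macs:
        allowed, _vlan, authenticated = port.connect(mac)
        if allowed and not authenticated:
            leaked.append(mac)
    return leaked
```

Running `unauthenticated_hosts` with a list of MACs behind a hub shows that only multi-host lets the trailing devices through without a RADIUS exchange, which is the behaviour the thread warns about.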
Original Message:
Sent: Aug 23, 2021 10:46 AM
From: Gilles Villeneuve
Subject: Clearpass Wireless+Mac authentication.
Hi Herman,
Thanks for your reply.
We are using Dell OS switches.
Regarding Multi-Domain/Multi-Host, thanks for bringing it to my attention. I don't know why, but I had understood that Multi-Host/Multi-Auth would allow each MAC to be authenticated individually, but I guess in this case it would be the Multi-Authentication mode.
One question on this topic: in a case where I have a downstream phone or switch and I want to place them in different VLANs based on certain attributes, how would it behave if they are on the same switch port? Can I use the standard access mode with ClearPass returning the VLAN ID, or should they be "general"?
Thank you,
------------------------------
Gilles Villeneuve
Original Message:
Sent: Aug 23, 2021 05:49 AM
From: Herman Robers
Subject: Clearpass Wireless+Mac authentication.
Please be aware that Multi-domain/multi-host will effectively disable any authentication for additional devices on the same switch port. If someone places a hub/switch on the port, the first device will authenticate, and all other devices will get that same access without authentication.
I don't think you mentioned the switch type, but if you can selectively switch the port mode only for APs by returning RADIUS attributes, that would be more secure. ArubaOS Switch and AOS-CX can do that. For other brands of switches, it probably depends on the brand/type.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 18, 2021 12:19 PM
From: Gilles Villeneuve
Subject: Clearpass Wireless+Mac authentication.
Hi Herman,
Thanks for your reply.
Yes, you are correct. The AP in bridge mode is connected to our access switch which is configured to authenticate against ClearPass.
What seems to happen is that if the switch port that goes to the AP is set as Multi-Auth, it performs MAC authentication for every wireless client connected to that AP, regardless of it already being authenticated via 802.1X.
On a different switch, I have changed the port from Multi-Auth to MD/MH; after doing that I can see only one MAC authentication (the AP), and the wireless client only on my 802.1X service.
Thank you,
------------------------------
Gilles Villeneuve
Original Message:
Sent: Aug 18, 2021 06:14 AM
From: Herman Robers
Subject: Clearpass Wireless+Mac authentication.
I'm confused. You mention 'wireless' and 'change the port to Multi-Domain/Multi-Host', which is something wired...
If you see a MAC authentication from your wired switch, for a wireless client that is connected to an AP that is connected to that switch, that is your issue. Make sure that APs connected to your switch are either exempted from wired authentication, or if you are doing authentication make sure the MAC addresses behind the AP are not subject to authentication. For ArubaOS/CX switches, make sure these are (dynamically) configured for port mode.
In case you are unsure, it may help to have someone look together with you, like your Aruba partner or Aruba support, to see what's happening.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 17, 2021 03:18 PM
From: Gilles Villeneuve
Subject: Clearpass Wireless+Mac authentication.
Hi Railway,
Thanks for your reply.
In the wireless authentication, I couldn't find anything related to "perform additional MAC authentication".
One thing that I have noticed is that if I do change the port to Multi-Domain / Multi-Host, it works as expected, unlike Multi-Auth.
------------------------------
Gilles Villeneuve
Original Message:
Sent: Aug 17, 2021 03:32 AM
From: Johannes Haberstroh
Subject: Clearpass Wireless+Mac authentication.
Hello Gilles,
From your description I have two ideas:
- In your wireless authentication, do you have a button like "Perform additional MAC authentication" enabled? (When using Mobility Conductor, did you enable MAC auth accidentally in the AAA profile?)
- When using bridge-mode APs, do you have wired port auth enabled on the switch? This way clients would authenticate against wireless first and then again on the switch port. To avoid this, you have to set the switch port in port-auth mode instead of user-auth mode.
Best regards, Johannes
------------------------------
Johannes Haberstroh
Original Message:
Sent: Aug 16, 2021 12:15 PM
From: Gilles Villeneuve
Subject: Clearpass Wireless+Mac authentication.
Hi everyone,
We have successfully deployed ClearPass doing EAP-TLS for wired and wireless, as well as MAC authentication.
However, one thing that I noticed is that the wireless one is also doing MAC authentication even though the wireless profile is configured for EAP-TLS.
There are two problems that we have noticed with that.
1 - If the wireless service is at the top, the device successfully authenticates using EAP, but then it fails when it performs MAC authentication, resulting in the device losing connectivity.
2 - If I switch the order and put MAC at the top, it will fail, but then it will get connected as it falls back to EAP. The problem with that is the "noise" it creates when exporting the logs to our SIEM.
The wireless profile is configured as Bridge, would that be the reason?
Thank you very much,
------------------------------
Gilles Villeneuve
------------------------------