Security

 View Only
last person joined: 15 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

CPPM + HP 5500 switch - MAC auth

This thread has been viewed 17 times
  • 1.  CPPM + HP 5500 switch - MAC auth

    Posted Feb 23, 2023 04:37 AM

    Hi experts,

    I have one problem with MAC authentication on HP 5500 Comware switch. When we are using the domain on switch side the MAC authentication is failing because Strip Username rules on CPPM side is not working. Here is an config example:

    Switch config:

    #
     domain default enable aaa
    #
     mac-authentication timer offline-detect 600
     mac-authentication timer quiet 180
     mac-authentication domain aaa
    #

    radius scheme radius
     server-type extended
     primary authentication 10.135.24.100
     primary accounting 10.135.24.100
     secondary authentication 10.134.24.100
     secondary accounting 10.134.24.100
     user-name-format with-domain
    #
    interface GigabitEthernet1/0/1
     port link-mode bridge
     port link-type hybrid
     undo port hybrid vlan 1
     port hybrid vlan 3590 tagged
     port hybrid vlan 749 untagged
     port hybrid pvid vlan 749
     mac-vlan enable
     poe enable
     mac-authentication max-user 2
     mac-authentication domain aaa
     qos wrr 5 group sp
     qos trust dscp
     port-security port-mode userlogin-secure-or-mac-ext
     dot1x max-user 2
     dot1x guest-vlan 749
     dot1x auth-fail vlan 749
     dot1x critical vlan 748
     undo dot1x handshake
     dot1x mandatory-domain aaa
     undo dot1x multicast-trigger
     dot1x unicast-trigger
     dhcp-snooping information enable
    #

    And CLearPass side:

    We cant use the Strip Username Rules with MAC auth?

    Thanks and best regards

    Vaclav



  • 2.  RE: CPPM + HP 5500 switch - MAC auth

    Posted Feb 23, 2023 06:01 AM

    Hi Vaclac

    Do you need to add the mac-authentication domain?

    If you do you should be able to strip the domain from the user name in the service on the Authentication tab



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: CPPM + HP 5500 switch - MAC auth

    Posted Feb 23, 2023 06:06 AM

    Hi Jonas,

    Thanks for reply, yes I know that feature, and using it:

    But with no effect. It is working well with EAP-TLS authentication, but not with MAC auth. 

    And yes, customer want to add the auth domain.

    V.




  • 4.  RE: CPPM + HP 5500 switch - MAC auth

    Posted Feb 23, 2023 09:49 AM

    Ok, I have to admit that I have not seen this auth domain setting on any of my customers over the 12 years I have been working with ClearPass. So I haven't tried to use it on a MAC authentication



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: CPPM + HP 5500 switch - MAC auth

    Posted May 26, 2023 09:27 AM

    You can change this parameter in your radius profile:

    radius scheme radius
     server-type extended
     primary authentication 10.135.24.100
     primary accounting 10.135.24.100
     secondary authentication 10.134.24.100
     secondary accounting 10.134.24.100
     user-name-format with-domain

    change it to user-name-format without-domain