Ok, I have to admit that I have not seen this auth domain setting on any of my customers over the 12 years I have been working with ClearPass. So I haven't tried to use it on a MAC authentication
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Feb 23, 2023 06:05 AM
From: Mauzr
Subject: CPPM + HP 5500 switch - MAC auth
Hi Jonas,
Thanks for the reply. Yes, I know that feature, and I am using it:
But with no effect. It is working well with EAP-TLS authentication, but not with MAC auth.
And yes, the customer wants to add the auth domain.
V.
Original Message:
Sent: Feb 23, 2023 06:00 AM
From: jonas.hammarback
Subject: CPPM + HP 5500 switch - MAC auth
Hi Vaclav
Do you need to add the mac-authentication domain?
If you do, you should be able to strip the domain from the user name in the service on the Authentication tab.
Original Message:
Sent: Feb 23, 2023 04:36 AM
From: Mauzr
Subject: CPPM + HP 5500 switch - MAC auth
Hi experts,
I have one problem with MAC authentication on an HP 5500 Comware switch. When we are using the domain on the switch side, the MAC authentication is failing because the Strip Username rules on the CPPM side are not working. Here is a config example:
Switch config:
#
domain default enable aaa
#
mac-authentication timer offline-detect 600
mac-authentication timer quiet 180
mac-authentication domain aaa
#
radius scheme radius
server-type extended
primary authentication 10.135.24.100
primary accounting 10.135.24.100
secondary authentication 10.134.24.100
secondary accounting 10.134.24.100
user-name-format with-domain
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 3590 tagged
port hybrid vlan 749 untagged
port hybrid pvid vlan 749
mac-vlan enable
poe enable
mac-authentication max-user 2
mac-authentication domain aaa
qos wrr 5 group sp
qos trust dscp
port-security port-mode userlogin-secure-or-mac-ext
dot1x max-user 2
dot1x guest-vlan 749
dot1x auth-fail vlan 749
dot1x critical vlan 748
undo dot1x handshake
dot1x mandatory-domain aaa
undo dot1x multicast-trigger
dot1x unicast-trigger
dhcp-snooping information enable
#
And ClearPass side:
We can't use the Strip Username Rules with MAC auth?
Thanks and best regards
Vaclav