  • 1.  Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 30, 2024 03:25 AM

    Hello,

    I'm looking to implement dynamic MACsec based on a key distributed by ClearPass. To do this, I need to send back the attribute "EAP-Key-Name". I see that this attribute can be defined in an Enforcement Profile:

    From FreeRADIUS documentation, I see that it should be equal to the EAP-Session-ID:
    However, I'm unable to find how to set EAP-Key-Name equal to the EAP-Session-ID. Any help with that would be very useful :)

    Thanks in advance,
    Mathias


  • 2.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 30, 2024 10:21 PM

    No need to specify that in an enforcement profile.

    ClearPass automatically includes EAP-Key-Name with a value in the Access-Accept for a MACsec request. That request will contain EAP-Key-Name in the Access-Request.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 30, 2024 11:11 PM

    Hello Ariyap,

    Thanks for your answer, but during my testing ClearPass did not send the EAP-Key-Name.

    Access-Request with EAP-Key-Name:

    Access-Accept answering this Access-Request:

    I'm using ClearPass 6.11.6, any specific version that will support that?

    Thanks and regards,

    Mathias




  • 4.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 30, 2024 11:23 PM

    I am not sure but I recommend using 6.11.9 as it is the recommended version for the new sec advisory that was published.

    Just test it with that version and let us know. BTW, is that a CX switch?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 31, 2024 03:04 AM

    I just tested with ClearPass 6.11.9, same issue :(

    No, I'm not using a CX switch; I'm using an Alcatel-Lucent Enterprise OmniSwitch 6860N-P24M.

    Here is the flow with ISE:




  • 6.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 31, 2024 03:32 AM

    Here is a video on CX + ClearPass and Host MACsec. It includes some packet captures, so may help to further analyze or compare the difference from what you see.

    To be honest, host MACsec is not widely deployed; mainly because of lack of a built-in supplicant for the mainstream operating systems Windows and MacOS. If you feel ClearPass is not following the standards and causing an issue, please open a TAC case.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Jul 31, 2024 04:26 AM

    Hello Herman,

    Thanks for the instructive video. I've opened the case number 5383777682.

    Regards,

    Mathias




  • 8.  RE: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec

    Posted Oct 01, 2024 06:33 AM
    Edited by mathias_gt Oct 01, 2024 06:38 AM

    Update: The issue has been resolved. The length of the empty EAP-Key-Name in the Access-Request coming from the switch must be >= 3.

    Working capture:
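As an added example (not part of the thread, and not ClearPass or FreeRADIUS code), the following Python script shows the two points the thread turns on: the server only returns EAP-Key-Name when the Access-Request carries it, and the attribute in the request needs a length field of at least 3 (RFC 2865's minimum: Type, Length and one value octet), which an "empty" attribute with length 2 does not meet. It parses RADIUS attributes from a constructed packet, classifies the EAP-Key-Name attribute, and builds the Access-Accept with EAP-Key-Name set to the EAP-Session-ID as the FreeRADIUS documentation describes. The attribute type 102 and the EAP-TLS Session-Id layout are from RFC 4072 and RFC 5216; the sample packets, the placeholder value octet and the dummy session ID are constructed for this example, and the authenticator is a zero placeholder rather than a real computed one.

```python
"""Diagnose EAP-Key-Name handling in RADIUS Access-Request / Access-Accept.

Added example for the thread above; not ClearPass, FreeRADIUS or switch code.
"""
import struct

RADIUS_HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
EAP_KEY_NAME = 102       # RADIUS attribute type for EAP-Key-Name (RFC 4072)
MIN_ATTR_LEN = 3         # RFC 2865: Type + Length + at least one value octet


def parse_attributes(packet: bytes):
    """Return a list of (type, length_field, value) for every attribute.

    A length field of 2 (no value octet) is returned rather than rejected so the
    caller can flag it; a length below 2 or one that overruns the packet is an error.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, alen, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_key_name_status(packet: bytes) -> str:
    """Classify the EAP-Key-Name attribute in an Access-Request.

    'absent'    - not present, so the server has no reason to return one
    'too-short' - present with length field 2 (no value octet); the thread found
                  ClearPass ignores this, and RFC 2865 requires length >= 3
    'ok'        - present with length field >= 3
    """
    for atype, alen, _value in parse_attributes(packet):
        if atype == EAP_KEY_NAME:
            return "ok" if alen >= MIN_ATTR_LEN else "too-short"
    return "absent"


def build_packet(code: int, ident: int, attrs, authenticator: bytes = bytes(16)) -> bytes:
    """Serialise a RADIUS packet from (type, value) pairs.

    The 16-byte authenticator is a zero placeholder; a real server computes the
    Response Authenticator (RFC 2865 section 3) and Message-Authenticator.
    """
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + authenticator + body


def build_access_accept(request: bytes, eap_session_id: bytes) -> bytes:
    """Echo EAP-Key-Name = EAP-Session-ID only when the request carried a
    well-formed EAP-Key-Name attribute (the behaviour the thread describes)."""
    ident = request[1]  # reply reuses the request Identifier
    attrs = []
    if eap_key_name_status(request) == "ok":
        attrs.append((EAP_KEY_NAME, eap_session_id))
    return build_packet(ACCESS_ACCEPT, ident, attrs)


# Constructed sample data, not taken from the thread's captures.
# EAP-TLS Session-Id is 0x0D || client.random || server.random (RFC 5216); dummy bytes here.
SAMPLE_SESSION_ID = b"\x0d" + bytes(range(32)) + bytes(range(32, 64))

# Switch sends EAP-Key-Name with no value octet: length field 2, server stays silent.
REQ_EMPTY_KEY_NAME = build_packet(ACCESS_REQUEST, 7, [(EAP_KEY_NAME, b"")])
# Switch sends EAP-Key-Name with one placeholder octet: length field 3, server answers.
REQ_KEY_NAME_LEN3 = build_packet(ACCESS_REQUEST, 8, [(EAP_KEY_NAME, b"\x00")])
# Switch does not ask for keying material at all.
REQ_NO_KEY_NAME = build_packet(ACCESS_REQUEST, 9, [])

if __name__ == "__main__":
    samples = [("empty EAP-Key-Name", REQ_EMPTY_KEY_NAME),
               ("EAP-Key-Name length 3", REQ_KEY_NAME_LEN3),
               ("no EAP-Key-Name", REQ_NO_KEY_NAME)]
    for name, req in samples:
        accept = build_access_accept(req, SAMPLE_SESSION_ID)
        echoed = [v for t, _l, v in parse_attributes(accept) if t == EAP_KEY_NAME]
        print(f"{name}: request status {eap_key_name_status(req)}; "
              f"Access-Accept carries EAP-Key-Name: {bool(echoed)}")
```

Running the script shows the request with a length-2 attribute getting an Access-Accept with no EAP-Key-Name, matching the thread's symptom, while the length-3 variant gets the EAP-Session-ID back. Pointing `parse_attributes` at the attribute bytes of a real Access-Request capture is a quick way to confirm which case a switch is producing before opening a TAC case.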