We have configured ClearPass to do both User and Machine Authentication. If the end devices are domain machines and the user is successfully authenticated, then it is given full access. If the end device is not a domain machine, then it is put in a VLAN which will allow it to be joined into the domain.
The problem is that the machine, when connecting to the network, sends both the MAC address as well as domain\user as the username. The domain check fails when the username is the MAC address, and the machine is put into the domain join VLAN in spite of the machine being in the domain. I get the following alert for these machines.
RADIUS | SV_PrimaryDomainController - 172.31.0.25: User not found. EAP: Client doesn't support configured EAP methods |
Since the order in which the username is passed to ClearPass is random, the machines are randomly put into the Domain Join VLAN. All machines send both the MAC address as well as domain/user as the username, but the order is random.
Is there a way that I can ignore the username being sent as a MAC address and only consider the request where the username is in the format domain/username?
There are non-dot1x devices like printers in the network which are allowed access to the network without the domain check.