Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TEAP Wired User

  • 1.  EAP-TEAP Wired User

    Posted May 16, 2024 10:00 AM

    Hello Guys,

    I have configured TEAP successfully on wireless. Thank you everyone for their input. I am facing a new problem on the wired side.

    At my company we use docking stations to plug in our ethernet cable, and the docking station has a different MAC address than the wireless one. Every time I tried a new dock, ClearPass associated the host name to the dock MAC address, but it came up as unknown in the endpoints.

    Unless I make that MAC address known, ClearPass would always reject the computer on the TEAP config. Should I configure TEAP differently, because it is impossible to note every docking station MAC address?

    Any help would be appreciated.

    Thanks



  • 2.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 16, 2024 10:19 AM

    I'm confused as to what you are doing.  Known vs Unknown is used by MAC auth and the endpoint database cleanup criteria.  The setting shouldn't have any impact for TEAP since you're using credentials with TLS or PEAP.  After you've successfully authenticated the device use an endpoint action to automatically mark the endpoint as known if that is what you need to do.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: EAP-TEAP Wired User

    Posted May 16, 2024 01:36 PM

    Hello @chulcher

    The problem is that the device is not authenticated properly, as the dock has a different ethernet MAC address. That is conflicting with the existing one in Intune. 

    I am going to work on the machine auth then since that is my only roadblock as of right now. 




  • 4.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 16, 2024 02:55 PM

    Are you attempting to do a lookup through the Intune extension based on the client's MAC address?  If so, you are correct, that's not going to work when you add docking stations to the mix.  You need to move towards using the device ID assigned by Intune and that gets embedded within the certificate used by the device for authentication.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 05:42 AM

    Hi

    Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

    As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 09:39 AM

    Hello @jonas.hammarback

    Maybe that is a good idea. I could put in place a policy that evaluates when a device is marked unknown. I will look at that option. 

    Here are my enforcement and roles screenshots.


    I already have devices synced from Intune. But when I plug into the dock, it gets a different MAC address from the dock ethernet card. So ClearPass thinks it is a new device and does not know how to classify it.

    You can see from the screenshot that the second one is known and the first one is from the docking station. 

    Thanks




  • 7.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 17, 2024 10:41 AM

    Is there something in the role mapping policy that is evaluating the endpoint status?  I see nothing in the enforcement policy.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 10:59 AM

    Hey @chulcher

    I am in the role mapping policy that is evaluating the endpoint status. In the wired_teap_testing group, I am only putting the device name ocisse-dx15. 

    I have tested another policy. Here are the screenshots.

    In that case, only the machine should be authenticated. But ClearPass is still rejecting me. Maybe I should find a way to auth all endpoints that have a hostname that I can find in Intune. 




  • 9.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 17, 2024 11:24 AM

    Not seeing anything that would make Known vs Unknown cause problems.  But if you are failing the session based on the device not being found in Intune, that could be the issue.

    When the Intune extension was originally deployed we did a search based on the MAC address, which eventually wasn't good enough because of the reasons that you are running in to, the usage of temporary network connections or randomized MAC addresses.  The new versions of the extension should be doing the lookup of the device based on information from the certificate that is used as the 802.1X credentials.

    Make sure you are using the latest version of the extension and have updated your policies to follow the new requirements.

    https://arubanetworks.com/clearpassdocs

    ClearPass - Microsoft Intune Technote



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
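Carson's point in the two replies above (key the Intune lookup on the device ID carried in the 802.1X certificate, not on the MAC that authenticated), as an added illustration that is not code from this thread, from ClearPass or from the Intune extension. The session attribute names, the placement of the Intune device ID in the certificate CN, the inventory and the sessions are all assumed or constructed for the example.

```python
import re

# Constructed Intune-style inventory for this example, keyed by the Intune
# device ID (a GUID) rather than by MAC address. Values are made up.
INTUNE_DEVICES = {
    "3f2a9c1e-0b7d-4e55-9a61-2c8d5f7e1a90": {
        "deviceName": "ocisse-dx15", "complianceState": "compliant"},
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def device_id_from_cert(session):
    """Extract the Intune device ID from the client certificate's subject CN
    or SAN URI (assumed layout: an Intune SCEP profile embedding {{DeviceId}}).
    Attribute names imitate ClearPass session attributes; assumed, not verified."""
    for attr in ("Certificate:Subject-CN", "Certificate:Subject-SAN-URI"):
        match = GUID_RE.search(session.get(attr, ""))
        if match:
            return match.group(0).lower()
    return None

def lookup_by_mac(session, mac_table):
    """Older extension behaviour: key the lookup on the MAC that authenticated.
    A dock presents its own NIC MAC, so the laptop's record is never found."""
    return mac_table.get(session["Connection:Client-Mac-Address"].lower())

def lookup_by_cert(session):
    """Newer behaviour: key the lookup on the device ID carried in the
    EAP-TLS/TEAP certificate, which is the same whichever NIC is used."""
    dev_id = device_id_from_cert(session)
    return None if dev_id is None else INTUNE_DEVICES.get(dev_id)

def decide(session):
    """Fail closed: no device ID in the cert, unknown ID, or non-compliant -> REJECT."""
    record = lookup_by_cert(session)
    if record is None or record["complianceState"] != "compliant":
        return "REJECT"
    return "ALLOW"

# Constructed sessions: the same laptop on its own NIC and then through a dock.
CERT_CN = "3f2a9c1e-0b7d-4e55-9a61-2c8d5f7e1a90"
LAPTOP_NIC = {"Connection:Client-Mac-Address": "AA-BB-CC-11-22-33",
              "Certificate:Subject-CN": CERT_CN}
DOCK_NIC = {"Connection:Client-Mac-Address": "DD-EE-FF-44-55-66",
            "Certificate:Subject-CN": CERT_CN}
# The MAC table only knows the laptop's built-in NIC, as a MAC-based sync would.
MAC_TABLE = {"aa-bb-cc-11-22-33": INTUNE_DEVICES[CERT_CN]}

if __name__ == "__main__":
    for name, s in (("laptop NIC", LAPTOP_NIC), ("dock NIC", DOCK_NIC)):
        print(name, "found by MAC:", lookup_by_mac(s, MAC_TABLE) is not None,
              "decision by cert:", decide(s))
```

Running it shows the dock session is not found by MAC but is still allowed by the certificate-keyed lookup, which is the behaviour the newer extension and updated policies are meant to give.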



  • 10.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 11:54 AM

    Thanks @chulcher,

    I am going to update the policy and implement your solutions. I will let you know my findings.

    Thanks




  • 11.  RE: EAP-TEAP Wired User

    Posted May 19, 2024 06:15 AM

    Hi

    From the screenshots of your policies I can't see anything related to the MAC addresses, and they look OK as far as I can see.

    One thing that came to my mind, if you check the Access Tracker for both the computer MAC address and the docking station MAC address, can you verify that the devices only hit the 802.1x service?

    In the 802.1x service, what authentication methods do you allow? EAP-TEAP should be the only authentication method in the service with your current role mapping and enforcement policies.

    On the switch side, do you have a configuration performing MAC auth before the 802.1x? In this case the docking station will first get a MAC authentication, probably with profiling. Slightly later the client will perform the 802.1x authentication; maybe this situation could cause issues. But it depends on how the switch prioritizes between MAC authentication and 802.1x.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 12.  RE: EAP-TEAP Wired User

    Posted May 20, 2024 01:45 PM

    Thanks @jonas.hammarback for your feedback. 

    I have partially made it work. I have disabled the auth requirement since every user is going to be on site.  

    Now, my enforcement profiles are not working properly. ClearPass is rejecting me even though I am doing machine auth. I am not sure why for now. 

    I want to rely on enforcements for the rest of the configurations.