Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TEAP Wired User

  • 1.  EAP-TEAP Wired User

    Posted May 16, 2024 10:00 AM

    Hello Guys,

    I have configured TEAP successfully on wireless. Thank you, everyone, for your input. I am facing a new problem on the wired side.

    At my company we use docking stations to plug in our Ethernet cable, and the docking station has a different MAC address than the wireless one. Every time I try a new dock, ClearPass associates the hostname with the dock's MAC address, but it comes up as Unknown in the endpoints.

    Unless I make that MAC address Known, ClearPass will always reject the computer on the TEAP config. Should I configure TEAP differently, because it is impossible to note every docking station's MAC address?

    Any help would be appreciated.

    Thanks



  • 2.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 16, 2024 10:19 AM

    I'm confused as to what you are doing.  Known vs Unknown is used by MAC auth and the endpoint database cleanup criteria.  The setting shouldn't have any impact for TEAP since you're using credentials with TLS or PEAP.  After you've successfully authenticated the device use an endpoint action to automatically mark the endpoint as known if that is what you need to do.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: EAP-TEAP Wired User

    Posted May 16, 2024 01:36 PM

    Hello @chulcher

    The problem is that the device is not authenticated properly, as the dock has a different Ethernet MAC address. That is conflicting with the existing one in Intune.

    I am going to work on the machine auth then since that is my only roadblock as of right now. 




  • 4.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 16, 2024 02:55 PM

    Are you attempting to do a lookup through the Intune extension based on the client's MAC address?  If so, you are correct, that's not going to work when you add docking stations to the mix.  You need to move towards using the device ID assigned by Intune and that gets embedded within the certificate used by the device for authentication.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
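The contrast Carson draws above, keying the endpoint lookup on the identity inside the machine certificate instead of on Calling-Station-Id, as an added example that is not code from this thread or from HPE Aruba. It assumes the Intune SCEP profile places the Intune device ID in the Subject CN (the `{{DeviceId}}` variable), and the endpoint record, the MAC addresses, the device ID and the throwaway issuing CA are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Endpoint is a constructed stand-in for an Intune-synced endpoint record.
type Endpoint struct {
	Hostname string
	DeviceID string // Intune device ID; assumed to be what the SCEP profile puts in the Subject CN
	MAC      string // the laptop's built-in NIC, the only MAC Intune knows about
}

// Constructed inventory (one laptop), indexed by NIC MAC and by Intune device ID.
var laptop = Endpoint{Hostname: "ocisse-dx15", DeviceID: "2f4b9c1e-7d3a-4e8b-9a10-6c5d4e3f2a1b", MAC: "00-11-22-33-44-55"}
var byMAC = map[string]Endpoint{laptop.MAC: laptop}
var byDeviceID = map[string]Endpoint{laptop.DeviceID: laptop}

// lookupByMAC is the pattern that breaks behind a dock: Calling-Station-Id carries the
// dock NIC's MAC, which is in no inventory, so the device shows up as Unknown.
func lookupByMAC(callingStationID string) (Endpoint, bool) {
	ep, ok := byMAC[strings.ToLower(callingStationID)]
	return ep, ok
}

// lookupByCert keys on the identity inside the EAP-TLS client certificate, which travels with
// the machine whatever NIC it is on. The CN is trusted only after the chain validates to the CA.
func lookupByCert(cert *x509.Certificate, roots *x509.CertPool) (Endpoint, bool) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Endpoint{}, false // untrusted issuer: any CN it carries means nothing
	}
	ep, ok := byDeviceID[strings.ToLower(cert.Subject.CommonName)] // assumption: CN={{DeviceId}}
	return ep, ok
}

// sign generates a fresh P-256 key and a certificate from tmpl; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a throwaway issuing CA standing in for the Intune/NDES PKI.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueClientCert mimics the SCEP-issued machine certificate: CN = Intune device ID,
// SAN DNS = hostname, client-auth EKU. Nothing in it depends on a MAC address.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID, hostname string) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceID}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, err := issueClientCert(ca, caKey, laptop.DeviceID, laptop.Hostname)
	if err != nil {
		panic(err)
	}
	// Same laptop and certificate seen behind two Calling-Station-Ids: its own NIC, then a dock.
	for _, mac := range []string{laptop.MAC, "a4-bb-6d-01-02-03"} {
		_, knownByMAC := lookupByMAC(mac)
		ep, knownByCert := lookupByCert(cert, roots)
		fmt.Printf("%s: MAC lookup known=%v, cert lookup known=%v (%s)\n", mac, knownByMAC, knownByCert, ep.Hostname)
	}
}
```

Run it and the first Calling-Station-Id is known both ways, while the dock's MAC is known only through the certificate. The chain check in lookupByCert is the part that matters: a MAC is trivially spoofable and changes with every dock, whereas the CN is bound to a private key the machine holds and to a CA you trust, so it is the value a role-mapping rule should key on. In ClearPass terms this means conditioning on the certificate's subject attributes (and the Intune device ID they carry) rather than on the endpoint record that the dock's MAC creates; the exact attribute names used in any given ClearPass policy are not shown in this thread.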



  • 5.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 05:42 AM

    Hi

    Can you share the configuration of your role mapping and enforcement policies? Do you have any condition in the policies that evaluates if the status is Known?

    As Carson mentioned, the status should only have impact in some use cases with MAC authentication, like guest MAC caching.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 09:39 AM

    Hello @jonas.hammarback

    Maybe that is a good idea. I could put in place a policy that evaluates when a device is marked Unknown. I will look at that option.

    Here are my enforcement and roles screenshots.


    I already have devices synced from Intune. But when I plug into the dock, it gets a different MAC address from the dock's Ethernet card. So ClearPass thinks it is a new device and does not know how to classify it.

    You can see from the screenshot that the second one is Known and the first one is from the docking station.

    Thanks




  • 7.  RE: EAP-TEAP Wired User

    EMPLOYEE
    Posted May 17, 2024 10:41 AM

    Is there something in the role mapping policy that is evaluating the endpoint status?  I see nothing in the enforcement policy.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: EAP-TEAP Wired User

    Posted May 17, 2024 10:59 AM

    Hey @chulcher

    I am evaluating the endpoint status in the role mapping policy. In the wired_teap_testing group, I am only putting the device name ocisse-dx15.

    I have tested another policy. Here are the screenshots.

    In that case, only the machine should be authenticated. But ClearPass is still rejecting me. Maybe I should find a way to authenticate all endpoints that have a hostname I can find in Intune.




  • 9.  RE: EAP-TEAP Wired User