I'll try to explain a few basic things.
The problem you are experiencing is called RADIUS authentication with cascaded switches.
You have a switch with port authentication enabled, and to this switch you need to connect another switch that also does authentication. The problem has nothing directly to do with ClearPass and would happen with any other authentication server.
The ports over which the interswitch link is established require special configuration.
scenario 1
Authentication is disabled on the downlink port of the main switch.
Authentication is deactivated on the uplink port of the second switch.
scenario 2
On the downlink port of the main switch authentication is activated; the port does dot1x authentication and is in port-based mode.
Supplicant is enabled on the uplink port of the second switch.
scenario 3
On the downlink port of the main switch authentication is enabled; the port does mac-address authentication and is in port-based mode.
On the uplink port of the second switch, authentication is deactivated.
Port-based mode is important and means that the first authentication request opens the port; all authentication requests arriving at this port after that are allowed through without authentication. This avoids double authentication on the access port of the second switch and on the downlink port of the main switch. This is not a security problem because the clients have already authenticated themselves on the second switch.
You just have to make sure that the second switch always logs in first. This works easily if you configure the uplink as supplicant. As soon as the uplink goes up, the switch sends the configured username and password. With mac-auth it can happen that an auth request from the endpoint arrives first at the main switch. Then everything becomes a matter of luck.
The uplink port in the second switch must be configured accordingly. It may then only be connected via this port.
The question is, how do you reconfigure the currently used downlink port in the main switch to port-based mode? You additionally have to reconfigure the previously used port back to user-based mode. You can do this manually, but it is not very practical.
You can switch authentication mode to port-based mode with a VSA, this would only apply for the session duration, just like VLAN tagging. You can disable the unused authentication protocol by setting the client limit for this type to 0. As soon as the port goes down, it will fall back to the configured authentication mode.
You don't have to send this VSA on every authentication, but only when the second switch authenticates.
So in your use case you have to do the following:
As you describe your use case, scenario 1 is out of the question; you have to decide between scenario 2 and 3, depending on whether the main switch uses dot1x, mac-auth or dot1x with fallback to mac-auth. That means you configure the supplicant on the uplink of the second switch for dot1x and use any user that can authenticate against an auth-src in ClearPass. Or you do mac-auth and use the mac-address of the second switch. For the switch authentication you have to create an appropriate enforcement profile in which you set the auth-mode to port-based mode and disable unused authentication.
For example, this profile sets the port mode for dot1x authentication to port-based and disables mac-auth.
If you tag VLANs dynamically you can use it in this profile as well. VLAN tagging is not directly related to authentication. You can enable port authentication and statically tag VLANs on all ports. But dynamic tagging makes your life easier.
Good luck
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
------------------------------
Original Message:
Sent: Jan 20, 2023 01:24 PM
From: milesv
Subject: Enabling Clearpass on an Uplink Port
Hi Lord,
Thank you for your reply. I am a bit of a ClearPass noob and I am trying to enable the supplicant port on my 2530 switch. I entered the following command (aaa port-access supplicant 26). Do I also need to specify a username and password for the RADIUS server in order for this authentication to work properly? Currently in ClearPass I see the request using a MAC-AUTH authentication method referring to an endpoint repository.
Also, for the enforcement, do I then need to create a new enforcement policy and configure it with VLAN tagging, and switch the authentication for the 2930F to port mode?
Original Message:
Sent: Jan 20, 2023 12:15 PM
From: lord
Subject: Enabling Clearpass on an Uplink Port
Hi milesv,
you have to enable supplicant on the uplink port of the 2530 switch ("aaa port-access supplicant" ...). The 2530 will then perform EAP-MD5 authentication on the port of the Aruba 2930F, provided that authenticator is enabled on this port of the 2930F. In the CPPM you can recognize this authentication attempt by the credentials used. You have to create the corresponding enforcement with VLAN tagging for this authentication. In the same enforcement you have to switch the authentication of the Aruba 2930F port to port mode.
This should solve your problem.
If you don't enable port mode, all endpoints from the 2530 switch will have to authenticate twice: the first time on the access port of the 2530 switch and the second time on the port of the Aruba 2930F.
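The following is an added configuration sketch that ties together the two answers above (supplicant on the 2530 uplink, port-based mode on the 2930F downlink driven by a ClearPass enforcement profile). It is not taken from the thread or from any vendor document: port numbers, the RADIUS server address, the supplicant identity, the profile name and the VLAN numbers are placeholders, and the HPE VSA names are quoted as I recall them from the Hewlett-Packard-Enterprise RADIUS dictionary shipped with ClearPass; check them against the dictionary loaded on your own CPPM before use.

```text
! ---- Aruba 2930F (main switch) ----
! Any port the mobile 2530 may be plugged into is configured as an ordinary
! user-based authenticator port: 802.1X first, MAC auth as fallback.
! RADIUS server address and key are placeholders.
radius-server host 10.0.0.5 key <shared-secret>
aaa authentication port-access eap-radius
aaa authentication mac-based chap-radius
aaa port-access authenticator 10
aaa port-access authenticator 10 client-limit 8        ! user-based mode by default
aaa port-access mac-based 10
aaa port-access mac-based 10 addr-limit 8
aaa port-access authenticator active

! ---- Aruba 2530 (second, mobile switch) ----
! Port 26 is the uplink (from the thread). It acts as an 802.1X supplicant
! (the 2530 speaks EAP-MD5) and sends the configured identity/secret as soon
! as the link comes up, so the switch authenticates before any endpoint can.
! Identity "sw2530-uplink" is an assumption; "secret" prompts for the password.
aaa port-access supplicant 26
aaa port-access supplicant 26 identity sw2530-uplink
aaa port-access supplicant 26 secret
! Access ports 1-24 keep authenticating their own endpoints against ClearPass.
aaa port-access authenticator 1-24
aaa port-access authenticator active

! ---- ClearPass enforcement profile "Uplink-PortBased" (name is an assumption) ----
! Type: RADIUS, Action: Accept.
! Applied by the enforcement policy ONLY when the user authenticating is the
! supplicant identity above (e.g. Authentication:Username EQUALS sw2530-uplink).
! Untagged (native) VLAN for the uplink: standard IETF tunnel attributes.
Radius:IETF:Tunnel-Type                                      = VLAN (13)
Radius:IETF:Tunnel-Medium-Type                               = IEEE-802 (6)
Radius:IETF:Tunnel-Private-Group-Id                          = 100
! Switch the 2930F port to port-based mode for this session and disable the
! unused MAC-auth method by setting its client limit to 0 (reverts on link down).
Radius:Hewlett-Packard-Enterprise:HPE-Port-Auth-Mode-Dot1x   = Port-based (1)
Radius:Hewlett-Packard-Enterprise:HPE-Port-Client-Limit-MA   = 0
! Client VLANs the 2530 hands out must also cross the uplink as TAGGED VLANs.
! Either tag them statically on every candidate downlink port of the 2930F, or
! add them dynamically with RFC 4675 Egress-VLAN-Name ("1" prefix = tagged):
Radius:IETF:Egress-VLAN-Name                                 = 1Clients-A
Radius:IETF:Egress-VLAN-Name                                 = 1Clients-B
```

Two things to check when bringing this up: the ClearPass service that handles the uplink must allow EAP-MD5 as an authentication method and the supplicant account must be stored with a password ClearPass can use for MD5 challenge/response (a local user works, a hashed-only directory password does not); and the endpoint client-VLAN profiles used by the 2530 must not carry the HPE port-mode attributes, otherwise an endpoint authenticating through a 2930F port directly would also flip that port to port-based mode.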
Original Message:
Sent: Jan 19, 2023 04:49 PM
From: milesv
Subject: Enabling Clearpass on an Uplink Port
I have a strange predicament that I can't find any information about online. I'd like to enable ClearPass on an uplink port from my main switch to my second switch. The second switch will also be running ClearPass to authenticate any devices plugged in. The reason I'd like to accomplish this is that the second switch will be moving around and could be plugged into any Ethernet port with ClearPass enabled.
When I tested this and enabled ClearPass on the uplink port, I noticed that ClearPass on the second switch did not work properly. ClearPass would send the second switch the correct VLAN to assign to a device, but the second switch would not change the VLAN for that specified port. So, the device is being authenticated successfully, but switch 2 will not change the VLAN once ClearPass tells it to.
Does anybody have any experience with this at all or could provide some additional information to help me out?