MAC addresses are easily spoofable anyway, and because there is nothing more than the MAC address, it does not even make sense to send a password (which EX apparently does by default). Most other switches send out an authentication (PAP or CHAP, I believe) with both username and password set to the client's MAC address.
Your RADIUS traffic should go over a more or less secured or trusted network anyway as there is no / weak encryption in the RADIUS protocol that is from the previous century, and has that time's security. You may consider RadSec to encrypt all your RADIUS traffic, but for MAC authentication I would rate that overkill in most cases.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Sep 21, 2022 01:51 AM
From: Lawrence Brandt
Subject: Error Code 209; No password in request; MAC authentication
Hi,
Does adding PAP to the mix pose a security risk? I'm using EAP-MD5 and I get timeouts, only very occasionally, that show the mac radius restrict says there's no password, so it needs to do an EAP-MD5 challenge. This (again occasionally) times out after about 40 seconds.
If I only change the mac auth authentication to be PAP on the switch, I bypass the EAP challenge issue. I will get a trace from ClearPass to see what actual packets are being exchanged. But what do you think?
My boss worries about security. The other question is can I set a switch-wide mac auth password? It seems like the "no password" thing is actually a no password thing.
Tnx,
Ambi
------------------------------
Ambidexter
Original Message:
Sent: Oct 24, 2019 02:41 AM
From: Martin Zdrahal
Subject: Error Code 209; No password in request; MAC authentication
I have met the same problem on Juniper ex2200-48p-4g switches. I got this error 209 with 802.1x MAC address bypass set. I found experimentally that it works if the PAP protocol is set on the Juniper switch.
Working Juniper switch config for 802.1x MAC address bypass:
set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius restrict
set protocols dot1x authenticator interface ge-0/0/44.0 mac-radius authentication-protocol pap
It depends on the SW version of the switch, as some older versions do not support the PAP protocol.
It is not possible to set PAP protocol:
Model: ex2200-48p-4g
JUNOS Base OS Software Suite [12.3R9.4]
It is possible to set PAP protocol:
Model: ex2200-48p-4g
Junos: 15.1R6.7
Description of this Juniper command: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/authentication-protocol-edit-mac-radius.html
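Added example, not part of any post in this thread: a Python sketch of what a PAP MAC-authentication Access-Request carries, using the User-Password hiding from RFC 2865 section 5.2. It shows the MAC travelling in clear as User-Name while the same MAC, sent as the password, is only masked with MD5 of the shared secret. The MAC format, shared secret, identifier and authenticator are constructed sample values, and the function names are illustrative.

```python
import hashlib
import struct

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP User-Password attribute value (RFC 2865 section 5.2)."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server (or anyone holding the shared secret) computes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def mac_auth_request(mac: str, secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Access-Request (code 1) with User-Name (1) and User-Password (2) both = MAC."""
    user = mac.encode("ascii")
    attrs = _attr(1, user) + _attr(2, hide_password(user, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    MAC, SECRET, RA = "aabbccddeeff", b"constructed-shared-secret", bytes(range(16))
    pkt = mac_auth_request(MAC, SECRET, 7, RA)
    print("User-Name on the wire:    ", pkt[22:34])        # cleartext MAC
    print("User-Password on the wire:", pkt[36:52].hex())  # MD5-masked MAC
    print("recovered with secret:    ", unhide_password(pkt[36:52], SECRET, RA))
```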