Security

 View Only
last person joined: 9 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Errors on Radius request on Mac-Authentication

This thread has been viewed 14 times
  • 1.  Errors on Radius request on Mac-Authentication

    Posted Sep 04, 2024 11:26 AM

    hello, I configured Aruba ClearPass on two 2560 poe model switches  but mac-authentication does not work.(other switch work correctly)

     I noticed that the radius request that comes to me from the switch has the Service-Type attribute 2 (framed-user) instead of 10, which is call-check like all the other switches, and so it try to connect used Wired - EAP-TLS Certificate Authentication  instead of Wired - Mac Authentication.

    how can i change the radius request service type attribue for MC auth request?



  • 2.  RE: Errors on Radius request on Mac-Authentication

    EMPLOYEE
    Posted Sep 04, 2024 06:55 PM

    In your service categorization for the MAC auth you can add Framed-User as a Service-Type and use:

    Then in the 802.1X service use:

    Typical starting point for service categorization of MAC auth on wired, agreed the Framed-User is odd:

    802.1X service:



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Errors on Radius request on Mac-Authentication

    Posted Sep 05, 2024 02:33 AM

    Hi Carson, 

    thanks to reply, my clearpass configuration are like the one you reported:

    MAC:

     in 802.1X service i not have client-mac-address NOT_EQUALS, i have only nas port type and service-type radius:IETF

    MAC, are on top of 802.1x ...... at the moment i have Add service type framed-user also at MAC-auth, in this case work correctly.
    When a PC arrives with the certificate it is not in the approved Mac database and therefore fails and switches to the 802.1x service that authorize!

    For Information:

    The switch that have this problem are a J8165A and have the latest update H.10.119




  • 4.  RE: Errors on Radius request on Mac-Authentication

    EMPLOYEE
    Posted Sep 05, 2024 11:05 AM

    Yeah, that switch is ancient and pre-dates the feature convergence in AOS-S.  Don't expect any kind of feature equivalence with more current switches.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Errors on Radius request on Mac-Authentication

    EMPLOYEE
    Posted Sep 04, 2024 06:59 PM

    Also, you don't mention what version of software the switch is running, and an example of your configuration would be useful.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------