Security

 View Only
last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

mac auth happens after successful 802.1x auth

This thread has been viewed 55 times
  • 1.  mac auth happens after successful 802.1x auth

    Posted Sep 01, 2022 09:55 AM
    We notice some of users disconnect from the network and we check the logs and found mac auth happens after successful 802.1x auth they stucked and OnGuard is not known


    Users VLAN is 25
    Voice VLAN is 13

    Switch port configuration:  (for avaya IP Phones and Laptops)
    interface 1/4
    name "User_25"
    tagged vlan 13
    untagged vlan 25
    aaa port-access authenticator
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    exit

    is there a way to not do Mac Auth for the laptops. i know because the switch port contain auth configs for both MAC & Dot1x





    ------------------------------
    BR,
    Mohanad
    ------------------------------


  • 2.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 01, 2022 11:27 AM
    So is your computer supplicant configured correctly to always attempt 802.1X?  When do you see the MAC Auth attempt?  Is the device going to sleep?


  • 3.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 03, 2022 10:45 AM
    Laptops configured with GPO for EAP-TLS and always attempt to authenticated, i see MAC Auth attempt before and After.

    I have 2 cases:

    Case 1: After Successful 802.1X mac auth happens and user stucked  (in the access tracker log mac auth is rejected) then working after restart the windows (not all the times) sometime same behavior after restart.

    Case 2: MAC auth happens only even the supplicant configured correctly and switch port after restart the windows 802.1X done and user is authenticated successfully

    I did some research and found similar cases and found i should
    reduce the time how long the switch wait for an 802.1x answer (default 30sec.)

    aaa port-access authenticator 1/4 supplicant-timeout 5




    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 4.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 01, 2022 03:30 PM
    Is auth-order set on the switch?

    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------



  • 5.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 03, 2022 10:47 AM
    Unfortunately my current ArubaOS is not supporting the auth-order command.

    i will try aaa port-access authenticator 1/4 supplicant-timeout 5




    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 6.  RE: mac auth happens after successful 802.1x auth

    EMPLOYEE
    Posted Sep 02, 2022 10:36 AM
    Are you using a PC behind a phone?

    What type of switch is this? Looks like ArubaOS-Switch (2930/3810/5400). In most switches (either default, or by configuration) an 802.1X authentication should take precedence over MAC authentication. It could be that when a client 'drops' 802.1X (like logging out, switching off, going in sleep), MAC authentication takes over. If 802.1X authentication succeeds for a client, the MAC authentication should be ignored (in AOS-Switch).

    What switch firmware are you running?

    What does 'show port-access clients' show for that client? Or 'show port-access clients <port number> detail'?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 03, 2022 11:10 AM
    Yes, all PC's behind phones

    2920-24G-PoE+ Switch
    Boot ROM Version: WB.16.01

    This behavior not for all users, some of them.

    GPO is the same for all 350 users.
    Switch port config for Mac and 802.1x but i can see also different configs like the follow (applied only on 50 ports)

    aaa port-access authenticator 4/2 tx-period 10
    aaa port-access authenticator 4/2 supplicant-timeout 10


    I have another questions when Auth happens. i.e. I came to the office at the morning and plugged the cable and successfully authenticated, after 2 hours i attend to meeting room for 1 hour and came back to my desk and plugged the cable so i will re-auth right?

    so auth and re-auth happend after plug/unplug , switch port bonus, windows restart/logoff?



    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 8.  RE: mac auth happens after successful 802.1x auth

    EMPLOYEE
    Posted Sep 05, 2022 04:51 AM
    Please check the firmware version that you are running, and if that is recent. The Boot ROM version is different from the firmware version. Latest version at the moment is 16.10.0022.

    For AOS Switch, it is expected that you see both MAC and 802.1X, and if you have a successful 802.1X that should override what you see from the MAC Authentication. Authentication indeed happens when ever a port is plugged (and it is released when you unplug the cable), although when you have an IP Phone in between the link to the switch will not go down so the switch will not re-auth when you plug in again. After a switch port bounce you will have a re-authentication, and if you logout/restart Windows it will probably do a 'EAP-Logoff' which unauthenticates the 802.1X session, and may do a MAC authentication afterwards. Some phones do, or can be configured to do the EAP-Logoff 'on behalf of' for the PC if you unplug the secondary port of the phone. If phone and PC are on separate ports, that is not an issue of course.

    I would recommend checking the Wired Policy Enforcement (Solution Guide) , which is available from the documentation portal, for the right configuration of your switch and ClearPass.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 07, 2022 10:54 AM
    Thank you for reply.

    As per CPPM support "

    From ClearPass perspective, it won't override anything. It will just process the request it received from the switch and send the radius response based on the service configuration. Then the override or priority assignment is depends on the switch side configuration and switch behavior."

    I can confirm after successful 802.1x auth i can see rejected mac-auth, but the user is working successfully.


    After days of investigation of auth issue :( , we are using EAP-TLS for machine auth and certain users having issue when they come to the office at the morning they must restart their pc in order to send auth request. and if they go to Sleep/Hibernation the same issue happened only solved by restart the pc.

    I found  similar cases

    When systems resume from sleep; they do not attempt machine authentication; only user authentication.  This is by design on Windows

    Machine Authentication after resuming from Sleep/Hibernation | Security (arubanetworks.com)

    How to change the machine-authentication timeout | Security (arubanetworks.com)

    Machine Authentication after Windows Hibernation | Security (arubanetworks.com)

    is there is solution from clearpass side to solve this issue?  combine user auth + machine auth to overcome this issue?



    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 10.  RE: mac auth happens after successful 802.1x auth

    EMPLOYEE
    Posted Sep 07, 2022 08:38 PM
    well its up to you to increase the timeout value from the default of 24 hours.
    Also note what Colin mentioned in one of your links

    The default time is typically sufficient. If a machine has successfully machine authenticated, every time the user authenticates after that, the machine cache is reset. Let me repeat: When a machine authenticates successfully, a countdown timer is started. When a user authenticates after a machine has authenticated successfully, the machine authenticated timeout is reset. So, the timer does not have to reflect how often the computer is rebooted, since every time a user authenticates successfully AFTER a machine successfully authenticates, the machine cache is reset.

    You can think of the timer as "If a user does not touch the laptop for X minutes", they will have to reboot it so that it can successfully machine authenticate. There are some users who use their laptops frequently and it is not a problem. There are some users who leave their laptops for days and it also won't be a problem.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 11.  RE: mac auth happens after successful 802.1x auth

    Posted Sep 10, 2022 03:11 PM
    Thank you so much ariyap for your reply, this value of "machine authentication cache timeout" communicate to the switch to be aware and does not wait or expect re-auth from the client?

    i found and applied this command on the switch "aaa port-access authenticator 1/6 cached-reauth-period 86400" and solved sleep issue, but i'm still troubleshooting when they come to the office at morning their laptops not sending auth request until they restarted it.

    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 12.  RE: mac auth happens after successful 802.1x auth

    EMPLOYEE
    Posted Sep 10, 2022 08:17 PM
    no the "machine authentication cache timeout" is for ClearPass to cache it and nothing to do with this value being sent to the NAD (switch/AP/gateways)

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------