View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

MAC-Auth issue, possibly timeout, with Cisco Switch and CPPM - Config Guidance Request

This thread has been viewed 16 times
  • 1.  MAC-Auth issue, possibly timeout, with Cisco Switch and CPPM - Config Guidance Request

    Posted May 31, 2023 11:28 AM

    I recently set up Mac Authentication in Clearpass with our Cisco switches for a couple of devices.  One of the devices I so far haven't had any issues with, the other however, went a little sideways.

    My config on the switch I basically took the same config I'd use for my dot1x certificate authenticated devices but instead since I knew these ports were only mac auth, I reversed the order and put "mab" before dot1x.  So my config looks like this on the switch side:

     switchport mode access
     switchport access vlan 505
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 30
     dot1x max-req 3
     dot1x max-reauth-req 10
     spanning-tree portfast

    If something is wrong, I'd like to hear it because I am definitely new to setting this up.

    The profile I applied to the port upon authentication contains this:

    Radius:IETF    Session-Timeout        =    259200
    Radius:IETF    Termination-Action    =    RADIUS-Request (1)
    Radius:IETF    Tunnel-Type        =    VLAN (13)
    Radius:IETF    Tunnel-Medium-Type    =    IEEE-802 (6)
    Radius:IETF    Tunnel-Private-Group-ID    =    505

    We have a mix of APC and Tripp-lite UPS systems, and so even though I know I can use certs on the APCs, I wanted to at least use these as practice for mac-auth for a while, and that way the config could be consistent until I have time to see if both can use certs.

    The issue I faced was, I had an issue with a UPS, so I decided to try to do a firmware update.  Part of the firmware update required me to enable ftp temporarily, which forces a reboot of the management card.   When I rebooted the card, the device did not come back on the network.   I spent a bunch of time trying to figure out what went wrong, and proceeded to try the same things on a few other UPSs.  These had all be set up to use NAC a week or so prior.   After a while I had 6 devices that would not come back online.  I would have thought with a reboot the port would re-auth and everything would be fine.   The cards have static IPs BTW.   With that in mind, it's possible that since it does not use DHCP, that it would not generate any traffic on reboot, at least until the NTP update would happen, although I'd think it would send a syslog message after a reboot.  My thoughts are that with it not making traffic it may not try to authenticate.

    At any rate, what could I have done wrong with the above config?

    I'm now, after reading some forum posts, considering on the switch side doing:

    no authentication periodic    -  Which should disable periodic authentication.

    Or, in my profile, eliminating the line: 
    Radius:IETF    Session-Timeout        =    259200

    I'm not sure if it'll still work, with no session-timeout, but the command on the switch "authentication time reauthenticate server" tells the switch to use the timeout from clearpass.  Maybe if I pass it no timeout it will just keep the port alive.   I know security is a little less with no reauthentication but my thought is that in general, if the
    device is ever unplugged, the port will drop and then any authentication would be invalid anyway, so for a UPS that is up 24x7x365 it may help keep these reliable.

    Am I over-thinking it, or did I miss something that I should have done?   I originally gave it a long timeout to ensure it would stay accessible, but did that only contribute to the problem?

    I thought it would be good to post the Cisco config here too, because that info, while available, has many documents with a variety of versions of settings, so discussing it here could benefit others in the future.

  • 2.  RE: MAC-Auth issue, possibly timeout, with Cisco Switch and CPPM - Config Guidance Request

    Posted Jun 27, 2023 08:09 AM

    Two things. First I see 'authentication priority mab dot1x' which may not make too much sense as in case there is both 802.1X and MAC Auth, the MAC Auth attributes will take preference and 802.1X is basically ignored. In most cases you would prioritize the 802.1X, but if there is only MAC Auth... it does not really matter of course, but you would probably better disable 802.1X on the port.

    Then, yes there are devices that don't send any data when connected, and UPS sounds like a device that could behave like that. It would be good to do a packet capture/port mirror to see if that is indeed the case. Configuring something that triggers traffic, like DHCP (with static assignment, or static IP fallback), syslog, NTP is a common workaround. Capture the traffic to find out if that really is the case. For authenticated devices, a long idle timer/reauth or disabled reauth may be considered as a workaround, but if the device does not send traffic if the link goes up, it may be harded to handle that properly. You may use an unauthenticated VLAN on some switches, and send wake-on-lan or ping via that VLAN to trigger client-side traffic.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.