Hi dncastro and Jonas,
Yes, the authentication method is EAP-PEAP, but the machine is only configured for "computer authentication", and not "user authentication", so if the machine is not a domain machine it should be placed directly in the quarantine VLAN, with no authentication with AD user credentials.
The client side 802.1X configuration is ok, and so is the RADIUS certificate from ClearPass, because when it is a domain machine it authenticates correctly and is assigned the correct VLAN.
I attach the switch interface settings and ClearPass policy. The switch has also mac-authentication commands, because I am also authenticating phones and printers (VLAN 21), service which works correctly as well:
SWITCH INTERFACE
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid vlan 21 tagged
port hybrid vlan 1 50 55 untagged
mac-vlan enable
poe enable
dot1x
undo dot1x handshake
dot1x mandatory-domain dot1x-auth
undo dot1x multicast-trigger
dot1x unicast-trigger
mac-authentication
mac-authentication domain mac-auth
mac-authentication timer auth-delay 15
mac-authentication parallel-with-dot1x
#
I have tried also adding the "dot1x auth-fail vlan 50" command, but with the same result.
CLEARPASS
Roles Tab

Enforcement Tab

Default profile (quarantine VLAN)

I repeat, when the client is a domain machine, it authenticates correctly and is assigned the correct VLAN (VLAN 1 untagged), no timeout errors at all. Also the phones authenticate correctly by MAC authentication, and get assigned VLAN 21 tagged. Any tip?
------------------------------
Regards,
Julian
------------------------------
Original Message:
Sent: Sep 27, 2023 04:16 PM
From: jonas.hammarback
Subject: Timeout when setting a quarantine VLAN
Hi Julian
By your description I assume that the authentication method is EAP-PEAP and the machine that is not a domain machine tries to perform an authentication with the user credentials in Active Directory.
One problem, besides the fact that EAP-PEAP is an old protocol with flaws, is that the client side configuration can be a challenge, and if the client doesn't have a correct 802.1x configuration it will not accept the Radius certificate from ClearPass and the request will time out. Another issue can of course be that the client doesn't have 802.1x configured at all, and in that case you need to provide a MAC authentication service to handle the authentication for unknown machines and send back the quarantine VLAN, or configure the VLAN in the switch as a VLAN that the unauthenticated client is placed on.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or marking it as the solution
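Both replies hinge on the RADIUS server "sending back the quarantine VLAN": on the wire that is the RFC 2868/RFC 3580 tunnel attribute triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) carried in the Access-Accept, which is what a ClearPass VLAN enforcement profile emits and what the switch reads to move the port. The following is an added example, not code from the thread, ClearPass or H3C: it builds that triple for a VLAN id and parses it back out of a raw attribute section, so a packet capture of the Accept can be checked against what the enforcement profile was supposed to return. The tag byte value and the sample inputs are constructed assumptions; the attribute numbers and enumerations are the standard ones from the RFCs.

```python
"""Build and parse the RFC 2868 / RFC 3580 tunnel attributes a RADIUS server
returns to assign a VLAN to an 802.1X- or MAC-authenticated port."""
import struct

# Standard RADIUS attribute type codes (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Enumerations used for VLAN assignment (RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # Tagged integer attribute: type, length (always 6), tag byte, 3-byte value
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 0..31")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Return the three attributes that place the port into vlan_id (tag is an assumed value)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of 802.1Q range")
    group = str(vlan_id).encode("ascii")
    private_group = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return (
        _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + private_group
    )


def parse_attributes(data: bytes):
    """Yield (type, value_bytes) pairs from a raw RADIUS attribute section, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2 : pos + length]
        pos += length


def assigned_vlan(data: bytes):
    """Return the VLAN id the attributes request, or None if the triple is incomplete or malformed."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte greater than 0x1F is data, not a tag
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    try:
        vlan = int(group.decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    # Constructed input: the thread's quarantine VLAN 50
    quarantine = encode_vlan_attributes(50)
    print(quarantine.hex())
    print(assigned_vlan(quarantine))
```

A capture that shows an Access-Accept without all three attributes (the parser returns None) explains a port that stays in its native VLAN; a capture with no Access-Accept or Access-Reject at all, which is what a ClearPass "Timeout" records, means the EAP conversation never finished and no VLAN was ever sent, so the switch-side fallback VLAN is the only thing that can place the client.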
Original Message:
Sent: Sep 27, 2023 10:24 AM
From: fjulianom
Subject: Timeout when setting a quarantine VLAN
Hi community,
I am setting up a wired 802.1X authentication scheme with ClearPass and H3C switches. My policy says:
- If the machine is in the corporate domain (machine authenticated), it gets assigned VLAN 1 untagged and has network access.
- If the machine is not in the corporate domain, it gets assigned the quarantine VLAN 50 and doesn't have network access.
Point 1 works perfectly. For point 2, when I plug in a PC which is not in the corporate domain, I get a timeout response, and I don't know why:

And it gets the quarantine VLAN 50 (because of the Default Profile in the Enforcement tab):

In my opinion, the behaviour should be to get the quarantine VLAN 50 with a Reject response, instead of a Timeout response.
Any ideas?
------------------------------
Regards,
Julian
------------------------------