I am setting up a wired 802.1X authentication scheme with ClearPass and H3C switches. My policy says:
Point 1 works perfectly. For point 2, when I plug in a PC which is not in the corporate domain, I get a timeout response, and I don't know why:
And got the quarantine VLAN 50 (because of the Default Profile in Enforcement tab):
In my opinion, the behaviour should be to get the quarantine VLAN 50 with a Reject response, instead of a Timeout response.
Julian, good afternoon.
Can you share the clear pass interface settings and policy settings?
Would you like to check the settings on your switch interface and whether you use roles and enforcement in ClearPass? As your business rule is to only authenticate devices that are in the domain, you need a rule to validate these criteria and if it doesn't pass, send a quarantine vlan. This configuration is done on the switch interface, ClearPass, and the end device.
By your description I assume that the authentication method is EAP-PEAP and the machine that is not a domain machine tries to perform an authentication with the user credentials in Active Directory.
One problem, besides the fact that EAP-PEAP is an old protocol with flaws, is that the client-side configuration can be a challenge, and if the client doesn't have a correct 802.1x configuration it will not accept the Radius certificate from ClearPass and the request will time out. Another issue can of course be that the client doesn't have 802.1x configured at all, and in that case you need to provide a MAC authentication service to handle the authentication for unknown machines and send back the quarantine VLAN, or configure the VLAN in the switch as a VLAN that the unauthenticated client is placed on.
Hi dncastro and Jonas,
Yes, the authentication method is EAP-PEAP, but the machine is only configured for "computer authentication", and not "user authentication", so if the machine is not a domain machine it should be placed directly in the quarantine VLAN, with no authentication with AD user credentials.
The client-side 802.1X configuration is OK, and so is the Radius certificate from ClearPass, because when it is a domain machine it authenticates correctly and is assigned the correct VLAN.
I attach the switch interface settings and ClearPass policy. The switch also has mac-authentication commands, because I am also authenticating phones and printers (VLAN 21), a service which works correctly as well:
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 21 tagged
 port hybrid vlan 1 50 55 untagged
 mac-vlan enable
 poe enable
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain dot1x-auth
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 mac-authentication
 mac-authentication domain mac-auth
 mac-authentication timer auth-delay 15
 mac-authentication parallel-with-dot1x
I have tried also adding the "dot1x auth-fail vlan 50" command, but with the same result.
Default profile (quarantine VLAN)
I repeat, when the client is a domain machine, it authenticates correctly and is assigned the correct VLAN (VLAN 1 untagged), with no timeout errors at all. Also, the phones authenticate correctly by MAC authentication and get assigned VLAN 21 tagged. Any tip?
For computers not joined to the AD you should focus on MAC authentication instead. Otherwise the client configuration on these unmanaged computers will be a big challenge for the end users.
Modify your MAC Auth service to place unknown devices on VLAN 50.
In the 802.1x remove the rules for non domain joined machines and deny access instead.
This way a computer with 802.1x enabled but not configured with the domain GPO will get a reject, without delay, and then continue with MAC auth instead. You will see the rejected 802.1x request in Access tracker but
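As an added check that is not part of this thread or of any vendor tool: a small Python linter that parses an H3C-style interface block and reports the switch-side settings the fallback to the quarantine VLAN depends on (parallel MAC auth, the quarantine VLAN allowed untagged on the hybrid port, and a `dot1x auth-fail vlan` fallback). The sample configuration is constructed from the interface block quoted above, abridged, with the `dot1x auth-fail vlan 50` line the poster said they tried; the VLAN number 50 is the quarantine VLAN from the thread.

```python
import re

# Constructed sample, abridged from the interface block quoted in the thread,
# plus the "dot1x auth-fail vlan 50" line the poster said they also tried.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 21 tagged
 port hybrid vlan 1 50 55 untagged
 dot1x
 dot1x mandatory-domain dot1x-auth
 dot1x auth-fail vlan 50
 mac-authentication
 mac-authentication domain mac-auth
 mac-authentication parallel-with-dot1x
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its stripped config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line:
            interfaces[current].append(line)
    return interfaces

def vlan_set(spec):
    """Expand an H3C VLAN list such as '1 50 55' or '10 to 12 50'."""
    out = set()
    for a, b in re.findall(r"(\d+)(?: to (\d+))?", spec):
        out.update(range(int(a), int(b or a) + 1))
    return out

def check_quarantine(lines, qvlan):
    """Return findings that would stop a failed 802.1X client landing on qvlan."""
    findings, untagged = [], set()
    for m in (re.match(r"port hybrid vlan (.+) untagged$", l) for l in lines):
        if m:
            untagged |= vlan_set(m.group(1))
    if "mac-authentication parallel-with-dot1x" not in lines:
        findings.append("MAC auth not parallel with 802.1X: rejected clients wait")
    if qvlan not in untagged:
        findings.append(f"VLAN {qvlan} not allowed untagged on hybrid port")
    if f"dot1x auth-fail vlan {qvlan}" not in lines:
        findings.append(f"no 'dot1x auth-fail vlan {qvlan}' fallback configured")
    return findings
```

An empty findings list means the port side is consistent with the quarantine design; the RADIUS reject versus timeout question itself still has to be read from the ClearPass Access Tracker.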