
SSID with Both MAC auth and 802.1x in ClearPass

  • 1.  SSID with Both MAC auth and 802.1x in ClearPass

    Posted Sep 16, 2015 09:14 PM

    How do you configure an SSID with both MAC auth and 802.1x against the same ClearPass service?

     

    Currently I have 2 SSIDs.

     

    1NSU (802.1X  against AD)

    NSU (Mac auth for non-802.1x devices)

     

    Before winter term I was planning to try to merge the MAC auth into 1NSU so on campus we only have 1 SSID for those devices besides Guest.

     

    1. Do you try to do MAC auth first, then if it fails, do 802.1x auth?

     

    So a wireless printer will connect to 1NSU, do MAC auth, and obtain the role Printer. Then a student will connect to 1NSU, fail MAC auth, then do 802.1x auth and obtain the role NSUStudents.

     

    Would it make sense? Or is it better to keep it separate as I have now for ease of troubleshooting and management?

     

    Thank you

    Nils.

     

     

     



  • 2.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    EMPLOYEE
    Posted Sep 16, 2015 09:20 PM

    This is not possible due to dynamic encryption protocols.

     

    You would need two SSIDs. MAC-address can only be used as an authorization source for 802.1X.

     

    It is common to have a multi-purpose guest, help/onboard, "dumb" device SSID along with your 802.1X SSID.



  • 3.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    Posted Sep 16, 2015 09:27 PM

    Thank you Cappalli!

     



  • 4.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    EMPLOYEE
    Posted Sep 16, 2015 09:30 PM
    Right, that's the most common. Your users can pre-register their "dumb"
    devices so they pass MAC-auth and the fail-through would be a splash page
    with instructions and/or guest registration.


  • 5.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    MVP
    Posted Sep 17, 2015 07:23 AM

    We use the "dumb" SSID with a captive portal to 

    1. Onboard PEAP-MSCHAPv2 to 802.1X SSID

    or

    2. Register "dumb" device for mac auth

    The SSID also does MAC auth for registered devices.



  • 6.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    Posted Sep 17, 2015 09:02 AM

    Just spitballing here, but is there any product/configuration that would allow you to integrate those MAC addresses into the same database that your .1X devices authenticate off of?  Whereas .1X is used primarily via cert/credentials, a pre-registered device could match against an AD object associated with it, say.  

     

    Not sure if it's possible, but the thought occurred to me.



  • 7.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    EMPLOYEE
    Posted Sep 17, 2015 09:05 AM
    If the MAC address is referenced in AD or other external sources, sure! 


    Thanks, 
    Tim


  • 8.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    Posted Sep 17, 2015 09:47 AM
    I am new to ClearPass, so I am still feeling my way around the product. I am wondering why a rule couldn't be added to the enforcement policy to look at the mac address and then push the action to allow access if it is a match. If you have a lot of devices this would be ideal. For example the rule below:

    Conditions
    (Connection:Client-Mac-Address-Colon EQUALS xx:xx:xx:xx:xx:xx)

    Actions
    [Allow Access]

    Thanks,

    Darin T. Williams
    Network Engineer
    University of Nebraska Computing Services
    225 Nebraska Hall
    Lincoln, Nebraska 68588-0521
    email: dtwilliams@nebraska.edu
    phone: 402.472.5884 cell:402.570.8293



  • 9.  RE: SSID with Both MAC auth and 802.1x in ClearPass

    MVP
    Posted Sep 17, 2015 09:51 AM

    @darin-williams wrote:
    I am new to ClearPass, so I am still feeling my way around the product. I am wondering why a rule couldn't be added to the enforcement policy to look at the mac address and then push the action to allow access if it is a match. If you have a lot of devices this would be ideal. For example the rule below:

    Conditions
    (Connection:Client-Mac-Address-Colon EQUALS xx:xx:xx:xx:xx:xx)

    Actions
    [Allow Access]


    We are doing that with the registered mac addresses marked as Known and tagged with Username, etc. in the Endpoints database built in to ClearPass Policy Manager.
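
The decision flow the thread converges on (MAC auth on the "dumb" SSID against a registry of Known endpoints, with fail-through to a splash page) can be modelled as below. This is an added Python sketch, not ClearPass configuration or code from any poster; the registry contents, the `captive-portal` role name and the function names are assumptions made for illustration. It also generalises the single-address rule from post 8 to a lookup that accepts the common MAC notations.

```python
import re

# Constructed sample endpoint registry (not real devices). Keys are
# normalised MACs; "status" mirrors the Known/Unknown idea from the thread.
ENDPOINTS = {
    "00:11:22:33:44:55": {"status": "Known", "owner": "jdoe", "role": "Printer"},
    "66:77:88:99:aa:bb": {"status": "Unknown", "owner": None, "role": None},
}

PORTAL_ROLE = "captive-portal"  # hypothetical name for the fail-through role


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff form, or None if raw is not a 48-bit MAC."""
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_decision(raw_mac, endpoints=ENDPOINTS):
    """Decide the role for a MAC-auth request on the open/"dumb" SSID."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return ("deny", "malformed MAC")
    entry = endpoints.get(mac)
    if entry and entry["status"] == "Known" and entry["role"]:
        return (entry["role"], f"registered to {entry['owner']}")
    # Unregistered or not yet Known: fail through to the splash page.
    return (PORTAL_ROLE, "not registered")
```

Normalising before the lookup matters because the same address can arrive in colon, hyphen or dotted notation, and an exact string match on one notation would send a registered device to the portal.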