Frequent Contributor I

802.1x and profiling port 2920 and Clearpass

Hi!

I'm setting up 802.1x for employees and mac-auth for profiling and guest access on wired ports on an Aruba 2920 switch with ClearPass.

Been using "Wired Policy Enforcement solution guide", excellent guide btw.

I've set up a service for mac auth (allow all mac) and a service for 802.1x.

It's working fine in practice from what I can see in my lab right now. But I'm a bit worried since I'm seeing some mac-auths hitting the mac-auth service alongside the 802.1x service at almost the same time for my 802.1x configured client.

I've tried changing quiet-period for mac auth on the port, but it makes no difference.

Is this normal? It doesn't seem to affect the client, it stays on the employee network all the time. mac-auth does send out captive portal for the client since it doesn't fit any guest roles in the mac service, but the correct 802.1x VLAN seems to stay the same on the switch regardless. But I want to be sure before going forward with deployment.

Oh, and I'm not using user-roles right now, I'm using dynamically assigned VLANs (via RADIUS responses).


ACMP | ACCP
Frequent Contributor I

Re: 802.1x and profiling port 2920 and Clearpass

Bump.

Anyone know if this is expected behavior?

As I said, for every client auth time I get both mac and 802.1x roughly at the same time:

(Attached screenshot: 8021port.PNG)

Just want to make sure it is the way it's supposed to work in this case.


ACMP | ACCP
Guru Elite

Re: 802.1x and profiling port 2920 and Clearpass

Yes, that is the switch behavior at this time.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
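
An added example, not part of the original thread and not Aruba or ClearPass tooling: a small Python check that pairs MAC-auth and 802.1X requests per client MAC, so clients that only ever hit the MAC-auth service stand out from the expected paired requests. The CSV layout, service labels and records are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the column names and service labels are
# assumptions for this example, not a ClearPass export format.
SAMPLE = """timestamp,mac,service,result
2024-01-15 08:00:01,aabbcc000001,mac-auth,ACCEPT
2024-01-15 08:00:02,aabbcc000001,dot1x,ACCEPT
2024-01-15 08:05:10,aabbcc000002,mac-auth,ACCEPT
2024-01-15 08:07:30,aabbcc000003,mac-auth,ACCEPT
2024-01-15 08:07:31,aabbcc000003,dot1x,REJECT
2024-01-15 09:00:00,aabbcc000001,dot1x,ACCEPT
2024-01-15 09:00:00,aabbcc000001,mac-auth,ACCEPT
"""

def load(text):
    """Parse records into {mac: [(time, service, result), ...]}."""
    by_mac = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        by_mac[row["mac"].lower()].append((ts, row["service"], row["result"]))
    return by_mac

def classify(text, window_s=5):
    """Label each MAC by how its MAC-auth requests pair with 802.1X ones."""
    window = timedelta(seconds=window_s)
    report = {}
    for mac, events in load(text).items():
        dot1x = [(t, r) for t, s, r in events if s == "dot1x"]
        labels = set()
        for t, s, _ in events:
            if s != "mac-auth":
                continue
            near = [r for dt, r in dot1x if abs(dt - t) <= window]
            if not near:
                labels.add("mac-auth only")
            elif "ACCEPT" in near:
                labels.add("paired, 802.1X accepted")
            else:
                labels.add("paired, 802.1X rejected")
        report[mac] = sorted(labels)
    return report

if __name__ == "__main__":
    for mac, labels in classify(SAMPLE).items():
        print(mac, labels)
```
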
Frequent Contributor I

Re: 802.1x and profiling port 2920 and Clearpass

OK, thank you for the clarification. So I assume this won't affect the client because 802.1x auth always has higher priority on the switch than mac?

So the only downside is a bit more traffic.


ACMP | ACCP
Guru Elite

Re: 802.1x and profiling port 2920 and Clearpass

Correct

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: 802.1x and profiling port 2920 and Clearpass

OK, thank you so much for the answers.


ACMP | ACCP
Frequent Contributor I

Re: 802.1x and profiling port 2920 and Clearpass

I've got a question on this. I wonder if Aruba/HPE are planning to introduce something similar to the authentication order/authentication priority Cisco commands.

Regards,

Kevin

Guru Elite

Re: 802.1x and profiling port 2920 and Clearpass

Please speak with your Aruba account team. Roadmap cannot be discussed in a public forum.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: 802.1x and profiling port 2920 and Clearpass

Will do. Thanks!
