Occasional Contributor II

Always MAC authentication before 802.1X authentication in Clearpass

Hello

 

I am using a 2930 Aruba switch and I enabled mac-auth and 802.1x authentication on all the edge ports. I need both methods for laptops/phones/printers,...

I configured a laptop to use 802.1x authentication and connected it on a port in the switch.

 

In ClearPass I can see that the 802.1x auth was successful, so no problems there, but it always tries to do mac-authentication as well, even when the 802.1X auth was successful?

Is this normal behavior?

 

So technically, if I would make a service for mac-auth and that same laptop would match that service too, it can overrule my 802.1x service?

 

So my question is, should I add something in the switch config or ClearPass config to allow only 1 authentication when 1 was already successful?

 

Thanks

Guru Elite

Re: Always MAC authentication before 802.1X authentication in Clearpass

Before I attempt to answer, have you seen the ClearPass Wired Policy Enforcement Guide here?  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=28803

 

It explains "Colorless Ports", where you do multiple authentications on a single port and how to process them.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Always MAC authentication before 802.1X authentication in Clearpass

Hello

 

Thanks for the quick reply!

Yes, I already read this document.

But it is still not clear to me if what I am seeing in ClearPass is normal behavior?

I guess it is? I did not find a way yet to prevent it (the double authentication).

 

I would really appreciate your thoughts and input, thanks!

 

 

Guru Elite

Re: Always MAC authentication before 802.1X authentication in Clearpass

What is your configuration on the specific port?  I am assuming that you want to do 802.1x for wired devices and then mac authentication for devices that cannot do 802.1x?


Occasional Contributor II

Re: Always MAC authentication before 802.1X authentication in Clearpass

Yes correct!

Here is my switch config (192.168.1.1 is ClearPass):

 

radius-server host 192.168.1.1 encrypted-key xxxxxxxxxxxxxxxxxxxxxxxx
radius-server host 192.168.1.1 dyn-authorization
radius-server host 192.168.1.1 time-window 0

 

aaa authentication port-access eap-radius
aaa port-access authenticator 1/1-1/48
aaa port-access authenticator 1/1-1/48 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 1/1-1/48
aaa port-access mac-based 1/1-1/48 unauth-vid 1

Guru Elite

Re: Always MAC authentication before 802.1X authentication in Clearpass

This is switch behavior and it is not currently possible to change the authentication order. The result of the 802.1X authentication will always take precedence over the MAC Auth though.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Always MAC authentication before 802.1X authentication in Clearpass

Thanks Cappalli

 

So even when the Mac-auth is after the 802.1x auth?

The 802.1x auth will have precedence correct?

Guru Elite

Re: Always MAC authentication before 802.1X authentication in Clearpass

yes

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: Always MAC authentication before 802.1X authentication in Clearpass

 

With how the switch does 802.1X+MAC auth currently, we always get flooded with 'faulty' MAC REJECTS, that are most often 802.1X ACCEPTS.

 

This is very confusing to customers and makes certain reporting pretty useless.

 

Is there any push to get this behaviour changed (fixed imho)?

 

 

 


Koen (ACMX #351 | ACDX #547 | ACCP)

Occasional Contributor II

Re: Always MAC authentication before 802.1X authentication in Clearpass

I too would like to know. Kind of annoying to see an Access Reject on the MAC address of the device, when in fact it authenticated successfully via 802.1x.
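
Added example, not part of any post in this thread and not ClearPass or switch code: one way to keep the 'faulty' MAC-auth rejects described above out of a report is to correlate each reject with an 802.1X accept for the same client MAC and port, whichever of the two arrived first. The record fields, the 30-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real ClearPass output); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2019-05-02T08:00:01", "mac": "aa-bb-cc-00-00-01", "port": "1/5", "method": "mac-auth", "result": "REJECT"},
    {"ts": "2019-05-02T08:00:04", "mac": "AABB.CC00.0001", "port": "1/5", "method": "802.1X", "result": "ACCEPT"},
    {"ts": "2019-05-02T08:10:00", "mac": "aa:bb:cc:00:00:02", "port": "1/7", "method": "mac-auth", "result": "REJECT"},
    {"ts": "2019-05-02T08:12:00", "mac": "aa:bb:cc:00:00:03", "port": "1/9", "method": "mac-auth", "result": "ACCEPT"},
    {"ts": "2019-05-02T09:00:00", "mac": "aa:bb:cc:00:00:01", "port": "1/5", "method": "mac-auth", "result": "REJECT"},
]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_rejects(events, window=timedelta(seconds=30)):
    """Split MAC-auth rejects into 'shadowed' (an 802.1X accept exists for the
    same MAC and port within the window, before or after) and 'genuine'."""
    accepts = {}
    for e in events:
        if e["method"] == "802.1X" and e["result"] == "ACCEPT":
            key = (normalize_mac(e["mac"]), e["port"])
            accepts.setdefault(key, []).append(datetime.fromisoformat(e["ts"]))

    shadowed, genuine = [], []
    for e in events:
        if e["method"] != "mac-auth" or e["result"] != "REJECT":
            continue
        key = (normalize_mac(e["mac"]), e["port"])
        ts = datetime.fromisoformat(e["ts"])
        # abs(): the MAC-auth request may be logged before or after the 802.1X one.
        hit = any(abs(ts - a) <= window for a in accepts.get(key, []))
        (shadowed if hit else genuine).append(e)
    return shadowed, genuine


if __name__ == "__main__":
    shadowed, genuine = classify_rejects(SAMPLE_EVENTS)
    print("rejects shadowed by an 802.1X accept:", [e["ts"] for e in shadowed])
    print("rejects that still need attention:", [e["ts"] for e in genuine])
```

The later reject for the same laptop MAC stays in the genuine list because no 802.1X accept is near it, which is the case a report should still surface.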
