Always MAC authentication before 802.1X authentication in Clearpass

  • 1.  Always MAC authentication before 802.1X authentication in Clearpass

    Posted Aug 23, 2018 05:37 AM

    Hello

    I am using a 2930 Aruba switch and I enabled mac-auth and 802.1X authentication on all the edge ports. I need both methods for laptops/phones/printers, ...

    I configured a laptop to use 802.1X authentication and connected it on a port in the switch.

    In ClearPass I can see that the 802.1X auth was successful, so no problems there, but it always tries to do mac-authentication as well, even when the 802.1X auth was successful?

    Is this normal behavior?

    So technically, if I would make a service for mac-auth and that same laptop would match that service too, it can overrule my 802.1X service?

    So my question is, should I add something in the switch config or ClearPass config to allow only 1 authentication when 1 was already successful?

    Thanks



  • 2.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    EMPLOYEE
    Posted Aug 23, 2018 05:46 AM

    Before I attempt to answer, have you seen the ClearPass Wired Policy Enforcement Guide here?  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=28803

     

    It explains "Colorless Ports", where you do multiple authentications on a single port and how to process them.



  • 3.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    Posted Aug 23, 2018 06:01 AM

    Hello

    Thanks for the quick reply!

    Yes, I already read this document.

    But it is still not clear to me if what I am seeing in ClearPass is normal behavior?

    I guess it is? I did not find a way yet to prevent it (the double authentication).

    I would really appreciate your thoughts and input, thanks!



  • 4.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    EMPLOYEE
    Posted Aug 23, 2018 06:04 AM

    What is your configuration on the specific port?  I am assuming that you want to do 802.1x for wired devices and then mac authentication for devices that cannot do 802.1x?



  • 5.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    Posted Aug 23, 2018 06:09 AM

    Yes, correct!

    Here is my switch config (192.168.1.1 is ClearPass):

    radius-server host 192.168.1.1 encrypted-key xxxxxxxxxxxxxxxxxxxxxxxx
    radius-server host 192.168.1.1 dyn-authorization
    radius-server host 192.168.1.1 time-window 0

    aaa authentication port-access eap-radius
    aaa port-access authenticator 1/1-1/48
    aaa port-access authenticator 1/1-1/48 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 1/1-1/48
    aaa port-access mac-based 1/1-1/48 unauth-vid 1



  • 6.  RE: Always MAC authentication before 802.1X authentication in Clearpass
    Best Answer

    EMPLOYEE
    Posted Aug 23, 2018 11:17 AM

    This is switch behavior and it is not currently possible to change the authentication order. The result of the 802.1X authentication will always take precedence over the MAC Auth though.



  • 7.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    Posted Aug 24, 2018 03:39 AM

    Thanks Cappalli

     

    So even when the Mac-auth is after the 802.1x auth?

    The 802.1x auth will have precedence correct?



  • 8.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    EMPLOYEE
    Posted Aug 24, 2018 09:11 AM
    yes


  • 9.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    MVP
    Posted Sep 10, 2018 09:38 AM

    With how the switch does 802.1X+MAC auth currently, we always get flooded with 'faulty' MAC REJECTS that are most often 802.1X ACCEPTS.

    This is very confusing to customers and makes certain reporting pretty useless.

    Is there any push to get this behaviour changed (fixed imho)?



  • 10.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    Posted Feb 27, 2019 11:09 AM

    I too would like to know. Kind of annoying to see an Access Reject on the MAC address of the device, when in fact it authenticated successfully via 802.1X.
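    Until the switch itself can be told to skip MAC auth after a successful 802.1X (see the later posts about the 16.08 auth-order feature), the reporting noise the last two posts describe can be filtered on the reporting side: a MAC-auth Access-Reject for a MAC that just passed 802.1X on the same port is expected switch behaviour, not a failed device. The Python below is an added example written for this thread, not code from the thread, from HPE Aruba or from ClearPass. The pipe-delimited record format, the ports, MAC addresses and timestamps are all constructed here; the real Access Tracker export format is not assumed, and the 60-second pairing window is an assumption that should be set above the switch's 802.1X supplicant timeout.

```python
from datetime import datetime, timedelta

# Constructed sample of authentication requests as a RADIUS server might log
# them: timestamp|switch port|Calling-Station-Id|method|result.
# Ports, MACs and times are made up; ClearPass's own export format is not assumed.
SAMPLE_LOG = """\
2018-08-23T05:30:00|1/7|00-11-22-33-44-55|802.1X|ACCEPT
2018-08-23T05:30:01|1/7|001122334455|MAC|REJECT
2018-08-23T05:31:00|1/9|aa:bb:cc:dd:ee:ff|MAC|REJECT
2018-08-23T05:32:00|1/12|66:77:88:99:aa:bb|MAC|ACCEPT
2018-08-23T06:00:00|1/7|00:11:22:33:44:55|MAC|REJECT
"""


def normalize_mac(mac):
    """Canonicalise the MAC spellings RADIUS clients send (colon, dash, bare hex)."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_log(text):
    """Parse the constructed pipe-delimited lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, mac, method, result = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "port": port,
            "mac": normalize_mac(mac),
            "method": method,
            "result": result,
        })
    return records


def classify_mac_rejects(records, window=timedelta(seconds=60)):
    """Split MAC-auth REJECTs into those explained by a successful 802.1X for the
    same MAC on the same port within `window` (switch-induced noise) and those
    that are not. Returns (expected, genuine); only `genuine` deserves a report line.
    """
    dot1x_ok = [r for r in records if r["method"] == "802.1X" and r["result"] == "ACCEPT"]
    expected, genuine = [], []
    for r in records:
        if r["method"] != "MAC" or r["result"] != "REJECT":
            continue
        paired = any(
            a["mac"] == r["mac"] and a["port"] == r["port"] and abs(a["ts"] - r["ts"]) <= window
            for a in dot1x_ok
        )
        (expected if paired else genuine).append(r)
    return expected, genuine


if __name__ == "__main__":
    expected, genuine = classify_mac_rejects(parse_log(SAMPLE_LOG))
    print(f"{len(expected)} MAC reject(s) explained by a 802.1X accept on the same port")
    for r in genuine:
        print(f"investigate: {r['ts']} port {r['port']} mac {r['mac']}")
```

    Pairing on port as well as MAC matters: the same MAC rejected on a different port, or long after the 802.1X accept (the last sample line), is still reported, so a spoofed or moved address does not hide behind an earlier legitimate login. This filter only tidies reporting; the switch still sends both requests, so the MAC-auth service itself must still be scoped so that an 802.1X-capable laptop cannot obtain access through it.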



  • 11.  RE: Always MAC authentication before 802.1X authentication in Clearpass
    Best Answer

    EMPLOYEE
    Posted Mar 28, 2019 11:21 AM

    Just wanted to point out to anyone reading this thread that we added a feature in Aruba OS Switch release 16.08 to address this.

     

    Configurable order and priority of authentication methods

    Customers will now be able to precisely control the order in which different authentication methods are attempted and also assign priorities to the methods to have granular control of the authentication process. For more information, see the Access Security Guide.



  • 12.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    MVP
    Posted Mar 28, 2019 11:42 AM

    Yup, already tested that.. finally no more MAC spam :D



  • 13.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    MVP
    Posted Mar 29, 2019 07:47 AM

    Apparently this command was not added to 2920 switches?

     

    2920 access security guide v16.08 does not mention it and also the switch itself does not recognize the command :(



  • 14.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    MVP GURU
    Posted Mar 29, 2019 11:24 AM

    @koen wrote:

    Apparently this command was not added to 2920 switches?

     

    2920 access security guide v16.08 does not mention it and also the switch itself does not recognize the command :(


    Yes from ArubaOS‐Switch Software Feature Support Matrix 16.08, it is not available on 2920...



  • 15.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    Posted Aug 06, 2019 07:01 AM

    I've tried testing this setting, however I am seeing an (approx.) 60 sec delay when using mac auth.  Anyone else seen this?

    I'm testing with the same machine, simply using the 802.1X supplicant (auth happens straight away) and then disabling 802.1X to use mac (auth happens after 60 secs).

    Using command:

    "aaa port-access <port> auth-order authenticator mac-based"

    As soon as I remove this order from the port, both mac & 802.1X happen straight away!

    Thanks in advance!



  • 16.  RE: Always MAC authentication before 802.1X authentication in Clearpass

    EMPLOYEE
    Posted Feb 26, 2020 07:20 AM

    You should also reduce the time the switch waits for an 802.1X answer (default 30 sec.):

    aaa port-access authenticator 2-4 supplicant-timeout 5  (now 5 sec.)