Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM auth scenario assistance

  • 1.  CPPM auth scenario assistance

    Posted Sep 09, 2014 06:28 PM

    Hopefully I'm just going about this in a wrong way and someone can readjust my understanding.

    I have CPPM running, set up with a service and all that entails, and running on a Brocade L2 switch.

    I have confirmed that 802.1x works beautifully as intended. Now I'm trying to simulate what would happen if a guest came to our network and plugged in. By default, a Windows laptop isn't going to have 802.1x enabled and configured. So I removed a laptop from the domain, disabled 802.1x, created a local account and plugged it in.

    On the Brocade switch I have the dot1x configuration set to restrict the VLAN on failure to a guest VLAN. Additionally, I have the ports set to dot1x port-control auto - by default, Brocade forces ports to be authorized. In this case, auto means not authorized until it completes the initial exchange with the auth server.

    I assumed that because it's not on the domain and not an AD account, when the laptop was plugged in, it'd simply fail the 802.1x auth because it's also not set up for it. And then at that point, the switch would "quarantine" it in the failure VLAN, which just grants internet access.

    The second issue is, I don't see -anything- in the monitoring on the CPPM server. I assume that's because my service is set up for 802.1x. So I read some threads on here and noted someone talking about creating a MAC-auth service with "allow all MACs"; if it doesn't recognize a MAC, send it to the guest VLAN. I set that service up but still no joy - not seeing any traffic through the monitoring service, and it's just dropping traffic on the switch instead of putting it in the failure VLAN.

    I'm having a hard time determining if this is a Brocade or CPPM issue at this point. Ultimately, the way I'd like things to work when I'm done is:

    1. Use 802.1x - match enforcement policy, get profile pushed. Done.

    2. Can't use 802.1x? Are you one of these vendor MAC addresses? Get matched, profile pushed. Done.

    3. Don't use 802.1x AND don't match a vendor MAC address we use? Get pushed the default guest profile, internet only. Done.

    Any help/suggestions would be appreciated!



  • 2.  RE: CPPM auth scenario assistance

    EMPLOYEE
    Posted Sep 09, 2014 08:59 PM
    Last I knew, Brocade does not support MAC fallback/bypass.


  • 3.  RE: CPPM auth scenario assistance

    Posted Sep 09, 2014 09:01 PM

    According to Brocade and Aruba, they should. I have the following configured on the switch:

    dot1x-enable
     re-authentication
     servertimeout 10
     timeout re-authperiod 10
     auth-fail-action restricted-vlan
     auth-fail-vlanid 901
     mac-session-aging no-aging permitted-mac-only
     enable all

    If you think it's a Brocade issue, I'll ask them again and verify. Perhaps it's the model I'm using? Or perhaps it requires additional configuration? I guess we'll see. If anyone has more thoughts or ideas, please let me know. I'll report back once I've talked to Brocade.



  • 4.  RE: CPPM auth scenario assistance

    Posted Sep 16, 2014 08:03 PM
    Still working with Brocade. I removed all settings, restarted devices, re-added settings and now I have it passing both MAC and 802.1x, which is nice. So one step forward. I can even get both to authenticate fine! Problem is, which is what you might have been referring to cappali, is that even when I get MAC authentication in the event of a device that doesn't use 802.1x, using the dot1x port-control auto functionality means the port is still unauthorized because it hasn't checked in with the 802.1x auth server. The port switches to the correct VLAN, but it won't pass traffic. Bah. I'll update when I know more.


  • 5.  RE: CPPM auth scenario assistance
    Best Answer

    Posted Sep 19, 2014 02:28 PM

    OK, figured it out. After opening up a ticket, I was sent a Foundry security configuration guide - why it's still called Foundry versus Brocade, I don't know. But I was unable to find similar material on their website via searches.

    Anyway, they wanted a VSA for a specific attribute passed by the RADIUS server. This required me to enable an old Foundry dictionary on ClearPass and configure the following in one of the enforcement profiles:

    Radius:Foundry    Foundry-MAC-Authent-needs-802.1x    =     0

    Once that was added and passed back to the switch on an accepted MAC auth, everything worked beautifully.
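As an added example (not code from the thread, ClearPass or Brocade), the Python below builds the Foundry VSA from the accepted answer in RADIUS wire form and then checks the attribute region of a captured Access-Accept for it, which is one way to verify from a packet capture that the enforcement profile really returns Foundry-MAC-Authent-needs-802.1x = 0. It assumes the Foundry enterprise number 1991 and vendor-type 6 for that attribute (as in the FreeRADIUS Foundry dictionary); confirm both against the dictionary loaded in ClearPass.

```python
import struct

FOUNDRY_VENDOR_ID = 1991            # IANA enterprise number for Foundry Networks
FOUNDRY_MAC_AUTH_NEEDS_8021X = 6    # assumed vendor-type (FreeRADIUS dictionary.foundry); verify in ClearPass
RADIUS_VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
TUNNEL_PRIVATE_GROUP_ID = 81        # RFC 2868, carries the VLAN id


def encode_foundry_vsa(vendor_type: int, value: int) -> bytes:
    """Build one Vendor-Specific AVP carrying a 32-bit Foundry integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)      # vendor-type, vendor-length (6), value
    body = struct.pack("!I", FOUNDRY_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_avps(payload: bytes):
    """Yield (type, value) for each AVP in a RADIUS attribute region; stop on a bad length."""
    i = 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            break                                          # malformed: never read past the buffer
        yield t, payload[i + 2:i + length]
        i += length


def foundry_vsas(payload: bytes) -> dict:
    """Return {vendor_type: int_value} for every Foundry integer VSA found in the attributes."""
    found = {}
    for t, v in iter_avps(payload):
        if t != RADIUS_VENDOR_SPECIFIC or len(v) < 4 or struct.unpack("!I", v[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(v):
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                break
            if vl == 6:                                    # integer sub-attribute
                found[vt] = struct.unpack("!I", v[j + 2:j + 6])[0]
            j += vl
    return found


def mac_auth_alone_authorizes(payload: bytes) -> bool:
    """True only if the Accept explicitly tells the switch that MAC auth does not also need 802.1X."""
    return foundry_vsas(payload).get(FOUNDRY_MAC_AUTH_NEEDS_8021X) == 0


# Constructed sample attribute region: Tunnel-Private-Group-ID "901" (the thread's restricted VLAN,
# tag byte 0) followed by the Foundry VSA the accepted answer describes.
SAMPLE_ACCEPT_ATTRS = (bytes([TUNNEL_PRIVATE_GROUP_ID, 6, 0]) + b"901"
                       + encode_foundry_vsa(FOUNDRY_MAC_AUTH_NEEDS_8021X, 0))
```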