Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy order for dot1x and Mac authentication

  • 1.  ClearPass Policy order for dot1x and Mac authentication

    Posted Sep 22, 2020 02:28 AM

    Hello,

     

    Is there any order we need to follow for dot1x and MAC authentication? Sometimes, some machines which are in the domain connected with MAC authentication even though they were enabled for dot1x authentication. We are using Juniper EX switches. Here is the policy order we have:

     

    1. Mac authentication - Juniper (Authentication Method: EAP-MD5, Source: Endpoint repository)


     

    2. Juniper_web_authentication for Guests

    3. Dot1x service for wired endpoints - Juniper


     

    4. OnGuard Wired Posture Policy

     

    Thanks in advance.

     

    Yugandhar.



  • 2.  RE: ClearPass Policy order for dot1x and Mac authentication
    Best Answer

    EMPLOYEE
    Posted Sep 22, 2020 03:48 AM

    The order looks good to me. In fact, only the MAC authentication service (1) needs to be before the 802.1X service (3), which you have done correctly.

     

    ClearPass will start top-down through the Services, and first tries to match on the type of authentication RADIUS/WebAuth/TACACS/App. So the Guest and OnGuard will not interfere with the RADIUS services, regardless of what order you select. The MAC Authentication needs to be before 802.1X as these are both RADIUS and from the same devices. By checking if the username matches the MAC address, you can catch those requests in the right service. If you have the 802.1X first in the list, all requests would go there.
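
The top-down, first-match selection described in the answer above, as an added example that is not part of the original thread and is not ClearPass code. It is a simplified Python model: the rule predicates, the WebAuth type given to the Guest and OnGuard services, and the sample requests are constructed assumptions.

```python
import re

def norm_mac(value):
    """Return 12 lowercase hex digits for a MAC in any common notation, else None."""
    if not value or not re.fullmatch(r"[0-9A-Fa-f:.\-]+", value):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    return digits if len(digits) == 12 else None

def is_mac_auth(req):
    # Rule from the answer: the username matches the client's MAC address.
    user = norm_mac(req.get("User-Name"))
    return user is not None and user == norm_mac(req.get("Calling-Station-Id"))

def any_request(req):
    return True

# (service name, request type, extra rule). Names are taken from the thread;
# the types and rules are assumptions made for this model.
GOOD_ORDER = [
    ("MAC authentication - Juniper", "RADIUS", is_mac_auth),
    ("Juniper_web_authentication for Guests", "WebAuth", any_request),
    ("Dot1x service for wired endpoints - Juniper", "RADIUS", any_request),
    ("OnGuard Wired Posture Policy", "WebAuth", any_request),
]
# Same services with 802.1X moved ahead of MAC authentication.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[3]]

def select_service(services, req):
    """Walk the list top-down; the first service whose type and rule match wins."""
    for name, req_type, rule in services:
        if req["type"] == req_type and rule(req):
            return name
    return None

# Constructed sample requests (not captured traffic).
MAC_REQ = {"type": "RADIUS", "User-Name": "001122aabbcc",
           "Calling-Station-Id": "00-11-22-AA-BB-CC"}
DOT1X_REQ = {"type": "RADIUS", "User-Name": "host/pc01.example.com",
             "Calling-Station-Id": "00-11-22-AA-BB-DD"}

if __name__ == "__main__":
    for label, order in (("MAC first", GOOD_ORDER), ("802.1X first", BAD_ORDER)):
        for req in (MAC_REQ, DOT1X_REQ):
            print(f"{label:13} {req['User-Name']:24} -> {select_service(order, req)}")
```

With 802.1X listed first, the MAC authentication request never reaches the MAC authentication service, while the Guest and OnGuard entries have no effect on either RADIUS request in any position.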



  • 3.  RE: ClearPass Policy order for dot1x and Mac authentication

    Posted Sep 22, 2020 09:42 AM
    Have you enabled authentication-order in the Juniper switch?



  • 4.  RE: ClearPass Policy order for dot1x and Mac authentication

    Posted Sep 22, 2020 09:47 AM
    Here is the config in Juniper switch:


    set access profile Clearpass-profile authentication-order radius

    Thanks,
    Yugandhar



  • 5.  RE: ClearPass Policy order for dot1x and Mac authentication

    Posted Sep 22, 2020 10:36 AM
    You can define the order in which the authentication will happen: first 802.1X and then MAC auth if the switch doesn't receive the EAPOL frame.

    authentication-order [dot1x | mac-radius]
