Occasional Contributor II

Clearpass - Known endpoint - multiple MAC authentication sources

Hi all, hoping you can assist! (running latest 6.8.1 service pack)

 

I've added an additional SQL database as an authentication source (contains MAC addresses amongst other attributes). What I'm finding is if I use this in a service with endpoint repository authentication source also configured, I am unable to authenticate the device when using in a MAC auth service.

 

If I use the authentication source on its own in a service (can be the exact same service or copy service) the authentication/authorization succeeds and there is no error in the access tracker!

 

After some troubleshooting, it turns out this is down to the known flag for the endpoint.

If known endpoint the service rejects, if unknown endpoint the service authorizes correctly.

 

Could someone explain this behaviour?


When authenticating devices with 802.1x we are setting the known flag - I suppose we could not bother doing this, but it would be helpful to understand pros & cons.

 

Thanks in advance!

Regular Contributor I

Re: Clearpass - Known endpoint - multiple MAC authentication sources

Are you using any service rules on the service that may prevent the request from hitting the service?



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Occasional Contributor II

Re: Clearpass - Known endpoint - multiple MAC authentication sources


@Fabian Klaring wrote:

Are you using any service rules on the service that may prevent the request from hitting the service?


Thanks for responding, nothing special, just out of the box:

CPPM-MAC-ServiceRules.jpg

and not forgetting that changing the known and unknown flags for the endpoint changes the behaviour.

Occasional Contributor II

Re: Clearpass - Known endpoint - multiple MAC authentication sources

Anyone any further thoughts on this one?  The difference between known and unknown endpoints basically?

(Updated to 6.8.2 with same result)

Aruba Employee

Re: Clearpass - Known endpoint - multiple MAC authentication sources

Are you using the default [Mac Auth] method?

 

Go to Authentication > Methods. Click on the one you are using and check whether "Allow Unknown endhosts" is enabled or disabled.

Occasional Contributor II

Re: Clearpass - Known endpoint - multiple MAC authentication sources

Thanks for the prompt reply,

Am using the "Allow All MAC Auth" as this one has allow unknown endpoints ticked. 

(you are correct, the default Mac Auth doesn't have unknown endpoints ticked, but not using that one).

 

Aruba Employee

Re: Clearpass - Known endpoint - multiple MAC authentication sources

There is something else at play here. If you are using Allow All MAC Auth, only use Endpoint Repository as Authentication Source and use your external DB for Authorization only.

You can paste screenshots of your service or simply call support to fix it.

Occasional Contributor II

Re: Clearpass - Known endpoint - multiple MAC authentication sources

Thanks for the reply, yes just leaving the default endpoints repository as the authentication source and adding the external DB to authorization sources does the trick!
