Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass MAB authentication with Cisco Phone

  • 1.  Clearpass MAB authentication with Cisco Phone

    Posted Aug 06, 2020 09:22 AM

    Hello

     

    We have recently implemented ClearPass in our environment and are facing some issues with endpoint authentication.

    Here is my port configuration which applies to all access ports connecting to domain PCs and Cisco phones:

    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 15
    dot1x max-req 3
    dot1x max-reauth-req 3
    spanning-tree portfast

    And the issues we are facing are: 1. All my Cisco phones are sending the authentication request to ClearPass multiple times a day, and during the reauthentication some random phone gets a REJECT and ends up registering on the voice gateway instead of Call Manager; after a few seconds, when the same phone sends the auth request again, it gets an ACCEPT and registers normally on CUCM.

    Now I'm not sure if I'm missing any command on the switch port, or whether I need to configure something for the phones on Call Manager so that the phones don't send any re-auth request until something is changed on the switch port?

     

    2. All my PCs, even though they are configured for dot1x, send out the MAC auth request first and get a REJECT, and right after that they get an ACCEPT on dot1x. Again, is there any command missing on the switch port, and why do the PCs also send the auth request multiple times a day?

     

    I have an open support case with Aruba TAC, and they looked at the ClearPass configuration and don't see anything wrong with it. Also, according to TAC, the endpoint shouldn't send the auth request again and again until something changes on the port, i.e. a reboot of the endpoint, connect/disconnect, etc.

     

    And Cisco TAC is saying the same: the configuration looks good, nothing is wrong with the ports on the switch, and they don't see anything in the logs.

     

    Can someone please advise what I should be doing here to resolve this issue, or whether someone else has faced a similar issue and had a fix for it?

     

     

    Thanks



  • 2.  RE: Clearpass MAB authentication with Cisco Phone

    EMPLOYEE
    Posted Aug 10, 2020 04:15 AM

    There is not enough information in your post. Are the phones configured for 802.1X authentication or are they using MACAuth? If you see a REJECT, what is the reason that ClearPass sends a REJECT (the answer is in Access Tracker)?

     

    Also, important to realize in the case of MAC Authentication that it is not the device (phone/PC) that is sending the authentication request, but the switch. The switch will do this when it sees a MAC address on the port that has not been authenticated yet (or expired).

     

    With 'authentication order dot1x mab', I would expect that the switch would first try 802.1X for 3 times 15 seconds, and when there is no response it will do a MAC authentication. It could be that if computers are in sleep mode or booting up, they have sent out traffic already before the 802.1X supplicant starts up. If that takes longer than these 45 seconds, the PC will be MAC authenticated.

     

    If you have the Aruba support case still open, ask them to troubleshoot the REJECTs and the actual connection issues that you have, instead of just looking at the configuration.
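The fallback arithmetic in the reply above (tx-period times max-reauth-req before MAB is tried) and the REJECT-then-ACCEPT pattern the original post describes, as an added Python example that is not from either post: it reads the relevant timers out of the interface configuration and correlates constructed Access Tracker-style events per MAC to separate slow-supplicant PCs from transiently rejected phones. The log line format and the IOS default timer values are assumptions.

```python
import re
from datetime import datetime
# Cisco IOS defaults assumed where the port config leaves a value unset (assumption)
DEFAULTS = {"tx_period": 30, "max_reauth_req": 2, "order": ["dot1x"]}

def parse_port(config: str) -> dict:
    """Pull the timers and method order that govern 802.1X -> MAB fallback."""
    cfg = dict(DEFAULTS)
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"dot1x timeout tx-period (\d+)$", line):
            cfg["tx_period"] = int(m.group(1))
        elif m := re.match(r"dot1x max-reauth-req (\d+)$", line):
            cfg["max_reauth_req"] = int(m.group(1))
        elif m := re.match(r"authentication order (.+)$", line):
            cfg["order"] = m.group(1).split()
    return cfg

def mab_fallback_seconds(cfg: dict):
    """Silent-endpoint wait before MAB runs, using the reply's estimate
    (max-reauth-req retries x tx-period); None when MAB is not in the order."""
    if "mab" not in cfg["order"]:
        return None
    return cfg["tx_period"] * cfg["max_reauth_req"]

# Constructed Access Tracker-style lines: "date time mac method result"
SAMPLE_LOG = [
    "2020-08-06 09:00:00 00:11:22:33:44:55 MAB REJECT",    # PC seen before supplicant
    "2020-08-06 09:00:02 00:11:22:33:44:55 802.1X ACCEPT",
    "2020-08-06 09:05:00 aa:bb:cc:dd:ee:ff MAB REJECT",    # phone: transient reject
    "2020-08-06 09:05:30 aa:bb:cc:dd:ee:ff MAB ACCEPT",
    "2020-08-06 09:10:00 aa:bb:cc:dd:ee:01 MAB ACCEPT",    # healthy phone
]
LOG_RE = re.compile(r"(\S+ \S+) (\S+) (MAB|802\.1X) (ACCEPT|REJECT)$")

def flag_flapping(lines, window=120):
    """Per MAC, report a REJECT followed by an ACCEPT within `window` seconds,
    classed as slow-supplicant (MAB reject, then 802.1X accept) or transient-reject."""
    events = {}
    for line in lines:
        ts, mac, method, result = LOG_RE.match(line).groups()
        events.setdefault(mac, []).append((datetime.fromisoformat(ts), method, result))
    findings = []
    for mac, evs in events.items():
        evs.sort()
        for (t1, m1, r1), (t2, m2, r2) in zip(evs, evs[1:]):
            gap = int((t2 - t1).total_seconds())
            if r1 == "REJECT" and r2 == "ACCEPT" and gap <= window:
                kind = "slow-supplicant" if (m1, m2) == ("MAB", "802.1X") else "transient-reject"
                findings.append((mac, kind, m1, m2, gap))
    return findings
```

A transient-reject finding still needs the REJECT reason from Access Tracker, as the reply says; the correlation only tells you which MACs to look up.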