Occasional Contributor II

Clearpass with Cisco switches MAB auth

Hi all,

 

I have a possible client which has a mixed Cisco - HPE switch infrastructure.

 

I got 3 Cisco switches from the client and all Cisco switches fail with Clearpass MAC authentication.

 

Clearpass throws a 209 error:

Error Code: 209
Error Category: Authentication failure
Error Message: No password in request
Alerts for this Request:
RADIUSMAC_AUTH: No password in request. Not attempting MAC authentication
Cannot select appropriate authentication method

Cisco 3750X configuration

Switch#show running-config
Building configuration...

Current configuration : 4281 bytes
!
! Last configuration change at 12:01:50 UTC Fri Feb 23 2018 by admin
! NVRAM config last updated at 10:06:05 UTC Fri Feb 23 2018 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ykzb$3mQhJsjo/dCTptF5AN5j40
!
username admin privilege 15 password 0 admin
!
!
aaa new-model
!
!
aaa authentication login testas local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
switch 2 provision ws-c3750x-24
system mtu routing 1500
!
!
ip domain-lookup source-interface Vlan177
ip name-server 8.8.8.8
!
!
crypto pki trustpoint TP-self-signed-4086047360
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4086047360
 revocation-check none
 rsakeypair TP-self-signed-4086047360
!
!
crypto pki certificate chain TP-self-signed-4086047360
 certificate self-signed 01

  quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet2/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet2/0/2
 switchport mode access
 authentication port-control auto
 mab eap
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan177
 ip address 192.168.77.94 255.255.255.0
!
ip default-gateway 192.168.77.1
ip classless
ip http server
ip http secure-server
!
snmp-server community testas RW
radius-server host 192.168.77.80 auth-port 1812 acct-port 1813 key testas
!
!
line con 0
line vty 0 4
 login authentication testas
 transport input telnet
 transport output telnet
line vty 5 15
!
ntp clock-period 36027705
ntp server 91.207.136.55
end

 

Clearpass configuration

 

 

Maybe anyone has some ideas how to resolve this? Maybe my Cisco switch configuration is bad, or the Clearpass configuration needs some additional configuration?

Maybe MAB request format should be changed?

 

Please help, it's possibly a large deal for me :)

 

 

If someone has any ideas, I can add the full Clearpass configuration.
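
An added example, not part of the original thread: a Python check that reads an IOS config like the one posted above and classifies each port by how it would authenticate a MAC address. On IOS, plain `mab` sends the MAC as a PAP User-Password, while `mab eap` sends it as EAP-MD5, so the RADIUS request carries no User-Password attribute. The function names and result labels are this example's own.

```python
import re

# Constructed sample: port stanzas in the form of the 3750X config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet2/0/2
 switchport mode access
 authentication port-control auto
 mab eap
!
interface GigabitEthernet2/0/3
!
"""

def parse_interfaces(config):
    """Map interface name -> sub-commands; stanzas end at '!' (indentation not needed)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line:
            continue                      # tolerate blank lines from a pasted config
        if line == "!":
            current = None
        elif (m := re.fullmatch(r"interface (\S+)", line)):
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return interfaces

def mab_mode(cmds):
    """Classify one port by the authentication methods it enables."""
    if "authentication port-control auto" not in cmds:
        return "unauthenticated"          # port does not enforce authentication
    if "mab eap" in cmds:
        return "mab-eap-md5"              # MAC sent as EAP-MD5, no User-Password
    if "mab" in cmds:
        return "mab-pap"                  # MAC sent as PAP User-Password
    return "dot1x-only" if "dot1x pae authenticator" in cmds else "no-method"

def audit(config):
    """Return {interface: classification} for every interface stanza."""
    return {name: mab_mode(cmds) for name, cmds in parse_interfaces(config).items()}
```

Calling `audit()` on the full pasted configuration works the same way, since global lines outside an interface stanza are ignored.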

 

Guru Elite

Re: Clearpass with Cisco switches MAB auth

http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: Clearpass with Cisco switches MAB auth

Please try the Clearpass Wired Policy Enforcement document here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=28803

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Clearpass with Cisco switches MAB auth

Thank you, this doc solved my problems :)
