Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

  • 1.  Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

    Posted Nov 08, 2019 05:15 AM

    I’m trying to configure 802.1X machine+user authentication in a wired Cisco network. I’m using ClearPass Policy Manager 6.8.3.110034.

    In my 802.1X service I want an Endpoint attribute to be set to true after a machine is authenticated successfully.

    [image: enforcementTab.png]

    [image: boolAttribute.png]

    When a user then tries to authenticate, the “MachineAndUserAuthenticated-Role” role is applied if the Endpoint attribute was set to true.

    [image: rolesTab.png]

    If the “MachineAndUserAuthenticated-Role” role was applied after successful authentication, the user is authorized to access VLAN2; if not, the user is authorized to access VLAN1.

    [image: enforcementTab.png]

    This configuration is working well except in one case. After a machine is authenticated successfully, the Endpoint is added to the Endpoints repository and it has the custom Endpoint attribute set to true. I have also set “Machine Authentication Cache Timeout” to one hour.

    [image: serviceParameters.png]

    I wanted to test whether, after one hour, the user will still be authorized to access VLAN2 if machine authentication isn’t executed again. I expected it wouldn’t be possible, but the user is authorized to access VLAN2 no matter how long I wait (1, 2, 3 h…). To make sure that a successful machine authentication won’t occur again, I temporarily modify a rule so that it won’t be matched.

    [image: modifiedRule.png]

    After I manually delete the endpoint from the repository it works as expected – the endpoint attribute is not set to true after machine authentication and the user is authorized to access VLAN1 only.


    I made this configuration based on some examples found on the forum. I thought the Endpoint attribute would be cleared after the “Machine Authentication Cache Timeout” had passed, but maybe I didn’t understand the concept. Can someone tell me how to set this up so that the user won’t be authorized to access VLAN2 if the “Machine Authentication Cache Timeout” has passed and the machine wasn’t authenticated again?



  • 2.  RE: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

    EMPLOYEE
    Posted Nov 08, 2019 05:57 AM

    If a user successfully passes authentication with the same MAC address, the machine authentication timeout will be renewed.



  • 3.  RE: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

    Posted Nov 08, 2019 06:41 AM

    Is timeout renewal also possible after the machine authentication timeout passed a long time ago?

    Does it mean that next time I don't have to use a machine with a valid certificate and I can just use some machine with the same MAC address?



  • 4.  RE: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

    EMPLOYEE
    Posted Nov 13, 2019 07:01 AM

    @mrzepecki wrote:

    Is timeout renewal also possible after the machine authentication timeout passed a long time ago?

    Does it mean that next time I don't have to use a machine with a valid certificate and I can just use some machine with the same MAC address?


    Timeout renewal is not possible after the machine timeout has passed. It can be renewed by a machine or user authentication with the same MAC address if the timeout has not passed. If it has passed, only a new machine authentication can restart it.


    If the timer has not expired, any valid 802.1X authentication with the same MAC address would renew the machine authentication cache.


    The most secure organizations use machine-only authentication with an EAP-TLS certificate and do not rely on the machine authentication cache.



  • 5.  RE: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

    Posted Nov 08, 2019 08:29 AM

    What is the idea behind the custom endpoint attribute? Does it ever go false or null in natural CPPM workflows? What is the goal of using it the way some examples show?



  • 6.  RE: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout
    Best Answer

    EMPLOYEE
    Posted Nov 13, 2019 07:03 AM

    @mrzepecki wrote:

    What is the idea behind the custom endpoint attribute? Does it ever go false or null in natural CPPM workflows? What is the goal of using it the way some examples show?


    The custom endpoint attribute never goes false or null and it is persistent. This is MAC address-based, however, and a device that fakes the MAC address of a device that has already machine authenticated would get elevated privileges. It is better from a security perspective to just deploy machine-only authentication with EAP-TLS machine certificates to avoid all of those issues.
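The two behaviours described in this thread can be modelled side by side: a persistent custom Endpoint attribute that is set once on successful machine authentication and never cleared (post 6), and the built-in Machine Authentication Cache whose timer is renewed by any successful 802.1X authentication with the same MAC address only while it has not yet expired, and restarted only by a new machine authentication once it has (post 4). The following Python model is an added illustration written for this page, not ClearPass code or an Aruba-provided tool; the class names `EndpointRepository` and `MachineAuthCache`, the MAC address and the event timeline are all constructed for the example. It replays the original poster's test (machine authentication at t=0, user logins at 0.5 h, 1.2 h and 3 h, then deletion of the endpoint) and returns the VLAN each design would grant at each step.

```python
"""Model of two ClearPass-style authorization designs discussed in the thread.

Added example, not ClearPass code. Both stores are keyed by MAC address,
which is exactly why the thread recommends EAP-TLS machine-only
authentication over either of them: a MAC is not a credential.
"""
from dataclasses import dataclass, field

HOUR = 3600  # seconds


@dataclass
class EndpointRepository:
    """Persistent per-MAC attributes, like the custom boolean Endpoint
    attribute the original poster sets in the enforcement profile.
    Nothing in this model ever clears it except deleting the endpoint."""
    attrs: dict = field(default_factory=dict)

    def set_machine_authenticated(self, mac: str) -> None:
        self.attrs.setdefault(mac, {})["MachineAuthenticated"] = True

    def is_machine_authenticated(self, mac: str) -> bool:
        return self.attrs.get(mac, {}).get("MachineAuthenticated", False)

    def delete(self, mac: str) -> None:
        self.attrs.pop(mac, None)


@dataclass
class MachineAuthCache:
    """Machine Authentication Cache semantics as described in post 4:
    a machine auth sets the expiry; any later successful authentication
    with the same MAC renews it only while it is still unexpired."""
    timeout: int
    expiry: dict = field(default_factory=dict)

    def machine_auth(self, mac: str, now: int) -> None:
        self.expiry[mac] = now + self.timeout

    def is_valid(self, mac: str, now: int) -> bool:
        return mac in self.expiry and now < self.expiry[mac]

    def user_auth(self, mac: str, now: int) -> None:
        # Renewal is only possible before the timer has expired.
        if self.is_valid(mac, now):
            self.expiry[mac] = now + self.timeout


def role_from_attribute(repo: EndpointRepository, mac: str) -> str:
    """Original poster's design: VLAN2 whenever the attribute is true."""
    return "VLAN2" if repo.is_machine_authenticated(mac) else "VLAN1"


def role_from_cache(cache: MachineAuthCache, mac: str, now: int) -> str:
    """Cache-based design: VLAN2 only while the cache entry is unexpired."""
    return "VLAN2" if cache.is_valid(mac, now) else "VLAN1"


def run_scenario(timeout: int = HOUR) -> dict:
    """Replay the thread's test timeline; returns {step: (attribute, cache)}."""
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    repo = EndpointRepository()
    cache = MachineAuthCache(timeout)
    results = {}

    # t = 0: machine authenticates successfully (expiry 1.0 h)
    repo.set_machine_authenticated(mac)
    cache.machine_auth(mac, 0)

    # t = 0.5 h: user logs in; timer still running, so it is renewed to 1.5 h
    t = HOUR // 2
    cache.user_auth(mac, t)
    results["user_at_0.5h"] = (role_from_attribute(repo, mac),
                               role_from_cache(cache, mac, t))

    # t = 1.2 h: past the original hour but inside the renewed window (1.5 h),
    # so the user is still accepted and the timer moves to 2.2 h
    t = int(1.2 * HOUR)
    cache.user_auth(mac, t)
    results["user_at_1.2h"] = (role_from_attribute(repo, mac),
                               role_from_cache(cache, mac, t))

    # t = 3 h: the original poster's test, no new machine authentication.
    # The cache has expired and cannot be renewed; the attribute is still true.
    t = 3 * HOUR
    cache.user_auth(mac, t)
    results["user_at_3h"] = (role_from_attribute(repo, mac),
                             role_from_cache(cache, mac, t))

    # Manually deleting the endpoint, as the poster did, is the only thing
    # that resets the attribute-based design.
    repo.delete(mac)
    results["after_delete"] = (role_from_attribute(repo, mac),
                               role_from_cache(cache, mac, t))
    return results


if __name__ == "__main__":
    for step, (attr_vlan, cache_vlan) in run_scenario().items():
        print(f"{step:15s} attribute design -> {attr_vlan}   cache design -> {cache_vlan}")
```

The third step is the behaviour the original poster observed: the attribute design still returns VLAN2 hours after the cache would have expired, because nothing in the workflow ever sets the attribute back to false. The cache design drops to VLAN1 once the timer runs out with no machine authentication, which matches the renewal rules given in post 4.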