Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Domain check fails as username sent as mac address

  • 1.  Domain check fails as username sent as mac address

    Posted Mar 26, 2018 05:52 AM

    We have configured ClearPass to do both User and Machine Authentication. If the end device is a domain machine and the user is successfully authenticated, then it is given full access. If the end device is not a domain machine, then it is put in a VLAN which will allow it to be joined to the domain.


    The problem is that the machine, when connecting to the network, sends both the MAC address and domain\user as the username. The domain check fails when the username is the MAC address, and the machine is put into the domain join VLAN in spite of the machine being in the domain. I get the following alert for these machines.

    RADIUSSV_PrimaryDomainController - 172.31.0.25: User not found.
    EAP: Client doesn't support configured EAP methods

    Since the order in which the username is passed to ClearPass is random, the machines are randomly put into the Domain Join VLAN. All machines send both the MAC address and domain/user as the username, but the order is random.


    Is there a way that I can ignore the username being sent as a MAC address and only consider the request where the username is in the format domain/username?


    There are non-dot1x devices like printer in the network which are allowed access to network without the domain check.



  • 2.  RE: Domain check fails as username sent as mac address

    EMPLOYEE
    Posted Mar 26, 2018 11:14 AM

    You will see MAC address as username only with the MAC authentication.


    Can you please explain more about your setup?



  • 3.  RE: Domain check fails as username sent as mac address

    Posted Mar 26, 2018 11:40 AM

    Hi,


    We have Cisco SG300 switches as access switches. The Cisco SG300 switches are configured for both 802.1X and MAC authentication, as there is non-dot1x equipment like printers and access points connected to the same switches and we want to use MAC Authentication Bypass for these devices.


    Since the switch sends the required authentication details for 802.1X-enabled devices through 802.1X, I want to ignore the MAC address being sent as the username for these devices. Since the ClearPass service sees this MAC address being sent as the username subsequent to the username being sent as domain/user, it causes the end device to be moved to the Domain Join VLAN even though the end device is already in the domain. Also, sometimes the MAC address as username arrives prior to the username as domain/user.
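The setup described in the posts above produces two different RADIUS Access-Requests for the same port: a MAC-authentication request whose User-Name is the client MAC, and an 802.1X request whose User-Name is domain\user and which carries EAP-Message attributes. The fix the original poster is after is to stop treating the first kind as a candidate for the domain check. The Python below is an added example, not ClearPass configuration and not code from this thread; it models the classification logic on constructed attribute dictionaries that stand in for decoded RADIUS packets. Attribute names are the standard RADIUS ones (User-Name, Calling-Station-Id, EAP-Message, Service-Type); the Service-Type values and the exact MAC format the SG300 sends are assumptions and are not verified against that switch.

```python
"""Separate MAC-authentication requests from 802.1X requests before a domain check.

Added example on constructed input. The discriminator used here is:
  1. User-Name is a MAC address AND equals Calling-Station-Id  -> MAC auth.
     This holds whether the NAS does MAB over PAP or over EAP-MD5, so it is
     checked before looking at EAP-Message.
  2. Otherwise, an EAP-Message attribute present                -> 802.1X.
  3. Otherwise                                                  -> unknown.
Only 802.1X requests whose identity is DOMAIN\\user (or DOMAIN/user) get the
domain check; MAC-auth requests are handled by their own (device) policy.
"""
import re
from typing import List, Optional, Tuple

# MAC spellings a NAS commonly uses in User-Name / Calling-Station-Id:
# aabbccddeeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$",
    re.IGNORECASE,
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    value = value.strip()
    if not _MAC_RE.match(value):
        return None
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def classify_request(attrs: dict) -> str:
    """Return 'mab', 'dot1x' or 'unknown' for one decoded Access-Request."""
    user_mac = normalize_mac(attrs.get("User-Name", ""))
    csid_mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    # Username that is literally the calling station's MAC: MAC authentication.
    if user_mac is not None and user_mac == csid_mac:
        return "mab"
    # A supplicant speaking 802.1X always carries EAP-Message (RFC 3579).
    if attrs.get("EAP-Message"):
        return "dot1x"
    return "unknown"


def split_user(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' or 'DOMAIN/user' into (domain, user); domain None if absent."""
    for sep in ("\\", "/"):
        if sep in user_name:
            domain, user = user_name.split(sep, 1)
            return domain, user
    return None, user_name


def should_run_domain_check(attrs: dict) -> bool:
    """True only for 802.1X requests that present a domain-qualified identity."""
    if classify_request(attrs) != "dot1x":
        return False
    domain, _ = split_user(attrs.get("User-Name", ""))
    return domain is not None


def triage(requests: List[dict]) -> List[Tuple[str, bool]]:
    """(classification, run-domain-check?) for each request, in order."""
    return [(classify_request(r), should_run_domain_check(r)) for r in requests]


# Constructed sample requests (not captured traffic). Service-Type values are
# assumed: Framed for 802.1X, Call-Check for MAC auth, as most NAS vendors send.
SAMPLE_REQUESTS = [
    # 802.1X from a domain machine: DOMAIN\user identity plus EAP Response/Identity.
    {"User-Name": "CORP\\jdoe", "Calling-Station-Id": "00-11-22-33-44-55",
     "EAP-Message": b"\x02\x01\x00\x0e\x01CORP\\jdoe", "Service-Type": "Framed"},
    # MAC auth for the same port: username is the MAC, no EAP at all.
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55",
     "Service-Type": "Call-Check"},
    # A printer that only does MAC auth, MAC rendered with colons.
    {"User-Name": "aa:bb:cc:dd:ee:ff", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
     "Service-Type": "Call-Check"},
]

if __name__ == "__main__":
    for req, (kind, check) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{req['User-Name']:<20} {kind:<8} domain check: {check}")
```

The point of keying on User-Name equalling Calling-Station-Id, rather than on the absence of EAP-Message alone, is that some switches can be configured to perform MAC authentication over EAP-MD5, in which case the MAC-auth request does carry EAP. Whichever product does the classification, the two request types must be routed to different policies before any domain-membership lookup is attempted; the order in which they arrive then no longer matters.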