Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to create a 802.1X service for IP Phones and printers

  • 1.  How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 07:02 AM

    Hi,

    I want to create an 802.1X service that checks the device against the static endpoint list and allows a VLAN according to the device type, like:

    IP Phone - VLAN10

    Printer - VLAN20

    Please help.

    Regards,

    PRASANTH.



  • 2.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 07:08 AM
    Add devices to static hosts list group
    Then in the enforcement policy create the following rule:
    Connection > MAC address > Belongs to group ( static hosts list group) -----send VLAN 20 profile


  • 3.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 07:15 AM

    Hi,

    As per your suggestion, if I create an enforcement policy like

    Connection > MAC address > Belongs to group ( static hosts list group) -----send VLAN 20 profile

    All the device MAC addresses added in the static hosts list will get VLAN 20. Here I want to assign the VLAN according to the device type, like IP phone or printer, without doing the profiling.



  • 4.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 07:28 AM
    In order for CPPM to determine the type of device you will need to do profiling.

    Are these devices on wired or attached to an Aruba AP?


  • 5.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 08:12 AM

    Is it not possible to assign different enforcement policy without doing profiling?



  • 6.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 08:28 AM

    If you were doing 802.1x then yes it would be possible without profiling, you could match on some element of the EAPoL exchange (MS-CHAP username, cert CN etc).  You are saying you want to use just a static endpoint so no two way communication with the phone or printer, therefore device profiling is the only way to glean information about the client device.



  • 7.  RE: How to create a 802.1X service for IP Phones and printers
    Best Answer

    Posted Jul 29, 2015 08:38 AM

     

    You can do something like this:

    (two ClearPass Policy Manager screenshots were attached to this reply)



  • 8.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 31, 2015 01:51 AM

    Hi,

    I have tried configuring the service authentication as follows:

    Authentication type: MAC

    Authentication Source: Static Host List

    But I am getting the below error:

    MAC_AUTH: No password in request. Not attempting MAC authentication

    Cannot select appropriate authentication method



  • 9.  RE: How to create a 802.1X service for IP Phones and printers

    EMPLOYEE
    Posted Jul 31, 2015 05:48 AM
    What is the network device you're using? You need to configure it to send the MAC address as the username and password.


    Thanks,
    Tim


  • 10.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 31, 2015 06:58 AM

    Hi,

    I am using a Juniper EX 6200. What if I don't want authentication? I just need to check if the device is in the endpoint or static host list. How do I need to configure this?

    Please help.

    Regards,

    Prasanth.



  • 11.  RE: How to create a 802.1X service for IP Phones and printers

    EMPLOYEE
    Posted Jul 31, 2015 07:03 AM
    You're authenticating the port by doing that check.

    Please post your Juniper AAA config.


    Thanks,
    Tim


  • 12.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 31, 2015 07:46 AM

    Hi,

    PFA document. I am using the same switch for 802.1X authentication for the users connecting on the port.



  • 13.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Aug 03, 2015 05:22 AM

    Hi,

    Any update?



  • 14.  RE: How to create a 802.1X service for IP Phones and printers
    Best Answer

    Posted Aug 03, 2015 11:49 PM

    Hi Prasanth,

    Please add EAP-MD5 to your authentication methods, as the Juniper devices only send the username and not the password. I've had this issue with Juniper EX4200 switches, and adding the mentioned authentication method to my service fixed it.

    Let me know if it works for you.



  • 15.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Aug 04, 2015 01:12 AM

    Hi,

    Thank you very much, it's working if I select MD5 as an authentication method for the Juniper switch. I have one more query here: what if I need to authenticate with a Cisco switch using the same service? Which method do I need to select, or is any other configuration required on the switch?

    Please let me know.

    Regards,

    PRASANTH.



  • 16.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Aug 04, 2015 01:20 AM

    Glad I can help.

    With Cisco switches MAC auth should work fine. Unlike the Juniper Switches, Cisco switches do MAC auth with the username and the password being the Client's MAC address.



  • 17.  RE: How to create a 802.1X service for IP Phones and printers

    Posted Jul 29, 2015 08:31 AM
    You can assign different enforcement policies if you use the static host lists by making a Printer group and an IP Phone group, but you can't make a decision based on the type of device, since CPPM doesn't have that information in the endpoint database.
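Added here as an illustration, not ClearPass code or anything posted in the thread: a small Python model that ties together replies 2, 14, 16 and 17. It shows why a request carrying only a username fails plain MAC authentication with the error quoted above, how allowing EAP-MD5 as a method lets that request proceed, and how two static host lists map devices to VLAN10 and VLAN20 without profiling. The attribute names, list contents and the simplified method check are constructed assumptions.

```python
"""Simplified model of the ClearPass MAC-auth flow discussed in this thread.

Constructed for illustration only; attribute names and the way EAP-MD5 is
modelled are assumptions, not ClearPass internals.
"""
import re

# Constructed static host lists with sample MAC addresses (not real devices).
STATIC_HOST_LISTS = {
    "IP Phones": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "Printers": {"aa:bb:cc:dd:ee:01"},
}
# One enforcement profile per group, as suggested in replies 2 and 17.
VLAN_BY_GROUP = {"IP Phones": 10, "Printers": 20}

# Error text quoted in the thread when the switch sends no password.
NO_PASSWORD_ERROR = "MAC_AUTH: No password in request. Not attempting MAC authentication"


def normalize_mac(value):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex.

    Switch vendors format the MAC in User-Name differently, so membership
    checks compare a canonical lowercase colon-separated form.
    Returns None when the value does not contain exactly 12 hex digits.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def evaluate(request, methods=("MAC",)):
    """Return (decision, detail) for a RADIUS-style request dict.

    methods is the service's allowed authentication methods. Plain MAC auth
    requires User-Password; a username-only request (the Juniper case) is
    rejected unless EAP-MD5 is also allowed, which is the fix from reply 14.
    """
    mac = normalize_mac(request.get("User-Name", ""))
    if "User-Password" not in request and "EAP-MD5" not in methods:
        return "REJECT", NO_PASSWORD_ERROR
    if mac is None:
        return "REJECT", "User-Name is not a MAC address"
    for group, members in STATIC_HOST_LISTS.items():
        if mac in members:
            return "ACCEPT", {"group": group, "vlan": VLAN_BY_GROUP[group]}
    return "REJECT", "MAC address not in any static host list"
```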