Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

I need to login as administrator to obtain machine auth. and another issue

  • 1.  I need to login as administrator to obtain machine auth. and another issue

    Posted Jun 21, 2016 03:00 AM

    Dear All,

    We are implementing NAC in our company; we have already configured our Aruba ClearPass and Cisco switch.

    We found two main issues.

    1. Sometimes on first login we don't get authenticated, so we have to log out and log in with an admin account to obtain authentication and a valid IP address; after switching back to the normal user we are fine for days.

    (This could be a big problem, as all other users outside IT don't have an account with admin rights.)

     

    2. In other buildings of the company that are connected via MPLS, laptops request authentication with the MAC address instead of passing the hostname. It's strange because the switches are configured in exactly the same way and the machines are all the same, created from an image.

     

    Hope someone can help me.

    Thanks.

     

    Marco



  • 2.  RE: I need to login as administrator to obtain machine auth. and another issue

    EMPLOYEE
    Posted Jun 21, 2016 05:17 AM
    Question:

    Who set up the switches and ClearPass?


  • 3.  RE: I need to login as administrator to obtain machine auth. and another issue

    Posted Jun 21, 2016 05:29 AM

    Hi Colin,

    Both were previously configured by our external supplier, but I can access and change the configuration on both devices.

    To be more clear, we have a CA certificate installed on ClearPass and on the machines in Trusted Root, with AD as the authentication source.

    And the Cisco switch global config:

     

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.20.0.23 server-key 7 ****************
     port 3799
     auth-type all

    crypto pki certificate chain TP-self-signed-1980940132
     certificate self-signed 01
      ***
      quit
    network-policy profile 1
     voice vlan 126 cos 4
    dot1x system-auth-control

     

    Port configured as:

    interface GigabitEthernet1/0/3
     switchport access vlan 105
     switchport mode access
     switchport voice vlan 126
     switchport port-security maximum 2
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     mab
     dot1x pae authenticator
     spanning-tree portfast

     

    Tell me if you need more.

     

    Marco
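Added example, not code from the thread, from HPE or from Cisco: a small Python audit script that parses an IOS-style interface block like the one posted above (it tolerates copy-pasted text that has lost its indentation) and flags the settings that bear on the two symptoms in the first post. The finding codes, the messages and the heuristics are my own. The one I am confident about is the order/priority pair: with `authentication order mab dot1x` and `authentication priority mab dot1x`, MAB runs first and a successful MAB result is not preempted by 802.1X, so an endpoint whose MAC address the RADIUS server accepts is recorded as a MAC authentication rather than a machine (hostname) authentication; the commonly documented pattern keeps MAB first in the order but gives 802.1X the higher priority (`authentication priority dot1x mab`). The port-security check is only a "review this" flag, since support for port-security together with multi-host authentication modes depends on the platform; the `single-host` default is an assumption.

```python
# Added example: audit an IOS-style 802.1X/MAB port configuration.
# SAMPLE_CONFIG is constructed from the interface block posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport access vlan 105
 switchport mode access
 switchport voice vlan 126
 switchport port-security maximum 2
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
"""

# Human-readable meaning of each finding code (heuristics are mine, not Cisco's).
FINDING_TEXT = {
    "PORT_CONTROL_NOT_AUTO": "authentication port-control is not 'auto'; the port will not run 802.1X/MAB.",
    "MAB_NOT_ENABLED": "'mab' is missing; MAC authentication bypass cannot run.",
    "DOT1X_NOT_ENABLED": "'dot1x pae authenticator' is missing; 802.1X cannot run.",
    "MAB_PRIORITY_OVER_DOT1X": "MAB has priority over dot1x: a successful MAB result is never "
                               "preempted, so a known MAC shows up as a MAC auth, not a machine auth.",
    "PORT_SECURITY_WITH_MULTI_HOST_MODE": "port-security combined with a multi-host authentication "
                                          "host-mode; verify platform support before relying on it.",
}


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]}; works on text that lost its indentation."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # '!' (or a blank line) ends the interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def _arg(cmds, prefix):
    """Argument string of the first sub-command starting with prefix, or None if absent."""
    for c in cmds:
        if c == prefix or c.startswith(prefix + " "):
            return c[len(prefix):].strip()
    return None


def audit_port(cmds):
    """Return the list of finding codes for one interface's sub-commands."""
    findings = []
    if _arg(cmds, "authentication port-control") != "auto":
        findings.append("PORT_CONTROL_NOT_AUTO")
    if "mab" not in cmds:
        findings.append("MAB_NOT_ENABLED")
    if "dot1x pae authenticator" not in cmds:
        findings.append("DOT1X_NOT_ENABLED")
    # Only judge priority when it is configured explicitly; platform defaults vary.
    priority = (_arg(cmds, "authentication priority") or "").split()
    if "mab" in priority and "dot1x" in priority and priority.index("mab") < priority.index("dot1x"):
        findings.append("MAB_PRIORITY_OVER_DOT1X")
    host_mode = _arg(cmds, "authentication host-mode") or "single-host"   # assumed default
    if host_mode != "single-host" and any(c.startswith("switchport port-security") for c in cmds):
        findings.append("PORT_SECURITY_WITH_MULTI_HOST_MODE")
    return findings


def audit_config(config_text):
    """Audit every interface that carries 'authentication ...' commands."""
    return {name: audit_port(cmds)
            for name, cmds in parse_interfaces(config_text).items()
            if any(c.startswith("authentication ") for c in cmds)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for code in findings or ["OK"]:
            print("  ", code, "-", FINDING_TEXT.get(code, ""))
```

Run it against a `show running-config` dump to get one finding list per authenticating port; on the block above it reports the MAB-priority finding and the port-security review flag, and returns an empty list once the priority is swapped and the port-security line is removed.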

     



  • 4.  RE: I need to login as administrator to obtain machine auth. and another issue

    EMPLOYEE
    Posted Jun 21, 2016 05:51 AM
    The reason why I ask is that any change that we make could break something else unless the entire configuration is reviewed on the switch, clients and ClearPass. If you have a specific issue, you should try to get your external supplier to fix it, if possible, because he/she knows why he did what was done. If that is not possible, you should open a TAC case so they can look at it in detail and come up with a recommendation.

    If you are okay with advice here, please know that our advice from only having access to part of the problem could break something...


  • 5.  RE: I need to login as administrator to obtain machine auth. and another issue

    Posted Jun 21, 2016 05:58 AM

    At the moment I can't break things, since we are in a POC, so only 5-10 users could be affected.

    So if you have any advice, I can modify things without problems.

     

    BR

     

    Marco



  • 6.  RE: I need to login as administrator to obtain machine auth. and another issue

    EMPLOYEE
    Posted Jun 21, 2016 06:10 AM
    Machine authentication only occurs at the ctrl-alt-delete screen of Windows and does not require user intervention. That is unless the wired profile of the client has been manipulated to only send user or only send machine credentials. Much of this has very little to do with the switch port configuration. What are the access tracker details when machine authentication fails?


  • 7.  RE: I need to login as administrator to obtain machine auth. and another issue

    Posted Jun 21, 2016 06:15 AM

    We have SSO with full disk encryption provided by Check Point Endpoint.

    The latest error, which occurred yesterday morning, was on a user account; I attached the dashboard details.

     

    After I get no auth, I log off, log in with my other account that is administrator, get auth, and switch back.

     
