Using a Cisco 3750x and a test laptop with 802.1x authentication off. Trying to get ClearPass to allow access via MAC Authentication. Created a Service with the following parameters:
Service Tab
Type = Connection, Name = Client-MAC-Address-NoDelim, Operator = EQUALS, Value = %{RADIUS:IETF:User-Name}
Type = Radius:IETF, Name = NAS-Port-Type, Operator = EQUALS, Value = Ethernet (15)
Type = Radius:IETF, Name = Service-Type, Operator = EQUALS, Value = Call-Check (10)
Authentication Tab
Authentication Method = [Allow All MAC AUTH]
Authentication Sources = [Endpoints Repository][Local SQL DB]
Authorization Tab
Additional authorization.... = [Endpoints Repository][Local SQL DB]
Roles Tab
-NONE- We are not using roles. Just a basic allow/deny. The VLAN configured on the switchport will be used for VLAN assignment.
Enforcement Tab
Default Profile = [Deny Access Profile]
Rules Evaluation Algorithm = first-applicable
Conditions = Authorization:[Endpoints Repository]:Category EQUALS Computer AND
Authorization:[Endpoints Repository]:Status EQUALS Known
Enforcement Profiles = [Allow Access Profile]
Profiler Tab
Endpoint Classification = Any Category/OS Family/Name
RADIUS CoA Action = [Cisco - Terminate Session]
Here is how the Cisco switch port is configured:
interface GigabitEthernet1/0/1
 switchport access vlan 29
 switchport mode access
 switchport voice vlan 129
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast
end
With all of that configured, the laptop does not get on the network. Access tracker shows the following:
This makes sense because the Service is set to look for the Category of "Computer" and a Status of "Known" in the Endpoints DB. However, ClearPass will not fully profile the device so that it can be classified as a Computer. The Profiled status is 'no'.
What am I missing here? Why won't ClearPass profile this device? Once profiled it should get on with no problems, but getting to this point has been quite challenging. What is the flow of a MAC Auth? Does the device need to be allowed on with DHCP only in order to be fingerprinted, THEN have the Service applied? Confused as to the flow.
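The service described in the post above can be traced with a small model, added here as an example that is not part of the original post and is not ClearPass code. It assumes the switch sends the MAC without delimiters as User-Name and that Client-MAC-Address-NoDelim is derived from Calling-Station-Id; all MAC addresses and endpoint records are constructed.

```python
import re

def no_delim(mac):
    """Strip delimiters and lowercase (assumed Client-MAC-Address-NoDelim form)."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def service_matches(req):
    """The three Service-tab rules from the post; all must match."""
    return (no_delim(req["Calling-Station-Id"]) == req["User-Name"].lower()
            and req["NAS-Port-Type"] == 15   # Ethernet
            and req["Service-Type"] == 10)   # Call-Check

# Enforcement tab: first-applicable rule list, then the default profile.
RULES = [
    (lambda ep: ep.get("Category") == "Computer" and ep.get("Status") == "Known",
     "[Allow Access Profile]"),
]
DEFAULT_PROFILE = "[Deny Access Profile]"

def enforce(req, endpoints):
    """Return the enforcement profile, or None if this service does not match."""
    if not service_matches(req):
        return None
    ep = endpoints.get(no_delim(req["Calling-Station-Id"]), {})
    for condition, profile in RULES:
        if condition(ep):
            return profile
    return DEFAULT_PROFILE

def mab_request(mac):
    """Constructed MAB Access-Request carrying only the attributes the service checks."""
    return {"User-Name": no_delim(mac), "Calling-Station-Id": mac,
            "NAS-Port-Type": 15, "Service-Type": 10}

# Constructed endpoint repository: one profiled device, one known but unprofiled.
ENDPOINTS = {
    "001122334455": {"Status": "Known", "Category": "Computer"},
    "00aabbccddee": {"Status": "Known"},  # Profiled: no, so no Category yet
}

if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "00-AA-BB-CC-DD-EE", "00-DE-AD-BE-EF-01"):
        print(mac, "->", enforce(mab_request(mac), ENDPOINTS))
```

In this model an endpoint with no Category fails the only rule and falls through to the default deny profile, the same as a MAC that is not in the repository at all.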