Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication on RAP is allowing any MAC despite internalDB being empty

  • 1.  MAC Authentication on RAP is allowing any MAC despite internalDB being empty

    Posted Oct 08, 2015 12:02 PM

    Hello

    I have:

    Model:Aruba3600
    Version:6.3.1.5

    & ClearPass, although I didn't make any changes to ClearPass for access via the Eth1 port on RAPs; I tried using the internal DB.

    RAP-3WNP

    Using a RAP-3WNP, I wish to use the eth1 interface for printer access on VLAN 50 using the MAC address. I am using an AP-specific config under testing and once proven will roll out the config to the AP Group:

    Config:

    RAP-3WNP eth1:

    Shut down: Unticked
    Remote-AP Backup: Ticked
    Bridge Role: authenticated
    Time to wait for authentication to succeed: 20 sec
    Spanning Tree: Unticked

    default-mac-auth

    Wired AP enable: Ticked
    Trusted: Unticked
    Forward mode: tunnel
    Switchport mode: access
    Access mode VLAN: 50
    Trunk mode native VLAN: 1
    Trunk mode allowed VLANs: 1-4094
    Broadcast: Unticked
    Initial role: logon
    MAC Authentication Default Role: authenticated
    802.1X Authentication Default Role: Guest
    L2 Authentication Fail Through: Unticked
    User idle timeout: Enable (seconds)

    MAC Authentication Profile: default
    MAC Authentication Server Group: default
    802.1X Authentication Profile:
    802.1X Authentication Server Group:
    RADIUS Accounting Server Group:
    XML API server:
    RFC 3576 server:

    Authentication - internal DB (note the MAC account in the internal DB is disabled and could still access the network). RAP was rebooted twice.

    Internal DB entry (Maximum Expiration: min; this account is disabled):

    User name: f01faf46375e
    Password: ******
    Role: company_Employee
    Enabled: No
    Static IP: 0.0.0.0


  • 2.  RE: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

    EMPLOYEE
    Posted Oct 08, 2015 12:48 PM

    If you have an AAA profile attached to a wired port, the initial role is what a user gets, and if they fail MAC authentication, that is the role they stay in.  By default the initial role of logon allows DHCP.



  • 3.  RE: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

    Posted Oct 09, 2015 07:15 AM

    Thanks for your response; my test RAP is at home for me to look further into what I can do. However, I had my laptop on as a test device with a static IP related to the printer VLAN; the only thing I tried after disabling the MAC user account in the internal DB was a ping, and as that worked I assumed (without checking further) there was a greater security / privilege issue occurring.

    So will the logon "initial role" restrict further access rights other than DHCP / ping? If it does allow more privileges, is there another initial role I should use?

     

    Thanks

    Tony



  • 4.  RE: MAC Authentication on RAP is allowing any MAC despite internalDB being empty

    EMPLOYEE
    Posted Oct 09, 2015 07:25 AM

    You should create a new role that restricts traffic that you don't want to happen initially and assign that to the initial role of that AAA profile.  You don't want to edit the built-in logon role, because it is tied to other things.  The initial role is used so that devices that fail are given the option to connect other ways.  The logon role would allow the user to open a captive portal to log in, if they fail MAC authentication.
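
What the two replies above describe, written out as ArubaOS 6.x CLI configuration (the poster is on 6.3.1.5). This is an added example prepared for this page, not configuration from the original poster or from HPE Aruba. The names restricted-initial, printer-mac-db, printer-mac-auth, printer-vlan50, printer-eth1 and RAP-3WNP-test are assumptions, as is the decision to let an unauthenticated device do nothing but obtain a DHCP lease; adjust the ACL if the pre-authentication role needs anything else.

```text
! Session ACL for the pre-authentication role (assumed name): let the device
! request a lease and nothing else. "user any udp 68 deny" stops a client from
! answering DHCP requests itself; the last rule drops everything not listed.
ip access-list session restricted-initial
  user any udp 68 deny
  any any svc-dhcp permit
  any any any deny
!
! A new role built from that ACL, so the built-in "logon" role is left alone
! (it is shared with captive portal and other profiles).
user-role restricted-initial
  access-list session restricted-initial
!
! Server group that points MAC authentication at the controller's internal DB.
aaa server-group printer-mac-db
  auth-server Internal
!
! AAA profile for the printer port. A MAC that is missing from the DB, or whose
! account is disabled, fails MAC auth and stays in the initial role; a MAC that
! passes moves to "authenticated". No 802.1X or captive portal is configured.
aaa profile printer-mac-auth
  initial-role restricted-initial
  authentication-mac default
  mac-server-group printer-mac-db
  mac-default-role authenticated
!
! Wired AP profile: tunnel-mode access port on VLAN 50, untrusted (the default).
ap wired-ap-profile printer-vlan50
  wired-ap-enable
  forward-mode tunnel
  switchport mode access
  switchport access vlan 50
!
! Wired port profile for eth1, bound to the test AP only (AP-specific config).
ap wired-port-profile printer-eth1
  wired-ap-profile printer-vlan50
  aaa-profile printer-mac-auth
  bridge-role authenticated
  rap-backup
!
ap-name RAP-3WNP-test
  enet1-port-profile printer-eth1
!
! Checks to run on the controller with a test device plugged into eth1:
!   show user-table                  role should read restricted-initial until
!                                    the device's MAC is enabled in the internal DB
!   show rights restricted-initial   confirms only the DHCP rules are in the role
!   show aaa profile printer-mac-auth
```

The test that matters is the role shown in show user-table, not whether a ping gets through: the stock logon role's logon-control ACL permits more than DHCP (DNS and ICMP among others), so a statically addressed laptop can ping from it, which is consistent with what the original post observed. With the restrictive initial role above, the same laptop should show up in restricted-initial and its ping should fail until its MAC is present and enabled in the internal DB, after which it should appear in authenticated. Because the port is in tunnel mode, the session ACL is enforced on the controller rather than on the RAP.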