Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authorization with 802.1x Wired or Wireless service

  • 1.  MAC Authorization with 802.1x Wired or Wireless service

    Posted Mar 30, 2019 05:13 AM

    I would like to use MAC authorization with an 802.1x service, so that if both the user (AD user) and the PC (MAC in whitelist, NOT a member of AD) are authenticated, access is allowed.

    - How can I use MAC as an authorization source with an 802.1x service?

    - Can I add the MAC as username and password in local users and then use the Local User Repository in the authorization tab?

    - How would the rules of the enforcement policy look? Could it be something like: authorization AD, member of group X.

    And

    authorization Local User Repository, role name = Y

    ??



  • 2.  RE: MAC Authorization with 802.1x Wired or Wireless service

    EMPLOYEE
    Posted Mar 30, 2019 10:50 AM
    Why use MAC address when it can be spoofed? EAP-TLS is recommended to solve these use cases.


  • 3.  RE: MAC Authorization with 802.1x Wired or Wireless service

    Posted Mar 31, 2019 02:02 AM

    Because the PCs are not members of the company domain.

    Is the above applicable?



  • 4.  RE: MAC Authorization with 802.1x Wired or Wireless service

    MVP EXPERT
    Posted Mar 31, 2019 09:20 AM

    You could use ClearPass Onboarding to achieve this, but it's licensed.


  • 5.  RE: MAC Authorization with 802.1x Wired or Wireless service

    Posted Mar 31, 2019 03:05 PM

    I am looking for a method other than Onboard.

    Can anyone help?



  • 6.  RE: MAC Authorization with 802.1x Wired or Wireless service

    MVP EXPERT
    Posted Mar 31, 2019 04:37 PM

    Hi Sultan77,

    A device does not necessarily have to be AD joined to use EAP-TLS.

    First of all, the CA-Root (and intermediate) certificate must be installed on the endpoint in order to validate the ClearPass RADIUS server certificate.

    In addition, a computer / user certificate from your own PKI infrastructure must be installed on the endpoint.

    ClearPass must have, in its trust store, the CA-Root (and intermediate) certificate with which the endpoint computer / user certificate was created, to be able to validate the computer / user certificate.

    I think the biggest challenge is that it requires a high management effort. You must also be able to issue PKI certificates to "unknown" endpoint devices, which can be a security risk.

    I wonder if other people have another solution in mind here.
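
The two trust directions described in post 6, checked against a throwaway PKI before any device is touched (an added example, not part of the original posts). It uses only the `openssl` CLI, not ClearPass; the CA names, host name and device name are constructed.

```shell
#!/bin/sh
# Constructed lab PKI: every name below is sample data, not a value from the thread.

make_ca() {      # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = leaf prefix, $3 = common name, $4 = EKU
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$4" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

chains_to() {    # $1 = trusted CA file, $2 = certificate to validate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_lab() {    # $1 = working directory
    make_ca "$1/corp" "Lab Root CA"        # CA trusted by endpoint and server
    make_ca "$1/other" "Unrelated CA"      # CA that is in neither trust store
    issue_cert "$1/corp" "$1/radius" radius.example.test serverAuth
    issue_cert "$1/corp" "$1/client" byod-laptop-01 clientAuth
    issue_cert "$1/other" "$1/rogue" byod-laptop-01 clientAuth
}

LAB=$(mktemp -d)
build_lab "$LAB"

# Direction 1: the endpoint, holding the root CA, validates the RADIUS server.
chains_to "$LAB/corp.pem" "$LAB/radius.pem" && echo "endpoint accepts server cert"
# Direction 2: the server, holding the same root CA, validates the endpoint.
chains_to "$LAB/corp.pem" "$LAB/client.pem" && echo "server accepts client cert"
# Same device name, but issued by a CA outside the trust store: must fail.
chains_to "$LAB/corp.pem" "$LAB/rogue.pem" || echo "untrusted-CA cert rejected"
```

The rejected case shows why the trust store contents matter more than the certificate subject: the device name is identical, only the issuer differs.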


  • 7.  RE: MAC Authorization with 802.1x Wired or Wireless service

    EMPLOYEE
    Posted Mar 31, 2019 04:40 PM

    Configuring unmanaged devices for 802.1x can also be a chore, as well as maintaining lists of MAC addresses to users.



  • 8.  RE: MAC Authorization with 802.1x Wired or Wireless service

    Posted Apr 07, 2019 03:28 AM

    Hi CJoseph,

    How can I use MAC authorization and 802.1x authentication?

    To allow specific MACs to specific resources.



  • 9.  RE: MAC Authorization with 802.1x Wired or Wireless service

    MVP EXPERT
    Posted Apr 07, 2019 04:47 AM
    You can create an extra attribute field in the endpoint database and use this endpoint database attribute in your enforcement policy.