Security
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC auth on controller allowing user through even with failure

  • 1.  MAC auth on controller allowing user through even with failure

    Posted Feb 04, 2020 05:49 PM

    Hey - I was testing something today in the context of ClearPass, and found something I wasn't expecting. When I enable MAC authentication (no ClearPass, just using the internal DB as an example), and the authentication fails (as verified in the logs), the user is placed in the initial role anyway and is allowed network access. Code is 8.4.0.2. Is this expected behavior? My AAA profile config has the MAC auth default profile and the MAC server group set to internal. Thanks 



  • 2.  RE: MAC auth on controller allowing user through even with failure

    EMPLOYEE
    Posted Feb 05, 2020 04:05 AM

    Is this wireless?

    What is the encryption type for the SSID?


    Assuming that it is Wireless with an open or WPA2-PSK SSID with only MAC authentication configured, I would expect that following an Access-Reject from ClearPass (or internal database) on the MAC authentication that the client will be rejected (no access and immediate disconnected) if L2 Authentication Fail Through is disabled. If that option is enabled, I would expect the Initial role to be applied.


    Do you have ClearPass or other RADIUS server to verify if this is just when working with the internal database or also with an external authentication?


    Please work with Aruba Support if this is your case and you see something different. If the situation is different, please provide more details.



  • 3.  RE: MAC auth on controller allowing user through even with failure
    Best Answer

    MVP
    Posted Feb 05, 2020 11:51 AM

    @Herman Robers Think you are mistaken there.


    @nbhave 

    This has always been expected behaviour on the controller for OPEN or PSK SSIDs.


    On MAC-auth success you get the MAC-auth default role (or whatever role comes from the internal database if you use server rules).

    On MAC-auth failure (reject) you get the initial role (which can be a 'deny all' or guest-logon if you need).


    L2 Fail-through was (is) when you combine 802.1X and MAC-auth on a single SSID. Typically you stay far, FAR away from L2 fail-through (or better yet, use Clearpass). 

    L2 fail-through result table: [image l2-auth-fail-through.jpg, not reproduced here]


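For reference, here is the kind of MAC-auth-only AAA profile the thread is describing, written out as ArubaOS 8.x CLI. This is an added example and not configuration posted by anyone in the thread: the role names `mac-fail-denyall` and `mac-auth-ok` and the profile name `mac-only-aaa` are hypothetical, the `!` lines are commentary for the reader (drop them when pasting), and it assumes the predefined `denyall` and `allowall` session ACLs present on the controller. It pins the initial role to deny-all, so a rejected MAC lands in a role that passes no traffic, and explicitly leaves L2 fail-through off, which matters only once 802.1X is added to the same SSID.

```text
! Role a client gets when the controller has no authentication result yet,
! i.e. also after a MAC-auth Access-Reject on an OPEN/PSK SSID: drop everything.
user-role mac-fail-denyall
  access-list session denyall

! Role a client gets after a MAC-auth Access-Accept (no server-derived role).
user-role mac-auth-ok
  access-list session allowall

! AAA profile: MAC auth only, against the internal database.
aaa profile mac-only-aaa
  initial-role mac-fail-denyall
  mac-default-role mac-auth-ok
  authentication-mac default
  mac-server-group internal
  no l2-auth-fail-through
```

To confirm the behaviour described in this post, associate a client whose MAC is not in the internal database and run `show user-table`: the entry should show role `mac-fail-denyall` rather than an access-granting role, and `show aaa profile mac-only-aaa` should list `L2 Authentication Fail Through` as disabled.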

  • 4.  RE: MAC auth on controller allowing user through even with failure

    Posted Feb 05, 2020 11:56 AM
    Got it - yeah, I would have thought it'd be better to implement the MAC auth in the controller at the 802.11 open system auth/assoc level so that L3 access to the medium is blocked completely upon MAC auth failure. But I get what you mean. Thanks guys!


  • 5.  RE: MAC auth on controller allowing user through even with failure

    MVP
    Posted Feb 05, 2020 12:04 PM

    With Clearpass this becomes more logical imho.


    On an OPEN SSID with Clearpass I typically use Allow All MAC-auth (to avoid access tracker filling up with rejects) and then have Clearpass send back a guest-logon role or a proper access role.