Security

MAC auth on controller allowing user through even with failure

Hey - was testing something today in the context of ClearPass, and found something I wasn't expecting. When I enable MAC authentication (no ClearPass, just using internalDB as an example), and the authentication fails (as verified in logs), the user is placed in the initial role anyway and is allowed network access. Code is 8.4.0.2. Is this expected behavior? My AAA profile config has MAC auth default profile and MAC server group set as internal. Thanks 




All Replies

Re: MAC auth on controller allowing user through even with failure

Is this wireless?

What is the encryption type for the SSID?

 

Assuming that it is Wireless with an open or WPA2-PSK SSID with only MAC authentication configured, I would expect that following an Access-Reject from ClearPass (or internal database) on the MAC authentication the client will be rejected (no access and immediately disconnected) if L2 Authentication Fail Through is disabled. If that option is enabled, I would expect the Initial role to be applied.

 

Do you have ClearPass or other RADIUS server to verify if this is just when working with the internal database or also with an external authentication?

 

Please work with Aruba Support if this is your case and you see something different. If the situation is different, please provide more details.

Re: MAC auth on controller allowing user through even with failure

@Herman Robers Think you are mistaken there.

 

@nbhave 

This has always been expected behaviour on the controller for OPEN or PSK SSIDs.

 

On MAC-auth success you get the MAC-auth default role (or whatever role from the internal database if you use server rules).

On MAC-auth failure (reject) you get the initial role (which can be a 'deny all' or guest-logon if you need).

 

L2 Fail-through was (is) when you combine 802.1X and MAC-auth on a single SSID. Typically you stay far, FAR away from L2 fail-through (or better yet, use Clearpass). 

L2 fail-through result table: [image: l2-auth-fail-through.jpg]


Koen (ACMX #351 | ACDX #547 | ACCP)
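Since the initial role is what a client lands in after a MAC-auth reject on an open or PSK SSID, the practical hardening is to make that role deny-all. The following ArubaOS AAA profile is an added example written for this thread, not configuration posted by anyone in it; the profile and role names "mac-only" and "mac-auth-ok" are assumptions, while "denyall" and "allowall" are the controller's predefined role and session ACL. L2 fail-through is left disabled, as the thread recommends.

```text
! Added example (not from the thread). Profile/role names mac-only and
! mac-auth-ok are assumed; denyall and allowall are predefined on ArubaOS.
user-role "mac-auth-ok"
    access-list session "allowall"
!
aaa profile "mac-only"
    initial-role "denyall"
    mac-default-role "mac-auth-ok"
    authentication-mac "default"
    mac-server-group "internal"
    no l2-auth-fail-through
!
```

To confirm the effect described in the thread, check the assigned role of a rejected client with `show user-table`: with the profile above, a client whose MAC auth fails should appear in the denyall role (or not at all once it is aged out), rather than in a role with network access.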

Re: MAC auth on controller allowing user through even with failure

Got it - yeah I would have thought it'd be better to implement the MAC auth in the controller at the 802.11 open system auth/assoc level so that L3 access to the medium is blocked completely upon MAC auth failure. But I get what you mean. Thanks guys!
Re: MAC auth on controller allowing user through even with failure

With Clearpass this becomes more logical imho.

 

On an OPEN SSID with Clearpass I typically use Allow All MAC-auth (to avoid access tracker filling up with rejects) and then have Clearpass send back a guest-logon role or a proper access role.

 

 


Koen (ACMX #351 | ACDX #547 | ACCP)