Occasional Contributor II

MAC which are not configured in endpoint still get authenticated

Aruba ClearPass version: 6.6.0.81015

Problem faced
================
The MACs which are not configured in the endpoint repository could still get access.

Topology
=============
Aruba ClearPass---------Nokia 7360------ONT----STC (acts as dot1x client)

Configuration done
===================
1) Added user name in local repository
2) MAC address of the user added to Endpoint repository
3) Authenticating user and additionally authorising based on the endpoint

Went through https://community.arubanetworks.com/t5/Security/Endpoints-database-and-the-Available-Attributes/td-p/93704 and still could not get it to work. So can anyone let me know what is missed here, and how to configure this correctly?

Attached the service configuration and tracker info log.

Re: MAC which are not configured in endpoint still get authenticated

First question would be why are you running 6.6.xxx. You need to be on the latest 6.6 or 6.7. There are many bug fixes and features added since 6.6.0.

Unfortunately any really security-conscious person will not download and open an unknown zip file on a forum.

You need to post screenshots of the tabs and details of the enforcement policy. Also a screenshot of Access Tracker for the device that was let on that didn't fit your rules.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II

Re: MAC which are not configured in endpoint still get authenticated

[Attachments: service-used.PNG (Service summary); accesstrack-input-part1.PNG (Access Tracker input, part 1); accesstrack-input-part2.PNG (Access Tracker input, part 2); enforcement-policy.PNG (Enforcement policy)]

Occasional Contributor II

Re: MAC which are not configured in endpoint still get authenticated

Hi,

Attached the snapshots. Already informed the IT team to upgrade.

We use Aruba clearpass for Interop testing not for actual deployment.

Our customer will be using Aruba Clearpass for their deployment.


Thanks,

S.Muthukannan

MVP Guru

Re: MAC which are not configured in endpoint still get authenticated

In Output/Alert, what profile is the user getting: is it the default profile or the Allow All profile? Also, are you seeing device vendor/OS details in the endpoint repository? Have you enabled the profile option in the service?

By default, all new devices which connect to the network will automatically get updated in the endpoint repository table.

CPPM profiles devices using the below methods:

a. OnGuard/ActiveSync plugin
b. HTTP User-Agent
c. SNMP
d. DHCP
e. MAC OUI

Regards,
Pavan
If my post address your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: MAC which are not configured in endpoint still get authenticated

[Attachment: accesstrack-alert.PNG (Alert msg)]

Hi,

Using the default allow policy. Not using profiling of the device. The alert message has been attached. Actually, in the test environment I am simulating the client using Spirent TestCenter; I don't use a physical device for this purpose.

Thanks,

S.Muthukannan


Re: MAC which are not configured in endpoint still get authenticated

I would assume this issue comes from the fact that you test with Spirent.

It completely alters the MAC address format and ClearPass must be unable to perform the lookup in the DB because of this.

This is how ClearPass receives the MAC in your situation:

Radius:IETF:Calling-Station-Id = 0x2545000002 [%E...]

Also, why EAP-MD5?

ACMP, ACCP, BCNE
Satori Internetworking
http://www.net-satori.ca/
Occasional Contributor II

Re: MAC which are not configured in endpoint still get authenticated

Hi,

Thanks for the reply.

Radius:IETF:Calling-Station-Id = 0x2545000002 [%E...]

What is the format you expect in Aruba, or can you please give us a sample of how it should look? From Spirent I can send the MAC as wished. Also, the Nokia ISAM 7360 presents the Calling Station ID as an octet string.

We have an issue with self-certified TLS, so we are using EAP.

Thanks,

S.Muthukannan.

Re: MAC which are not configured in endpoint still get authenticated

Format should normally be: AA-BB-CC-DD-EE-FF

thanks,
ACMP, ACCP, BCNE
Satori Internetworking
http://www.net-satori.ca/
Occasional Contributor II

Re: MAC which are not configured in endpoint still get authenticated

Hi,

Thanks. Then is the format presented by the ISAM 7360, in hex format 0xAABBCC..., the issue?

If so, is there a way in Aruba to match the MAC address in this hex format, or to convert the incoming format to the required format?

Thanks,

S.Muthukannan
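The root cause discussed in this thread, as an added Python example that is not part of the forum posts or of ClearPass itself: it normalises the Calling-Station-Id formats mentioned above (including the 0x octet-string form from the ISAM 7360) to the AA-BB-CC-DD-EE-FF form the replies describe, then shows why a default-allow enforcement profile still admits a client whose MAC never matched the endpoint repository. The repository contents and the colon/dotted sample values are constructed; the hex value is the one quoted in the thread.

```python
import re
from typing import Optional

# Constructed endpoint repository (stand-in for ClearPass Endpoints), keyed by the
# AA-BB-CC-DD-EE-FF form the thread says ClearPass expects.
ENDPOINT_REPOSITORY = {
    "00-11-22-33-44-55": "Known",
    "AA-BB-CC-DD-EE-FF": "Known",
}


def normalize_calling_station_id(value: str) -> Optional[str]:
    """Return a Calling-Station-Id as AA-BB-CC-DD-EE-FF, or None if it is not a MAC.

    Accepts hyphen, colon, dotted and bare-hex forms as well as the 0x-prefixed
    octet-string form the Nokia ISAM 7360 sends. Anything that does not decode to
    exactly six octets yields None, so the caller cannot mistake it for a lookup hit.
    """
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    digits = re.sub(r"[-:.]", "", v)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def enforce(calling_station_id: str, default_allow: bool) -> str:
    """Decide what a service with (or without) a permissive default profile would do.

    default_allow=True mirrors the 'default allow' profile in the thread: an endpoint
    that cannot be found is still admitted. default_allow=False is the safer setting.
    """
    mac = normalize_calling_station_id(calling_station_id)
    if mac is None:
        # The repository lookup cannot even be attempted; only the default profile decides.
        return "ALLOW:default-profile" if default_allow else "DENY:unparseable-calling-station-id"
    if mac in ENDPOINT_REPOSITORY:
        return "ALLOW:known-endpoint"
    return "ALLOW:default-profile" if default_allow else "DENY:unknown-endpoint"


if __name__ == "__main__":
    # Constructed samples plus the value quoted in the thread (only ten hex digits visible).
    for csid in ("00:11:22:33:44:55", "0x001122334455", "0011.2233.4455", "0x2545000002"):
        print(f"{csid:<20} -> {normalize_calling_station_id(csid)} / "
              f"{enforce(csid, True)} / {enforce(csid, False)}")
```

With the default-allow profile the unparseable 0x2545000002 value is admitted exactly as the original poster observed; with the profile set to deny, the same request is rejected and the reason is visible in the result string.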
