Mac-auth Wireless

Hi 

I have the following setup that I need help with please

I have a (wired) mac-auth service running that does the following:

It profiles end devices such as an AP. After the AP is profiled:

- A RADIUS reply with an HPE user-role is sent to the switch that has a matching local user role

- Within the user role I have specified the tagged and untagged VLANs needed for the Wi-Fi traffic and AP

Works well

 

The Wi-Fi is done via Aruba central including vlan and roles for Wi-Fi user (Mac-Auth for Guests)

Works well

 

Issue:

When I connect via the SSID through the 802.1X MAC-auth port, the wireless NIC of the end device also gets MAC authenticated and gets put into a user-role on the switch that prevents internet access.

 

Is there a way to only allow the wired NIC to get authenticated, and not the end device's wireless NIC, on that specific port on the switch where the AP is connected?

 

thank you

Re: Mac-auth Wireless

Your wireless client will be assigned a role in ClearPass when it's authenticated. Let's call this role CPPM_WIRELESS_AUTH_ROLE.

 

In your wired 802.1X service enforcement tab, you could select the "Use cached Roles and Posture attributes from previous sessions" option which would allow you to use the CPPM_WIRELESS_AUTH_ROLE role to apply enforcement.

 

For example, you could have an enforcement condition in your wired 802.1X service enforcement policy like the following:

 

TIPS:Role EQUALS CPPM_WIRELESS_AUTH_ROLE > Allow access 


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------
