Occasional Contributor II

Re: Native supplicant to use MAB

OK, thanks a lot.

 

We have both Cisco and HPE switches.

MVP

Re: Native supplicant to use MAB

On your Windows client you can allow unauthenticated access in the 802.1X settings. When 802.1X fails, Windows allows access, and its MAC address will be sent to the NAS. In fact there is first an 802.1X request; after this fails, Windows sends a MAC request. Both authentications can be placed in different VLANs.

 

(Attachment: Capture.JPG)

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful? Kudos are welcome.
Guru Elite

Re: Native supplicant to use MAB

This simply allows access in the fallback VLAN. Supplicants have no control over MAC auth.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Native supplicant to use MAB

Thanks.

 

I was wondering what the below command on a Cisco switch will do:

 

authentication event fail action next-method

 

 

Occasional Contributor II

Re: Native supplicant to use MAB

Thanks Marcel. I have only one VLAN on the port. So does making the changes in the LAN card settings make the supplicant go for MAC authentication bypass if dot1x fails?
Occasional Contributor II

Re: Native supplicant to use MAB

I checked with Cisco and they said to enable the same settings on the supplicant as mentioned by Marcel, plus the below command is needed on the switch:

authentication event fail action next-method

After that, if dot1x fails, the supplicant will switch to MAB.

I don't know of any corresponding command in HPE.

Does anyone have any idea?
Guru Elite

Re: Native supplicant to use MAB

I don't know of a way to do that on HPE Comware. You may want to ask in the switching forum.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
MVP

Re: Native supplicant to use MAB

My HPE 5130 (Comware 7) looks like this.

 

#
 dot1x authentication-method eap
 dot1x quiet-period
 dot1x retry 1
 dot1x timer quiet-period 10
 dot1x timer tx-period 10
#
 port-security enable
#
interface GigabitEthernet1/0/2
 description "default edge interface"
 port access vlan 2
 broadcast-suppression 40
 multicast-suppression 60
 stp edged-port
 poe enable
 undo dot1x handshake
 dot1x mandatory-domain yourdomain.com
 undo dot1x multicast-trigger
 port-security port-mode userlogin-secure-or-mac-ext
 loopback-detection enable vlan 2
 loopback-detection action shutdown
#
radius scheme cppm
 primary authentication "cppmpublisher-ip"
 primary accounting "cppmpublisher-ip"
 secondary authentication "cppmsubscriber-ip"
 secondary accounting "cppmsubscriber-ip"
 accounting-on enable
 key authentication cipher "key"
 key accounting cipher "key"
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain yourdomain.com
 authentication lan-access radius-scheme cppm local
 authorization lan-access radius-scheme cppm
 accounting lan-access radius-scheme cppm
 authentication default radius-scheme cppm local
 authorization default radius-scheme cppm local
 accounting default radius-scheme cppm local
#
Kind Regards Marcel Koedijk
MVP

Re: Native supplicant to use MAB

But it is best to use a different VLAN when MAC auth takes place, else your 802.1X authentication doesn't make a lot of sense anymore.

 

802.1X > corporate VLAN

MAC auth > quarantine VLAN (with restrictions)

 

If MAC auth ends up in the same VLAN as your 802.1X, it isn't really safe.

Kind Regards Marcel Koedijk
Contributor II

Re: Native supplicant to use MAB

Comware switches can be configured with parallel processing for MAC auth and dot1x; you can add a delay timer if you would like. See a copy of the documentation here:

 

About parallel processing of MAC authentication and 802.1X authentication

By default a port processes MAC authentication only after 802.1X authentication has finished. This feature enables the port to process MAC authentication in parallel with 802.1X authentication.

Make sure the port meets the following requirements:

  • The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.

  • The port is enabled with the 802.1X unicast trigger.

When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN.

  • If 802.1X authentication fails, the MAC authentication result takes effect.

  • If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.

The process sequence of 802.1X authentication and MAC authentication is configurable in other ways. For example, for the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN, enable new MAC-triggered 802.1X guest VLAN assignment delay. For information about new MAC-triggered 802.1X guest VLAN assignment delay, see "Configuring 802.1X."

Restrictions and guidelines

To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:

  • Enable the 802.1X and MAC authentication features separately on the port.

  • Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.

    For information about port security mode configuration, see "Configuring port security."

For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.

Procedure
  1. Enter system view.

    system-view

  2. Enter interface view.

    interface interface-type interface-number

  3. Enable parallel processing of MAC authentication and 802.1X authentication on the port.

    mac-authentication parallel-with-dot1x

    By default, this feature is disabled.

----------Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE----------
Feel free to give kudos or accept as a solution!
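Pulling the documented procedure together with the port-security mode from Marcel's 5130 config, an edge port that runs MAC authentication in parallel with 802.1X on Comware 7 could look like the following. This is an added example, not configuration from any poster or from HPE; the interface, VLAN and domain names are assumptions, and the lines beginning with `#` followed by text are explanatory comments rather than commands.

```text
# HPE Comware 7, added example; interface, VLAN and domain names are assumed
port-security enable
#
interface GigabitEthernet1/0/2
 port access vlan 2
 stp edged-port
 # 802.1X and MAC auth on one port, MAC-based access control (doc requirement 1)
 port-security port-mode userlogin-secure-or-mac-ext
 # the unicast trigger is required for parallel processing (doc requirement 2);
 # the multicast trigger is not needed for it
 dot1x unicast-trigger
 undo dot1x multicast-trigger
 dot1x mandatory-domain yourdomain.com
 mac-authentication domain yourdomain.com
 # leave MAC authentication delay at its default (disabled); enabling it would
 # push MAC auth back behind the 802.1X attempt and defeat the feature
 mac-authentication parallel-with-dot1x
```

With this in place a new MAC on the port gets a unicast EAP-Request/Identity and a MAC authentication request at the same time. The VLAN the MAC-authenticated session is put in is the MAC authentication authorization VLAN returned by the RADIUS server, which is where Marcel's quarantine VLAN belongs; if the supplicant then completes 802.1X successfully, the 802.1X result replaces it, and if 802.1X fails the MAC authentication result stays in effect, as the documentation states.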