Contributor I

Why MAC authentication request from dot1x enabled machine

Hi,

We have enabled dot1x settings through Group Policy on Windows machines, and both Machine and User authentication are working fine. We have added the profile "Update endpoint as Known" and are adding the attribute Domain-machine=yes for machine-authenticated devices. Sometimes we are observing MAC authentication requests from dot1x enabled machines, and in the RADIUS request we can see Domain-machine=Yes and Known endpoint. Why this behaviour for dot1x enabled machines? Please suggest any changes required.

Thanks,

Yugandhar.

MVP Guru

Re: Why MAC authentication request from dot1x enabled machine

That is normal if you enabled both 802.1X and MAC authentication on the same port. Depending on the switch brand, type, and configuration, you will see either:

- a MAC authentication

- an 802.1X authentication

- a MAC authentication and after that an 802.1X authentication

- an 802.1X authentication and if there is no response from the client a MAC authentication

- a MAC and an 802.1X authentication at the same time

The ArubaOS switches will, by default, if both MAC and 802.1X (authenticator) are configured on the same port, fire both simultaneously; if the 802.1X succeeds, that will take precedence and the MAC authentication result is ignored.

Please note that a client does not take any action in triggering a MAC authentication. If the switch sees a new MAC address, the switch will trigger the authentication. That is why there is no support needed for MAC authentication on the client side, and the MAC auth method works for any type of device as a fallback for 802.1X.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I

Re: Why MAC authentication request from dot1x enabled machine

Hi Robers, thank you for your response. We are using Juniper EX switches, and as per Juniper, it will first try 802.1X and, if that fails, will then try MAC RADIUS authentication. Below is the statement from the Juniper article.

"You can configure both 802.1X and MAC RADIUS authentication methods on the interface. In this case, the switch first attempts to authenticate using 802.1X, and if that method fails, it attempts to authenticate the end device using MAC RADIUS authentication."

My question is: if the endpoint is dot1x capable and has already authenticated using 802.1X, why does it later try MAC authentication? That I am not able to understand.

Is it because the machine is in sleep mode or anything else?

Thanks,

Yugandhar.

MVP Guru

Re: Why MAC authentication request from dot1x enabled machine

There are some possible explanations, the most likely being that the 802.1X supplicant on the client is not responding. That could be, for example, during boot: if the system is trying to use the network before the supplicant is active, you can get into that situation, for example if your PC tries to do a PXE network boot. Systems in sleep may indeed also result in that situation. Most switches will return to 802.1X as soon as the client starts to initiate authentication. If you really want to know, you will probably need to correlate the logs from your client and switch/ClearPass/RADIUS; there is a good chance you will find that the system is booting or that it has something to do with sleep mode.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
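One way to do that correlation, as an added example that is not part of this thread: it parses constructed RADIUS and client-event records (the line format, the event names and the `domain_machine=Yes` marker are assumptions mirroring the endpoint attribute described in the question) and, for each MAC-auth request from a known domain machine, reports the client event that preceded it and whether 802.1X succeeded shortly after.

```python
from datetime import datetime, timedelta

# Constructed sample logs; the "<ISO time> key=value ..." format is an
# assumption, not real ClearPass or Juniper output.
RADIUS_LOG = """\
2024-03-01T08:00:02 mac=aa:bb:cc:dd:ee:01 method=802.1X result=ACCEPT domain_machine=Yes
2024-03-01T12:30:10 mac=aa:bb:cc:dd:ee:01 method=MAC result=ACCEPT domain_machine=Yes
2024-03-01T12:30:25 mac=aa:bb:cc:dd:ee:01 method=802.1X result=ACCEPT domain_machine=Yes
2024-03-01T13:00:00 mac=aa:bb:cc:dd:ee:02 method=MAC result=ACCEPT domain_machine=Yes
"""
CLIENT_LOG = """\
2024-03-01T12:29:50 mac=aa:bb:cc:dd:ee:01 event=resume
"""


def parse_log(text):
    """Turn 'time key=value ...' lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(None, 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        rec["time"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def explain_mac_auths(radius_text, client_text, window=timedelta(minutes=5)):
    """For each MAC-auth request from a known domain machine, find the last
    client event (boot/sleep/resume/rdp) inside the window before it and
    whether an 802.1X ACCEPT for the same MAC followed inside the window
    (i.e. the supplicant came back and the switch returned to 802.1X)."""
    radius, client = parse_log(radius_text), parse_log(client_text)
    findings = []
    for req in radius:
        if req["method"] != "MAC" or req.get("domain_machine") != "Yes":
            continue
        causes = [c["event"] for c in client if c["mac"] == req["mac"]
                  and req["time"] - window <= c["time"] <= req["time"]]
        recovered = any(r["mac"] == req["mac"] and r["method"] == "802.1X"
                        and r["result"] == "ACCEPT"
                        and req["time"] < r["time"] <= req["time"] + window
                        for r in radius)
        findings.append({"time": req["time"].isoformat(), "mac": req["mac"],
                         "cause": causes[-1] if causes else None,
                         "dot1x_recovered": recovered})
    return findings


if __name__ == "__main__":
    for finding in explain_mac_auths(RADIUS_LOG, CLIENT_LOG):
        print(finding)  # a None cause with no recovery is worth a closer look
```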
Contributor I

Re: Why MAC authentication request from dot1x enabled machine

Hi Robers, I observed the below behavior regarding MAC authentication requests from a dot1x enabled machine. Whenever the connected machine is accessed remotely, i.e. via RDP, the machine tries MAC authentication, and also when the machine is in an idle or sleep condition. Is it normal behavior, and do we need any additional configuration to avoid this behavior? Please suggest.

Thanks,

Yugandhar.