mac auth

Hi all,
We just configured a new ClearPass 6.8 to do 802.1X and MAC auth (Cisco switches).
802.1X works fine with AD.
MAC auth works only if I first add the MAC manually to an identity source like a static host list.
I am looking for a way to do this:
allow all the MAC addresses (regardless of auth source) in the company via MAC auth for a period of time (a policy that permits any);
after a week, put all the MAC addresses in a static host list and use it as an authentication source;
from then on, new MAC addresses will be rejected.
Thanks,
Yoram

Re: mac auth

Is there a reason you need MAC auth for the devices doing 802.1X? MAC auth is not a strong security mechanism (a MAC can be spoofed easily) and is usually added as an option only for the devices that cannot do 802.1X, like old printers and scanners, or for providing guest access on "colorless" ports.

If you want to identify the device performing 802.1X, there are other options, like using machine auth in addition to user auth, or creating a custom attribute and checking against it.

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.

Re: mac auth

Hi,

The MAC auth is only for devices that do not support 802.1X.

On the Windows machines we use 802.1X with certificates.

Found the way: by using "Allow all MAC auth".

Thanks


Re: mac auth

Before performing any authentication, I first set up passive and active profiling on CPPM. This populates the endpoint database with all the devices on your network.

Then you can set those endpoints you want to allow access via MAC auth to "Known" devices, and then only allow Known devices onto the network.

The devices are also profiled, so you can use any of the profile and fingerprint information to further control access, e.g. if the device is a printer, put it in the "Printer" VLAN.

Regards,

Nigel
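The two-phase approach the thread describes (a learning window where every MAC is accepted and recorded, after which the learned set becomes the static host list / "Known" endpoints and anything else is rejected), as an added illustration that is not ClearPass code, not its API, and not anything posted in the thread. The record format and timestamps are constructed; `MacAllowlist`, `normalize_mac` and `run` are hypothetical names.

```python
"""Learning-window MAC allowlist modelled on the thread's two-phase idea.

Phase 1 (learning, one week in the original post): every MAC doing MAC auth is
accepted and recorded, like CPPM populating its endpoint database.
Phase 2 (enforcement): the learned set is the static host list; unknown MACs
are rejected. MAC auth remains spoofable, so a production policy would still
land such devices in a restricted VLAN rather than treat them as trusted.
All sample data below is constructed, not real ClearPass or switch output.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def normalize_mac(mac: str) -> str:
    """Canonicalise the colon, dash and Cisco dotted forms to aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAllowlist:
    learning_start: datetime
    learning_days: int = 7
    known: set = field(default_factory=set)   # the learned static host list

    def cutoff(self) -> datetime:
        return self.learning_start + timedelta(days=self.learning_days)

    def decide(self, mac: str, seen_at: datetime) -> str:
        mac = normalize_mac(mac)
        if seen_at < self.cutoff():
            self.known.add(mac)           # learning: "allow all MAC auth", record it
            return "ACCEPT"
        return "ACCEPT" if mac in self.known else "REJECT"   # enforcement


# Constructed MAC-auth events: (timestamp, MAC as the switch sent it).
SAMPLE_EVENTS = [
    ("2020-01-01 09:00", "00:11:22:33:44:55"),  # printer, inside learning week
    ("2020-01-02 10:30", "0011.2233.4466"),     # scanner, Cisco dotted form
    ("2020-01-09 08:00", "00-11-22-33-44-55"),  # same printer after cutoff
    ("2020-01-09 08:05", "aa:bb:cc:dd:ee:ff"),  # new, unlearned device
]


def run(events=SAMPLE_EVENTS, start="2020-01-01 00:00"):
    """Replay events through the allowlist; return decisions and the learned list."""
    allowlist = MacAllowlist(datetime.strptime(start, FMT))
    decisions = [(normalize_mac(mac), allowlist.decide(mac, datetime.strptime(ts, FMT)))
                 for ts, mac in events]
    return decisions, sorted(allowlist.known)
```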
