Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

unauthorized users have network access due to switch fail-open

  • 1.  unauthorized users have network access due to switch fail-open

    Posted Apr 02, 2017 03:42 AM

    I configured the switch to fail open if communication with CPPM is lost, but because of this setting unauthorized users have access to the network.

    If someone has 802.1X enabled on his adapter and connects his PC to the network, the connected switch port will start looking for the authentication server, but since authentication will fail for this user, and due to the "fail-open" action on the switch port, the port will be assigned to the data VLAN and he will have network access.

     

    So is this the expected logic, or must it be set up in a different way?



  • 2.  RE: unauthorized users have network access due to switch fail-open

    EMPLOYEE
    Posted Apr 02, 2017 08:30 AM
    What type of switch?


  • 3.  RE: unauthorized users have network access due to switch fail-open

    Posted Apr 02, 2017 08:50 AM

    We have Juniper switches with the port settings below:


    set protocols dot1x authenticator interface ge-0/0/31.0 supplicant multiple
    set protocols dot1x authenticator interface ge-0/0/31.0 transmit-period 5
    set protocols dot1x authenticator interface ge-0/0/31.0 mac-radius
    set protocols dot1x authenticator interface ge-0/0/31.0 reauthentication 86000
    set protocols dot1x authenticator interface ge-0/0/31.0 server-timeout 3
    set protocols dot1x authenticator interface ge-0/0/31.0 maximum-requests 3
    set protocols dot1x authenticator interface ge-0/0/31.0 server-reject-vlan Quarantine-VLAN
    set protocols dot1x authenticator interface ge-0/0/31.0 server-fail permit

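    The port configuration above contains two separate knobs that decide what happens to a client: server-reject-vlan handles an Access-Reject from the RADIUS server, while server-fail handles the case where no RADIUS server answers at all. As an added illustration (not code from the thread or from Juniper), the following Python script parses set-style Junos dot1x lines like the ones posted, groups them per interface and reports which ports fall open when the server is unreachable. The sample configuration embedded in the script is constructed: the first port copies the thread's settings, the second port (ge-0/0/32.0) is an assumed comparison port using server-fail use-cache. The default of deny for an unset server-fail follows the Junos default.

```python
"""Audit Junos 802.1X port settings for fail-open behaviour.

Added example, not part of the forum thread. Parses 'set protocols dot1x
authenticator interface ...' statements and reports, per port, what happens
to a client when RADIUS rejects it versus when RADIUS does not answer.
"""
import re
from typing import Dict, List

# Constructed sample. ge-0/0/31.0 mirrors the configuration quoted in the
# thread; ge-0/0/32.0 is an assumed comparison port with server-fail use-cache.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator interface ge-0/0/31.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/31.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/31.0 server-reject-vlan Quarantine-VLAN
set protocols dot1x authenticator interface ge-0/0/31.0 server-fail permit
set protocols dot1x authenticator interface ge-0/0/32.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/32.0 server-reject-vlan Quarantine-VLAN
set protocols dot1x authenticator interface ge-0/0/32.0 server-fail use-cache
"""

# One 'set' statement: interface name, knob, optional value.
LINE_RE = re.compile(
    r"^set protocols dot1x authenticator interface (?P<ifname>\S+) "
    r"(?P<knob>\S+)(?: (?P<value>.+))?$"
)


def parse_dot1x(config: str) -> Dict[str, Dict[str, str]]:
    """Group dot1x knobs by interface, e.g. {'ge-0/0/31.0': {'server-fail': 'permit'}}.
    Flag-style knobs without a value (mac-radius) are stored as an empty string."""
    ports: Dict[str, Dict[str, str]] = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not a dot1x interface statement; ignore
        ports.setdefault(m["ifname"], {})[m["knob"]] = m["value"] or ""
    return ports


def describe_port(settings: Dict[str, str]) -> Dict[str, object]:
    """Describe the outcome for a client on one port.

    on_reject      : where an Access-Reject puts the client (server-reject-vlan)
    on_server_down : where a RADIUS timeout puts the client (server-fail);
                     a request the server silently drops looks like a timeout
    fail_open      : True when server-fail permit grants the port's data VLAN
    """
    reject_vlan = settings.get("server-reject-vlan")
    server_fail = settings.get("server-fail", "deny")  # Junos default: deny
    if server_fail == "permit":
        on_down = "data VLAN (fail-open)"
    elif server_fail == "deny":
        on_down = "blocked"
    elif server_fail == "use-cache":
        on_down = "previously authenticated clients keep access; new clients blocked"
    elif server_fail.startswith("vlan-name "):
        on_down = "VLAN " + server_fail.split(" ", 1)[1]
    else:
        on_down = "unknown (" + server_fail + ")"
    return {
        "on_reject": "VLAN " + reject_vlan if reject_vlan else "blocked",
        "on_server_down": on_down,
        "fail_open": server_fail == "permit",
    }


def fail_open_ports(config: str) -> List[str]:
    """Return the sorted list of interfaces configured with server-fail permit."""
    return sorted(
        name for name, settings in parse_dot1x(config).items()
        if describe_port(settings)["fail_open"]
    )


if __name__ == "__main__":
    for name, settings in parse_dot1x(SAMPLE_CONFIG).items():
        info = describe_port(settings)
        print(f"{name}: on reject -> {info['on_reject']}; "
              f"on server down -> {info['on_server_down']}")
    print("fail-open ports:", fail_open_ports(SAMPLE_CONFIG))
```

    Running the script against the sample lists ge-0/0/31.0 as the only fail-open port; the same parser can be pointed at the output of `show configuration | display set` to review every access port at once.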


  • 4.  RE: unauthorized users have network access due to switch fail-open

    Posted Apr 02, 2017 09:01 AM

    When a guest ("unauthorized") who has .1X enabled on the adapter connects to a switch port, I can see in the CPPM logs that a deny-access message is sent to the switch, but the switch port dot1x logs show that the port inherited the switch port "fail-open" action.



  • 5.  RE: unauthorized users have network access due to switch fail-open

    Posted Apr 02, 2017 10:20 AM

    Is this controlled through ClearPass, or is it totally related to the switch?

    If it's related to ClearPass, then will interchanging the reject and drop actions for the unauthorized users make a difference?



  • 6.  RE: unauthorized users have network access due to switch fail-open

    EMPLOYEE
    Posted Apr 02, 2017 10:24 AM
    It's a switch configuration.


  • 7.  RE: unauthorized users have network access due to switch fail-open

    Posted Apr 10, 2017 02:51 AM

    Hi,

     

    Configure 802.1X with MAB authentication and set a deny role as the default for the MAC auth policy. With the above configuration the switch will attempt to authenticate the client with 802.1X, and if the client does not have 802.1X configured it will fall back to MAC auth, so CPPM will assign the deny role as per policy. If the CPPM connection to the NAD is lost, the switch will assign the fail-open VLAN to the client.

     

    Regards,

    Milind Yashwantrao