Wired Intelligent Edge


Switch 802.1x mac address clone

  • 1.  Switch 802.1x mac address clone

    Posted Apr 18, 2019 09:05 AM

    Hi All,


    I tested some scenarios for 802.1X with EAP-TLS authentication on an ArubaOS (Aruba 2530-8G) switch.

    In the network topology there is one ArubaOS switch, one ClearPass, one unmanaged switch (or IP phone), and two clients. One client has a valid certificate and the other does not.

    I connected an unmanaged switch to the switch port and connected the notebook to the unmanaged switch. On the ArubaOS switch there is a user-based 802.1X configuration.

    I successfully authenticated with my certificate and got the proper network access. But if I clone the authenticated notebook's wired MAC address to the other notebook, unplug the cable from the authenticated notebook and plug it into the other notebook (which now has the same MAC address as the notebook with the valid certificate), I have access to the network without any certificate or authentication.

    I know that the switch creates a session for each device based on the device's MAC address.

    Is there any solution about this?


    Thanks, David



  • 2.  RE: Switch 802.1x mac address clone

    Posted Apr 18, 2019 09:13 AM
    This is indeed because the switch will 'whitelist' the traffic based on the device MAC address.
    Currently there is no solution for this issue.

    Maybe in the future, if the major OS vendors support MACsec together with 802.1X.


  • 3.  RE: Switch 802.1x mac address clone

    EMPLOYEE
    Posted Apr 19, 2019 04:24 AM

    Some phones support an 'EAP-Logoff' feature that sends a logoff over the 'internet' port as soon as the PC port is disconnected. The fundamental problem lies in the fact that wired 802.1X, unlike WPA2-Enterprise on wireless, doesn't have encryption linked to the authentication. Other mitigating controls, besides the EAP-Logoff, to reduce the impact are to tune your reauthentication timers such that a rogue client is disconnected after a certain amount of time, as well as to configure profiling on ClearPass and trigger a reauthentication as soon as a change in fingerprint happens.
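The profiling-based mitigation from the reply above, as an added example that is not part of the original thread and not ClearPass's own code: it replays constructed profiler events and flags a MAC whose device fingerprint changes mid-session, which is the condition on which a reauthentication would be triggered. The event fields (DHCP option 55 list, hostname) and all sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileEvent:
    """What a profiler sees for a MAC after it authenticated (constructed fields)."""
    ts: int            # seconds since the session started
    mac: str           # client MAC as the switch reports it
    port: str          # switch port the MAC was learned on
    dhcp_opt55: tuple  # DHCP parameter request list, a common OS fingerprint
    hostname: str      # hostname from DHCP option 12


def fingerprint(ev: ProfileEvent) -> tuple:
    """Attributes whose change should be treated as 'a different device'."""
    return (ev.dhcp_opt55, ev.hostname)


def detect_fingerprint_changes(events):
    """Return one (mac, port, ts, old_fp, new_fp) alert per mid-session change.

    The baseline for a MAC is the first fingerprint seen; after an alert it is
    reset, because the reauthentication this triggers decides whether the new
    device (which must present its own certificate) may stay.
    """
    baseline, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        fp = fingerprint(ev)
        seen = baseline.get(ev.mac)
        if seen is not None and seen != fp:
            alerts.append((ev.mac, ev.port, ev.ts, seen, fp))
        baseline[ev.mac] = fp
    return alerts


# Constructed sample: the notebook with the valid certificate, then a different
# machine on the same port with the same MAC (option 55 and hostname differ).
VALID_FP = (1, 3, 6, 15, 31, 33, 43)
SAMPLE_EVENTS = [
    ProfileEvent(10, "00:11:22:33:44:55", "1/3", VALID_FP, "nb-valid"),
    ProfileEvent(70, "00:11:22:33:44:55", "1/3", VALID_FP, "nb-valid"),
    ProfileEvent(400, "00:11:22:33:44:55", "1/3", (1, 2, 3, 6, 12, 15, 26), "nb-other"),
    ProfileEvent(450, "66:77:88:99:aa:bb", "1/4", VALID_FP, "ip-phone"),
]

if __name__ == "__main__":
    for mac, port, ts, old, new in detect_fingerprint_changes(SAMPLE_EVENTS):
        print(f"t={ts}s port {port} {mac}: fingerprint {old} -> {new}; trigger reauth")
```

The reauthentication timer remains the backstop for a clone that keeps the original device's fingerprint, since this check only reacts to a visible change.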