Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Clearpass 802.1X User Auth plus MAC Authz

This thread has been viewed 3 times

  • 1.  Clearpass 802.1X User Auth plus MAC Authz

    Posted Dec 12, 2019 03:48 PM

    Read a few topics here and still not quite able to get what I need working.

     

    I have Clearpass joined to AD and an 802.1X network authenticating via AD just fine.

     

    I have a mac_create.php portal where I can register a device and assign a role. Device goes into the Managed Devices. If I Mac auth this device the authorization attributes come through.

     

    What I'm trying to get to happen is a VLAN or role specification based on, I don't really care who the user who authenticates is, as long as they authenticate successfully, but then check the connecting device's MAC Address against the device repository for the device's appropriate role.

     

    I get a successful 802.1X user authentication but access tracker never shows the device's authz attributes, I assume because i'm authenticating a user not the device. Not really sure where I'm going wrong.

     

    I've tried using both AD and the guest device repository as authentication sources, but having the guest device repository in there seems to break my user auth, and having guest user, or guest device, or any of thsoe in authorization, again, i'm not pulling the device's authorization info during the auth.

     

    This is in an MM Based AOS 8 environment.

     

    Please help



  • 2.  RE: Clearpass 802.1X User Auth plus MAC Authz

    Posted Dec 12, 2019 03:58 PM
    Did you add the guest device repository as an authorization source ?

    Can you share your role mapping rules and enforcement policies?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Clearpass 802.1X User Auth plus MAC Authz

    Posted Dec 12, 2019 04:27 PM

    Yes I've added Guest Device Repo as both authen and as authorization separately.

     

    See attached images; under the access tracker under input, the guest device repository does not show attributes

     

     

     



  • 4.  RE: Clearpass 802.1X User Auth plus MAC Authz
    Best Answer

    Posted Dec 12, 2019 04:40 PM
    Change your role mapping to use [Guest Device Repository] = Role ID = “role id” = “Tips role” instead of GuestUser



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Clearpass 802.1X User Auth plus MAC Authz

    Posted Dec 12, 2019 05:32 PM

    I could've sworn I'd tried that. I'm wondering, though, why the information would not have shown up in access tracker under input having had the guest device repository listed? I would have thought I would have at least seen potential authorization information that I could've gleaned appropriate config parameters from. Is that incorrect?



  • 6.  RE: Clearpass 802.1X User Auth plus MAC Authz

    Posted Dec 12, 2019 08:59 PM

    The [Guest Roles] role mapping should be (GuestUser:Role ID  EQUALS  "role id") but when you define it in your 802.1X role mapping , you will need to use (Authorization:[Guest Device Repository]:Device Role ID  EQUALS  "role id")

     

    See below :

    2019-12-12 20_43_56-ClearPass Policy Manager - Aruba Networks.png2019-12-12 20_51_57-ClearPass Policy Manager - Aruba Networks.png2019-12-12 20_44_48-ClearPass Policy Manager - Aruba Networks.png