Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass MAC-based authentication Intercom device

  • 1.  Clearpass MAC-based authentication Intercom device

    Posted 19 days ago
    Hi everyone,
     
    I'm encountering an issue that some of you might have faced, and I'm hoping to find a solution here.
    We have an Intercom device connected to an Aruba 2930F switch with MAC-based authentication enabled on the port.
    The device has two components: the intercom (voice) and a camera. 
     
    When I disable authentication on the port, both MAC addresses for the intercom and the camera appear, and everything works fine, untagged port.
    However, when I enable authentication, only the MAC address for the voice part is seen after authentication completes.
    Consequently, the camera doesn't work when we initiate a call (which redirects to a handheld device where we should see the camera feed).
    An authentication request for the camera's MAC address appears after some time, indicating it has been authenticated.
     
    I suspect the camera keeps shutting down, preventing it from being authenticated in time.
    When we initiate a call, the camera seems to connect and communicate, but it is not active all the time, and the authentication process for the camera takes too long, it seems.
     
    Has anyone experienced a similar problem? If so, how did you resolve it?
     
    Thanks in advance for your help!
     
    port configuration:
       aaa port-access authenticator client-limit 32
       aaa port-access mac-based unauth-period 30
       aaa port-access mac-based unauth-vid 5
       aaa port-access auth-order authenticator mac-based
       aaa port-access auth-priority authenticator mac-based
     
    Role configuration:
     User Role Information
     
       Name                              : *DUR_role-name-3060-3
       Reauthentication Period (seconds) : 0
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 0
       Untagged VLAN                     : 70
       Tagged VLANs                      :                                                        
       Captive Portal Profile            : 
       Policy                            : 
       Secondary Role Name               : 
       Device Attributes                 : Enabled
         PoE Allocation By Class         : Disabled
         PoE Priority                    : low
         Admin-edge-port                 : Enabled
         Port-mode                       : Disabled


  • 2.  RE: Clearpass MAC-based authentication Intercom device

    Posted 15 days ago

    Hi

    Yes, I have seen similar issues on the same type of device. The results have been a bit inconsistent, depending on hardware version, I guess. For my customers we have been running with Downloadable User Roles (DUR) on the switch. For one type of device I solved the issue by setting the voice MAC address in a specific role and, in the DUR, configuring the port with port mode enabled, this way allowing the video MAC address to access the network without further authentication.

    But in other cases I have been forced to make an exception from the authentication on the given port, as there is no MAC address presented on the port if authentication is enabled.

    From my experience, this type of device, some key safes and very quiet printers are among the hardest to get to work with authentication on the switch port.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------