802.1X in loop

neoseason
Member
Posts: 4
Joined: 23 Apr 2025 11:03

802.1X in loop

Post by neoseason »

Hello,
I am trying to configure 802.1X and MAC authentication with ClearPass. I have followed the UNP tutorial.

! AAA:
aaa radius-server "CLEARPASS" host XXX.XXX.XXX hash-key "" hash-salt "" retransmit 3 timeout 10 auth-port 1812 acct-port 1813 vrf-name default
aaa device-authentication mac "CLEARPASS"
aaa device-authentication 802.1x "CLEARPASS"

aaa profile "CLEARPASS_AAA_PROF"
aaa profile "CLEARPASS_AAA_PROF" device-authentication 802.1x "CLEARPASS"
aaa profile "CLEARPASS_AAA_PROF" accounting 802.1x "CLEARPASS"
aaa profile "CLEARPASS_AAA_PROF" 802.1x re-authentication enable
aaa profile "CLEARPASS_AAA_PROF" radius mac-format calling-station-id delimiter none case lowercase

! DA-UNP:
unp dynamic-vlan-configuration
unp dynamic-profile-configuration
unp profile "GENOVA-FULL"
unp profile "GENOVA-USER"
unp profile "GENOVA-GUEST"
unp profile "GENOVA-FULL" map vlan 1
unp profile "GENOVA-USER" map vlan 1
unp profile "GENOVA-GUEST" map vlan 1

unp port 1/1/7-8 port-type bridge
unp port 1/1/7-8 direction both dynamic-service none
unp port 1/1/7-8 admin-state enable
unp port 1/1/7-8 802.1x-authentication
unp port 1/1/7-8 802.1x-authentication failure-policy mac
unp port 1/1/7-8 mac-authentication

MAC auth works as expected, but 802.1X does not. I can see this behaviour:

-> show unp user details
Port: 1/1/7
MAC-Address: 54:b2:03:85:95:1f
SAP = -,
Service ID = -,
VNID = -,
VPNID = -,
ISID = -,
VPLSID = -,
Access Timestamp = 01/01/1970 00:32:05,
User Name = [*******],
IP-Address = 172.19.52.12,
Vlan = 1,
Authentication Type = 802.1x,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 192.168.152.112,
Authentication Server Used = CLEARPASS,
Server Reply-Message = -,
Profile = GENOVA-USER,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = GENOVA-USER,
Session Timeout = 0,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -,
Rule ID = -,

Total users : 1

-> show unp user details
Port: 1/1/7
MAC-Address: 54:b2:03:85:95:1f
SAP = -,
Service ID = -,
VNID = -,
VPNID = -,
ISID = -,
VPLSID = -,
Access Timestamp = ,
User Name = 54:b2:03:85:95:1f,
IP-Address = 172.19.52.12,
Vlan = 1,
Authentication Type = -,
Authentication Status = -,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = -,
Authentication Server Used = -,
Server Reply-Message = -,
Profile = -,
Profile Source = -,
Profile From Auth Server = -,
Session Timeout = -,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = -,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = -,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -,
Rule ID = -,

These outputs were taken 1 sec apart. On my NAS I can see the Access-Accept and the Filter-Id correctly sent, but this process repeats every second. The authentication status passes from in progress to active, then to in progress again.

My supplicant uses EAP-PEAP (without certificate) and I use the same UNP profile for MAC auth. I really don't understand why there is this kind of loop.

I have also tried to create a port template, but it broke MAC auth and had the same behaviour on 802.....
unp port-template "CPPM-PORT-TEMPLATE" redirect-port-bounce direction both aaa-profile "CLEARPASS_AAA_PROF" ap-mode secure admin-state enable
unp port-template "CPPM-PORT-TEMPLATE" 802.1x-authentication
unp port-template "CPPM-PORT-TEMPLATE" 802.1x-authentication failure-policy mac
unp port-template "CPPM-PORT-TEMPLATE" mac-authentication

This switch has version 8.10.102.R01.

I have also tested the RADIUS response:
-> aaa test-radius-server CLEARPASS type authentication user dummyuser password password method pap
Testing Radius Server <192.168.152.112/CLEARPASS>
Access-Accept from 192.168.152.112 Port 1812 Time: 344 ms
Returned Attributes
Filter-ID = GENOVA-FULL

Any ideas?
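Added example, not part of this thread: a small Python script that parses consecutive `show unp user details` snapshots in the format shown above and reports a MAC whose Authentication Status flips between snapshots taken seconds apart, which is the pattern of the re-authentication loop described here. The snapshot text is constructed sample data, not captured from the real switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots of "show unp user details" taken one second apart: the
# same MAC is Authenticated, then has no state, then is Authenticated again.
SNAPSHOTS: List[Tuple[int, str]] = [
    (0, "Port: 1/1/7\nMAC-Address: 54:b2:03:85:95:1f\n"
        "Authentication Type = 802.1x,\nAuthentication Status = Authenticated,\n"),
    (1, "Port: 1/1/7\nMAC-Address: 54:b2:03:85:95:1f\n"
        "Authentication Type = -,\nAuthentication Status = -,\n"),
    (2, "Port: 1/1/7\nMAC-Address: 54:b2:03:85:95:1f\n"
        "Authentication Type = 802.1x,\nAuthentication Status = Authenticated,\n"),
]

# "Field = value," lines; the trailing comma is optional so the last line parses too.
KEY_VALUE = re.compile(r"^\s*([\w\- ]+?)\s*=\s*(.*?),?\s*$")

def parse_unp_users(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one snapshot into {mac: {field: value}}. Port/MAC lines use ':'."""
    users: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Port:"):
            current = {"Port": line.split(":", 1)[1].strip()}
        elif line.startswith("MAC-Address:"):
            mac = line.split(":", 1)[1].strip().lower()
            current["MAC-Address"] = mac
            users[mac] = current
        else:
            m = KEY_VALUE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return users

def detect_auth_flaps(snapshots, window_s: int = 5) -> List[str]:
    """Report MACs whose Authentication Status changes between snapshots
    taken within window_s seconds; repeated entries indicate a re-auth loop."""
    history: Dict[str, List[Tuple[int, str, str]]] = {}
    for ts, text in snapshots:
        for mac, f in parse_unp_users(text).items():
            history.setdefault(mac, []).append(
                (ts, f["Port"], f.get("Authentication Status", "-")))
    alerts: List[str] = []
    for mac, entries in history.items():
        entries.sort()
        for (t0, _, s0), (t1, port, s1) in zip(entries, entries[1:]):
            if s0 != s1 and t1 - t0 <= window_s:
                alerts.append(f"{mac} on {port}: {s0} -> {s1} after {t1 - t0}s")
    return alerts
```

Feed it the real snapshots (one string per `show unp user details` run, with the capture time) and a MAC that keeps appearing in the alerts is the one stuck in the loop.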
silvio
Alcatel Unleashed Certified Guru
Posts: 2087
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1X in loop

Post by silvio »

I think I have read about such things in the KB from ALE, solved with a newer software release. So my first idea would be to test the same with the current release again. We are waiting for 8.10R3 (R2 is still the current one).
neoseason
Member
Posts: 4
Joined: 23 Apr 2025 11:03

Re: 802.1X in loop

Post by neoseason »

I had the same problem with the 8.8.xxx version (sorry, I don't remember the exact build). I already updated to 8.10 this afternoon...
silvio
Alcatel Unleashed Certified Guru
Posts: 2087
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1X in loop

Post by silvio »

I have found the KB article:

Analysis:
The IP phone is initially authenticated via 802.1X to the voice VLAN and functions properly for a week. Suddenly, the IP phone sends an EAPOL packet to the switch. According to standard procedure, the switch will honour the EAPOL packet and start the authentication process. ClearPass then sends an authentication success message, which is received by the switch. However, once this success message is received, the switch sends a failure message because the same IP phone MAC address has already been learned in the voice VLAN. This led the phone to start the reauthentication.

When the phone initiates authentication, it also sends an LLDP packet, which triggers MAC authentication in the switch during the 802.1X process. This causes the switch to send an auth failure for the IP phone's 802.1X session, which leads to an authentication loop.

Solution:
A fix is provided to honor the 802.1X process and not to initiate MAC authentication until the 802.1X process is complete. The fix is available in 8.10.R03.

So you have to wait some days for this very new release :)

BR Silvio
neoseason
Member
Posts: 4
Joined: 23 Apr 2025 11:03

Re: 802.1X in loop

Post by neoseason »

It seems not to be related to my case because the supplicant is a Windows 11 device. By the way, I didn't try to leave only 802.1X and disable MAC authentication. Meanwhile, I have raised a TAC case with support. I hope I won't need to wait for a further software release :?
neoseason
Member
Posts: 4
Joined: 23 Apr 2025 11:03

Re: 802.1X in loop

Post by neoseason »

I have a few updates.

I have opened a TAC case with support and, after a very long time, it seems that there is a problem with VLAN 1. My customer has a very simple network where the management and production VLANs are the same, and this VLAN is 1... Not secure, not flexible, poorly configured, but it is what it is: I found it this way and I don't think I can change it all.

By the way, after a very deep analysis:

"It appears that there is a loop in vlan-1, because of which we see that the packet is looped back, causing issues with 802.1x.
As discussed, the user is assigned to vlan-1 after successful authentication on port 1/1/10. The same user MAC address is then learnt from the uplink 1/1/4. This is a mac-move, and the switch sends an EAP-Failure to the client. When the client receives the EAP-Failure it restarts the authentication, and thus the process keeps repeating."

Hmm... I really don't understand how a switch can learn a MAC connected on its own port from the uplink port. What have I missed?
silvio
Alcatel Unleashed Certified Guru
Posts: 2087
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1X in loop

Post by silvio »

If there is still a loop between two or more switches, then there is a mac-move between both ports: the access port to the client and the uplink.
If you haven't found the loop yet, and because of the bad design, you should enable loopback detection on all access ports (not on the known uplinks between the switches). Also enable LBD for remote-origin on the same ports, and set the transmission timer to 5. All of this on all switches too.
That way you can see the violation and find the loop, and you protect the network against new loops.

BR Silvio