To catch you up to speed quickly, I have a six-part blog series that will show you how to set up the CL 3.7.5 campus design feature: Multi-Domain Authentication. 

We’ll cover it all: Wired 802.1X Authentication using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE, Wired MAC Authentication using Cisco ISE, and Multi-Domain Authentication using Cisco ISE.

In the last blog, I showed you how to enable wired 802.1X authentication in Cumulus Linux 3.7.5+ using Aruba ClearPass 6.7.x. In this second guide, I’ll be sharing how to enable wired MAC Authentication in Cumulus Linux 3.7.5+ using Aruba ClearPass 6.7.x.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Aruba ClearPass.

Aruba ClearPass Configuration:

1. Add the Cumulus Switch to ClearPass

First, we are going to add this specific Cumulus Network switch to ClearPass. Go to the following:

Configuration > Network > Devices. Click “+Add” in the top right-hand corner.

Fill in the appropriate IP Address, Description, and Shared Secret. For simplicity’s sake, set the “Vendor Name” to “Cisco.”

2. Adding the Cumulus Switch to a Device Group

Configuration > Network > Device Groups. Click “+Add” in the top right-hand corner.

We are going to move the “Cumulus OOB SW” from the left-hand, “Available Devices” column, over to the “Selected Devices” column.

Click the “Save” button.

All future Cumulus switches can be added to this Device Group and will inherit all of the upcoming configuration elements.

3. Add a Dynamic VLAN Enforcement Profile

Configuration > Enforcement > Profiles. Click “+Add” in the top right-hand corner.

On the “Profile” tab, select “VLAN Enforcement” from the “Template” drop down.

On the “Attributes” tab, click the “Enter VLAN” text and enter the numeric value for a VLAN on the switch.

Here, I added the value “36” as the “Tunnel-Private-Group-Id.”

4. Add an Enforcement Policy

Configuration > Enforcement > Policies. Click “+Add” in the top right-hand corner.

Select “RADIUS” as the “Enforcement Type.”

Select “[Deny Access Profile]” as the “Default Profile” from the drop-down menu.

On the “Rules” tab, we are going to create a specific rule for the VoIP phone with the Dynamic VLAN.

Set the following:

  • Type = “Authentication”
  • Name = “Username”
  • Operator = “EQUALS_IGNORE_CASE”
  • Value = <Wired MAC Address of Device>

A MAC Authenticated device will use its MAC Address as the username for the connection.

Under the “Profile Names”, select the “PoC – Cumulus Dynamic VLAN 36” that was created in the previous step.

Click the “Save” button in the bottom right-hand corner.

The Enforcement Policy should look like the above. Click the “Save” button in the bottom right-hand corner to continue.

5. Adding a wired MAC Authentication Service

Configuration > Service. Click “+Add” in the top right-hand corner.

Set the following:

  • Type Dropdown = “MAC Authentication”
  • Name = “PoC – Cumulus Wired MAC Authentication”

Under the “Service Rules”, add the following:

  • Type = “Connection”
  • Name = “NAD-IP-Address”
  • Operator = “BELONGS_TO_GROUP”
  • Value = “Cumulus-Switches”

The “Value” is the name of the Device Group that was added in Step #2 above.

Under the “Service Rules”, remove the following:

  • The “Wireless-802.11 (19)” value from line #1 that contains “Radius:IETF : NAS-Port-Type”
  • The entry that contains “Radius:IETF : Service-Type : Belongs_To : Login-User (1), Call_Check (10)”

On the “Authentication” tab, add “[Allow All MAC Auth]” and remove “[MAC AUTH]” from the “Authentication Methods.”

On the “Enforcement” tab, select the “PoC – Cumulus MAC Authentication Policy” that was created in step #4.

Click the “Save” button in the bottom right-hand corner.

Cumulus Linux wired MAC Authentication setup:

1. Testing an interface

I am going to be using “swp11” to test wired MAC Authentication.

net add interface swp11
net add bridge bridge ports swp11
net commit

2. Enabling wired MAC Authentication on swp11

Here are the NCLU commands that I entered to configure wired MAC Authentication:

net add dot1x radius server-ip 10.10.102.252 vrf mgmt
net add dot1x radius client-source-ip 192.168.255.100
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add interface swp11 dot1x mab
net commit

3. Modify the hostapd.conf file

The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”. These two options govern hostapd’s RADIUS Dynamic Authorization Server (the listener for RFC 5176 CoA and Disconnect requests): at “=1” hostapd rejects any such request that lacks an Event-Timestamp or a Message-Authenticator attribute, so setting them to “=0” relaxes that check.

radius_das_require_event_timestamp=0
radius_das_require_message_authenticator=0

Restart the hostapd.service after making the above changes with the following command:

sudo systemctl restart hostapd.service
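The following POSIX shell script is an added example, not code from the original post or from Cumulus Networks, that makes the hostapd.conf change of this step idempotently and lets you confirm the result before and after. It assumes the file uses plain key=value lines as /etc/hostapd.conf does, takes the file path as an argument so it can be tried on a copy first, and relies on GNU sed -i as shipped with Cumulus Linux. The sample config it builds for the dry run is constructed for illustration; on the switch you would point the functions at /etc/hostapd.conf with sudo and then run the restart above.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and relax the two RADIUS
# Dynamic Authorization Server (DAS) options in a hostapd.conf file.
# Assumptions: plain "key=value" lines, GNU sed (-i), file path passed as $1.

# Print the value of KEY from FILE (empty output if the key is absent).
hostapd_get() {
    # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set KEY to VALUE in FILE: rewrite an existing line, or append if missing.
hostapd_set() {
    # $1 = file, $2 = key, $3 = value
    if grep -q "^$2=" "$1"; then
        sed -i "s/^$2=.*/$2=$3/" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Apply the post's change: both DAS requirement flags from 1 to 0.
# At 0, hostapd accepts CoA/Disconnect requests (RFC 5176) that carry no
# Event-Timestamp or Message-Authenticator, so the RADIUS shared secret is
# the only thing authenticating those requests.
relax_das_checks() {
    hostapd_set "$1" radius_das_require_event_timestamp 0
    hostapd_set "$1" radius_das_require_message_authenticator 0
}

# Report "relaxed" when both flags are 0 and "strict" otherwise.
das_state() {
    ts=$(hostapd_get "$1" radius_das_require_event_timestamp)
    ma=$(hostapd_get "$1" radius_das_require_message_authenticator)
    if [ "$ts" = "0" ] && [ "$ma" = "0" ]; then
        echo relaxed
    else
        echo strict
    fi
}

# Build a constructed sample (not a real switch's file) and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample resembling the tail of /etc/hostapd.conf
radius_das_require_event_timestamp=1
radius_das_require_message_authenticator=1
EOF
    echo "$f"
}

# Dry run on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_conf)
    echo "before: $(das_state "$f")"
    relax_das_checks "$f"
    echo "after:  $(das_state "$f")"
    cat "$f"
    rm -f "$f"
fi
```

Running the script with --demo prints "before: strict", then "after: relaxed" followed by the rewritten sample file; the same functions can be sourced into an interactive shell and pointed at the real /etc/hostapd.conf.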

Verification and Troubleshooting

Plug a wired VoIP phone into port swp11. Within 3CX, the SIP VoIP server in this test, the phone has come up and registered with the system:

On the Cumulus switch, the following commands will show the status of the swp11 interface:

net show dot1x interface swp11

Adding “details” to the command will provide more information about the connected device:

net show dot1x interface swp11 details

Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]” which is being sent from the ClearPass server. The “Server Flags” are also reporting “[MAB]”, which is the abbreviation for MAC Authentication Bypass.

Aruba ClearPass also provides a view of the MAC Authenticated connection through the Access Tracker:

Monitoring > Live Monitoring > Access Tracker

Clicking on the top entry within Access Tracker will open up the “Request Details” window.

  1. Service – The request is hitting the “PoC – Cumulus Wired MAC Authentication” service that we created in ClearPass Step #5
  2. Authentication Method – ClearPass is reporting MAC-AUTH
  3. Enforcement Profiles – This service request is sending the “PoC – Cumulus Dynamic VLAN 36” down to the Cumulus Switch

Let’s examine the Enforcement Profile by clicking on the “Output” tab in the “Request Details”

  1. Enforcement Profile – We are sending the Dynamic VLAN 36 profile that we created in ClearPass Step #4
  2. Radius:IETF:Tunnel-Private-Group-Id – We are sending VLAN value “36” down to the Cumulus Switch as a Dynamic VLAN.

For further wired MAC Authentication and 802.1x troubleshooting, the link in the 802.1x Interface docs page is an invaluable resource.

In the next blog, we’ll move on to Multi-Domain Authentication using Aruba ClearPass. As always, be sure to take a look at some of the other tutorials we offer engineers, where you can learn everything from basic open networking commands and configurations all the way up to advanced configurations. Wondering where a great place to start is? Check out our how-to videos.