09-12-2014 12:53 PM
I'm hoping someone out there can help me with my particular problem. Last year, we told Brocade we'd be implementing ClearPass and asked if their hardware would be compatible with a scenario wherein we try 802.1x first, MAC auth second, then fail over to a VLAN third. We were assured their hardware does work. I've been unable to make this work as of yet.
Technically, I can get it to do both in a very limited way. But it's usually MAC auth first, THEN 802.1x. Second to that, when I have both configured, it always defaults to sending its login information as the MAC address of the device via 802.1x. This of course confuses my 802.1x profiles, because I'm looking for domain systems with login credentials to pass over to our domain controller.
I can get both to work fine separately, but when I try to combine - they just don't seem to play well together. Any input, advice, etc. would be greatly appreciated. And if you need additional info, let me know.
03-17-2015 09:26 AM
I know this post is from a while ago now but I have been looking at a similar set-up.
This seems to work using FastIron switches on 08.0.20 code, but I cannot get around the constant MAC authentication requests sent from the switch before 802.1x is used. There is a RADIUS VSA that can be set to tell the switch to try 802.1x, but I believe because ClearPass sends a RADIUS Access-Reject message the switch doesn't take into account the VSA passed back.
Having said that, when 802.1x is used it works without issue.
Have you had any success in reducing the number of MAC authentication requests sent to ClearPass before 802.1x is used? I cannot seem to find any timers relating to this.