I agree with @ahollifield. The reason you see this is because of the following:
- The computer has been configured with both computer and user authentication
- Authentication method is EAP-TLS
- Users don't have smart cards
- When Windows performs 802.1x authentication to the network without a user logged in, the computer certificate is utilized
- When a user is logged into Windows the user certificate should be utilized
- As the user doesn't have a certificate it's not possible to perform an 802.1x authentication for the user
- Thus the device is not authenticated and the switch tries to perform a MAC authentication
- As the MAC address should not be allowed to authenticate it's expected to get a Reject
- During the time you see the Rejects the client is able to retrieve a certificate for the user, maybe through the WLAN or you have a last resort VLAN configured in the switch for unauthenticated clients
- When the user has the certificate the 802.1x authentication is successful
Investigate how the clients can get the certificate. Because it should not be able to do so in your current situation, unless you have configured a way to handle it.
Maybe someone else has implemented a smart workaround already.
One way to solve this is to enable "Use Cached Results" in the Enforcement tab of the MAC authentication service.

In the enforcement policy create a rule like this:

Assign the same enforcement profiles as in the 802.1x Service for the computer account.
The settings above will implement the following:
When a computer with a valid certificate authenticates, ClearPass will automatically assign the role [Machine Authenticated].
If the user logging in doesn't have a valid certificate the 802.1x authentication will fail, causing a MAC authentication to occur.
During this MAC authentication ClearPass can now utilize the roles from the previous successful machine authentication and grant access based on that role. By default the [Machine Authenticated] role is cached for 24 hours. The MAC authentication service must have the authentication method [Allow All MAC AUTH] for this to work, or the MAC address must be marked as Known for the [MAC AUTH] method to work.
There are also other ways to solve this, for example with custom attributes and writing a time stamp during the 802.1x authentication and only allow MAC authentication for a short time. Maybe 20 minutes or so.
Also make sure your switches don't send both 802.1x and MAC authentications to ClearPass at the same time.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
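To make the decision flow described in the answer above concrete, here is an added model (not ClearPass code, and not from the poster) of the two policy designs it mentions: a MAC authentication service that reuses the cached [Machine Authenticated] role from the earlier 802.1x machine authentication (24-hour cache, and the [Allow All MAC AUTH] vs. Known-endpoint requirement), and the timestamp-attribute alternative with a short window. MAC addresses, times and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MACHINE_ROLE = "[Machine Authenticated]"
CACHE_TTL = timedelta(hours=24)       # default cache lifetime for the role, per the thread
STAMP_WINDOW = timedelta(minutes=20)  # short window for the timestamp-attribute variant

@dataclass
class RoleCache:
    """Constructed stand-in for 'Use Cached Results': mac -> {role: expires_at}."""
    entries: dict = field(default_factory=dict)

    def store(self, mac, roles, now):
        self.entries.setdefault(mac, {}).update({r: now + CACHE_TTL for r in roles})

    def roles(self, mac, now):
        # Only roles whose cache entry has not yet expired are visible to later requests
        return {r for r, exp in self.entries.get(mac, {}).items() if exp > now}

def dot1x_machine_auth(cache, mac, machine_cert_valid, now):
    """802.1x EAP-TLS with the computer certificate; success caches the machine role."""
    if not machine_cert_valid:
        return "REJECT"
    cache.store(mac, {MACHINE_ROLE}, now)
    return "ACCEPT"

def mac_auth(cache, mac, known_macs, allow_all_mac_auth, now):
    """MAC auth seen after the user 802.1x attempt fails (user has no certificate yet)."""
    if not allow_all_mac_auth and mac not in known_macs:
        return "REJECT"  # [MAC AUTH] method needs the endpoint marked Known
    # Access is granted only because of the earlier successful machine authentication
    return "ACCEPT" if MACHINE_ROLE in cache.roles(mac, now) else "REJECT"

def mac_auth_timestamp_variant(stamps, mac, now):
    """Alternative design: custom attribute stamped at 802.1x time; MAC auth allowed briefly."""
    last = stamps.get(mac)
    return "ACCEPT" if last is not None and now - last <= STAMP_WINDOW else "REJECT"

def scenario():
    """Walk a first-time user login through both designs and return the decisions."""
    cache, t0 = RoleCache(), datetime(2025, 3, 31, 17, 0)
    pc, other = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"  # constructed sample MACs
    r_boot = dot1x_machine_auth(cache, pc, True, t0)                 # boot: machine cert OK
    r_new_user = mac_auth(cache, pc, set(), True, t0 + timedelta(minutes=1))
    r_not_known = mac_auth(cache, pc, set(), False, t0 + timedelta(minutes=1))
    r_expired = mac_auth(cache, pc, set(), True, t0 + timedelta(hours=25))
    r_unknown_pc = mac_auth(cache, other, set(), True, t0)           # never machine-authenticated
    stamps = {pc: t0}
    r_stamp_ok = mac_auth_timestamp_variant(stamps, pc, t0 + timedelta(minutes=10))
    r_stamp_late = mac_auth_timestamp_variant(stamps, pc, t0 + timedelta(minutes=30))
    return r_boot, r_new_user, r_not_known, r_expired, r_unknown_pc, r_stamp_ok, r_stamp_late
```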
Original Message:
Sent: Mar 31, 2025 05:56 PM
From: ahollifield
Subject: New User Login Fails 802.1x Authentication
No. This is probably because the computer does not have a certificate for that user yet. Why not use TEAP?
Original Message:
Sent: Mar 31, 2025 05:07 PM
From: gmann101
Subject: New User Login Fails 802.1x Authentication
Hi everyone. I am running into an issue within ClearPass where any time a user signs into a PC which they have not previously signed into, they are unable to authenticate via an 802.1x service for approximately 10 minutes, and they hit a MAB service that I have defined. After 10 minutes, the user successfully authenticates:
Once the user signs out/in of the PC, on any subsequent sign-ins, the 802.1x authentication is almost instant. Could this issue be occurring due to the configuration thresholds that are set on the switch port?

Please advise.