Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
AirGroup with CPPM Enforcement Issues

  • 1.  AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 10:28 AM

    Version Information:

    Clearpass: 6.5.0.71095

    Controller: Aruba 7220, Software 6.3.1.14

    Details:

    I registered three AppleTV devices (see one configuration in image below)

    Screenshot from 2015-04-22 10:15:14.png

    I have manually associated them to both controllers using the options available in AirGroup Diagnostics. Both of my controllers appear to be configured properly based on the Config Status in CPPM Guest saying OK.

    However, no AppleTVs show up when trying to use AirPlay. If I remove enforce CPPM Registration then all AppleTVs show up.

    I ran the following command on the controllers:

    show airgroup cppm entries

    The results I get back are:

    ClearPass Guest Device Registration Information
    -----------------------------------------------
    Device device-owner shared location-id AP-name shared location-id AP-FQLN shared location-id AP-group shared user-list shared role-list CPPM-Req CPPM-Resp
    ------ ------------ -------------------------- -------------------------- --------------------------- ---------------- ---------------- -------- ---------
    Num CPPM Entries:0

    -----

    This leads me to believe that there is an issue with how I created the devices using clearpass guest.

    In the end I would like to create all the AppleTVs on the IT side of the house (100 or so) and enable them to be used based on the vlan location or role in CPPM.

    Can anyone offer the best document to look at to ensure the configuration is set up, or offer some additional specific troubleshooting steps?

    Thanks,

    ~Indigo



  • 2.  RE: AirGroup with CPPM Enforcement Issues

    EMPLOYEE
    Posted Apr 22, 2015 10:31 AM

    Hi Indigo,

    Do you see AirGroup Authorization requests in Access Tracker in CPPM? If so, check the output. Make sure the appropriate attributes are being sent back to the controller. The fact that you don't see anything in show airgroup cppm entries leads me to believe that the AirGroup auth requests are not hitting ClearPass.



  • 3.  RE: AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 11:19 AM

    I do see 'rejects' in access tracker. What should I be checking further? The most telling thing I can see is "Failed to classify request to service" for the error message.

    Authentication Method: Not Applicable

    When I look at services I have:

    Services - [AirGroup Authorization Service] - this record is not an editable record. (see below for current settings)

    airgroup-service1.png

    airgroup-service2.png



  • 4.  RE: AirGroup with CPPM Enforcement Issues

    EMPLOYEE
    Posted Apr 22, 2015 11:25 AM

    Can you paste a screenshot from one of those failed authentications? I think the service classification is based on AOS 6.4 code. I seem to remember something changing. Look at the incoming RADIUS attributes in the failed auth in Access Tracker. They probably don't match the Calling-Station-Id = AirGroup and Service-Type 17.



  • 5.  RE: AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 11:35 AM

    I did an export; the logs are pasted below:

    Request Details Summary -
     Session Identifier: W00000007-01-5537a00e
     Date and Time: Apr 22, 2015 09:20:14 EDT
     Username: 1C-1A-C0-69-3F-66
     End-Host Identifier: -
     Access Device IP/Port: -
     Audit Posture Status:
     System Posture Status:
     Login Status: REJECT

    Policies Used -
     Service:
     Authentication Method: Not applicable
     Authentication Source:
     Authorization Source:
     Roles:
     Enforcement Profiles:
     Service Monitor Mode:

    Alerts -
     Error Code: 204
     Error Category: Authentication failure
     Error Message: Failed to classify request to service
     Alerts for this Request -
       WebAuthService: ServiceClassification failed {No service matched}

    Request log details for session: W00000007-01-5537a00e
    Time     Message
    2015-04-22 09:20:14,643     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065091 h=223 r=W00000007-01-5537a00e] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
    2015-04-22 09:20:14,647     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 1c1ac0693f66
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Started ***
    2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589341 c=W00000007-01-5537a00e] ERROR Core.PETaskOutputPolicyRes - computeAndOutputResponse: Failed get service config
    2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 r=W00000007-01-5537a00e h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 r=W00000007-01-5537a00e h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Completed ***
    2015-04-22 09:20:14,665     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.policy.ChainedPolicyClient - Policy evaluation request failed with statusCode=StatusInvalidParam
    2015-04-22 09:20:14,666     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform chained policy-evaluation and enfProfiles
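Added example, not code from this thread or from HPE Aruba ClearPass: a small triage helper for the two points raised above. Zach's reply describes the service match (Calling-Station-Id = AirGroup and Service-Type 17, which is the RADIUS Authorize-Only service type), and reply #5 shows the Access Tracker request-log format. The rule table, the hint strings and the function names are this example's own assumptions; the sample log lines are copied from the export in reply #5, and nothing here talks to a controller or to ClearPass.

```python
"""Added example: check incoming RADIUS attributes against the AirGroup service
match described in this thread, and summarise an exported Access Tracker request
log. Rule table, hint text and function names are assumptions, not ClearPass APIs."""
import re
from collections import Counter

# Assumed service-classification rule, written from the thread's description
# (Calling-Station-Id = AirGroup, Service-Type = 17 / Authorize-Only). It is
# not an export of the real "AirGroup Authorization Service" definition.
AIRGROUP_SERVICE_RULES = {"Calling-Station-Id": "AirGroup", "Service-Type": "17"}


def classify_airgroup(request_attrs):
    """Return (matched, problems). `problems` lists every rule that did not
    match, so it can be compared with the request attributes Access Tracker shows."""
    problems = []
    for attr, expected in AIRGROUP_SERVICE_RULES.items():
        actual = request_attrs.get(attr)
        if actual is None:
            problems.append(f"{attr} is absent from the request")
        elif str(actual).strip() != expected:
            problems.append(f"{attr}={actual!r}, service expects {expected!r}")
    return (not problems, problems)


# One request-log line: timestamp, [context], LEVEL, Source - message.
# The context bracket in the export sometimes carries a stray ']'
# ("[ajp-apr-8009-exec-3] R:W000...]"), so the context is matched lazily
# up to the first "] LEVEL".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"\[(?P<ctx>.*?)\]\s+(?P<level>ERROR|WARN|INFO|DEBUG)\s+"
    r"(?P<src>\S+)\s+-\s+(?P<msg>.*)$"
)


def parse_request_log(text):
    """Parse an exported request log into dicts; lines that do not fit the
    format (for example the 'Time     Message' header) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


# Error signatures mapped to what to check next. Hints are this example's
# reading of the thread's advice and of the log ordering, not product docs.
TRIAGE_HINTS = [
    ("doServiceClassification: Error",
     "No service matched: compare the request's RADIUS attributes with the "
     "AirGroup Authorization Service rules (Calling-Station-Id, Service-Type)."),
    ("PE_TASK_SCHEDULE_OUTPUT_ERROR",
     "Enforcement ran in its error path because no service was selected; "
     "fix classification first, then re-check the enforcement output."),
]


def triage(text):
    """Summarise a request log: counts per level, first ERROR, matching hints."""
    entries = parse_request_log(text)
    levels = Counter(e["level"] for e in entries)
    errors = [e for e in entries if e["level"] == "ERROR"]
    hints = [hint for sig, hint in TRIAGE_HINTS
             if any(sig in e["msg"] for e in entries)]
    return {
        "entries": len(entries),
        "levels": dict(levels),
        "first_error": errors[0]["msg"] if errors else None,
        "hints": hints,
    }


# Sample input: header plus four lines copied from the export in reply #5.
SAMPLE_LOG = """Time     Message
2015-04-22 09:20:14,643     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065091 h=223 r=W00000007-01-5537a00e] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
2015-04-22 09:20:14,647     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Started ***
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # A request shaped the way the thread expects it from the controller (constructed).
    print(classify_airgroup({"Calling-Station-Id": "AirGroup", "Service-Type": "17"}))
    # An ordinary client request with a MAC in Calling-Station-Id (constructed):
    # this is what a wrong-attribute failure of the service match looks like.
    print(classify_airgroup({"Calling-Station-Id": "1C-1A-C0-69-3F-66", "Service-Type": "2"}))
```

Run it as a script to see the summary of the pasted log and the two attribute checks; the `problems` list from `classify_airgroup()` is what you would line up against the incoming attributes in the failed request's Access Tracker entry.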



  • 6.  RE: AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 12:30 PM

    The AppleTVs are connected to the wired network - is that an issue?



  • 7.  RE: AirGroup with CPPM Enforcement Issues

    EMPLOYEE
    Posted Apr 22, 2015 01:03 PM

    Yes. The controller needs visibility to the device. You can either tag your wired VLANs to the controller or, if you are routing at the edge, you can create a GRE tunnel from the switch to the controller and redirect mDNS and SSDP traffic down the tunnel.


    Thanks,
    Tim


  • 8.  RE: AirGroup with CPPM Enforcement Issues

    EMPLOYEE
    Posted Apr 22, 2015 01:08 PM

    Adding to Tim's comment...

    On an untrusted port with an AAA profile which has a default role of Authenticated.



  • 9.  RE: AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 01:11 PM

    The router has all the vlans and if I go to the AirGroup item on the dashboard tab I find it listed as an AirGroup Server. If the controller did not have the device I would expect it not to be shown if I turn off cppm-enforcement; is that an accurate expectation?

    Some devices are connected via Cisco switches -- not sure how to make those ports trusted. The devices attached to the APs ENET 1 are on 'trusted' ports.



  • 10.  RE: AirGroup with CPPM Enforcement Issues

    EMPLOYEE
    Posted Apr 22, 2015 01:36 PM

    I think to get the functionality that you are looking for, you will need to upgrade to AOS 6.4.2.x. Back in 6.3.x.x code, I don't think we triggered an AirGroup Auth unless we saw the ATV either on the wireless or on an untrusted port. I believe (check the release notes and user guides) we added this functionality into the 6.4.2.x code stream, may have been 6.4.1.x.



  • 11.  RE: AirGroup with CPPM Enforcement Issues

    Posted Apr 22, 2015 01:38 PM

    Zach:

    Thanks, I will look to upgrade the controllers then.