Occasional Contributor I
Posts: 6
Registered: ‎04-22-2015

AirGroup with CPPM Enforcement Issues

Version Information:

Clearpass: 6.5.0.71095

Controller: Aruba 7220, Software 6.3.1.14

 

Details:

I registered three AppleTV devices (see one configuration in image below)

Screenshot from 2015-04-22 10:15:14.png

I have manually associated them to both controllers using the options available in AirGroup Diagnostics. Both of my controllers appear to be configured properly based on the Config Status in CPPM Guest saying OK.

 

However, no AppleTVs show up when trying to use AirPlay. If I remove enforce CPPM Registration then all AppleTVs show up.

 

I ran the following command on the controllers:

show airgroup cppm entries

 

The results I get back are:

ClearPass Guest Device Registration Information
-----------------------------------------------
Device device-owner shared location-id AP-name shared location-id AP-FQLN shared location-id AP-group shared user-list shared role-list CPPM-Req CPPM-Resp
------ ------------ -------------------------- -------------------------- --------------------------- ---------------- ---------------- -------- ---------
Num CPPM Entries:0

 

-----

This leads me to believe that there is an issue with how I created the devices using clearpass guest.

 

In the end I would like to create all the AppleTVs on the IT side of the house (100 or so) and enable them to be used based on the vlan location or role in CPPM.

 

Can anyone offer the best document to look at to ensure the configuration is setup or offer some additional specific troubleshooting steps?

 

Thanks,

 

~Indigo

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AirGroup with CPPM Enforcement Issues

Hi Indigo,

 

Do you see AirGroup Authorization requests in Access Tracker in CPPM? If so, check the output. Make sure the appropriate attributes are being sent back to the controller. The fact that you don't see anything in show airgroup cppm entries leads me to believe that the AirGroup auth requests are not hitting ClearPass.

 

Thanks,

Zach Jennings
Occasional Contributor I
Posts: 6
Registered: ‎04-22-2015

Re: AirGroup with CPPM Enforcement Issues

I do see 'rejects' in Access Tracker. What should I be checking further? The most telling thing I can see is "Failed to classify request to service" for the error message.

 

Authentication Method: Not Applicable

 

When I look at services I have:

Services - [AirGroup Authorization Service] - this record is not an editable record. (see below for current settings)

airgroup-service1.png

airgroup-service2.png

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AirGroup with CPPM Enforcement Issues

Can you paste a screenshot from one of those failed authentications? I think the service classification is based on AOS 6.4 code. I seem to remember something changing. Look at the incoming RADIUS attributes in the failed auth in Access Tracker. They probably don't match the Calling-Station-Id = AirGroup and Service-Type 17.

 

Thanks,

Zach Jennings
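To make the check Zach describes concrete, here is an added example (not from the thread and not ClearPass code): a first-match service classifier that models the quoted rule, Calling-Station-Id = AirGroup and Service-Type = 17 (RADIUS Authorize-Only, RFC 5176), and reports every condition that did not match so the cause of a "No service matched" reject is visible. The rule list and the sample requests are constructed for illustration; ClearPass's real classification engine is not reproduced.

```python
"""Model of ClearPass service classification for an AirGroup Authorization request.

Added example, not from the thread or from ClearPass. The rule list mirrors the
condition quoted in the thread (Calling-Station-Id = AirGroup, Service-Type = 17);
everything else here is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# RADIUS Service-Type 17 is Authorize-Only (RFC 5176).
AUTHORIZE_ONLY = 17


@dataclass
class ServiceRule:
    name: str
    # Every (attribute, expected value) pair must match (logical AND).
    conditions: dict = field(default_factory=dict)


# Hypothetical rule list standing in for the built-in
# "[AirGroup Authorization Service]" described in the thread.
RULES = [
    ServiceRule(
        "[AirGroup Authorization Service]",
        {"Calling-Station-Id": "AirGroup", "Service-Type": AUTHORIZE_ONLY},
    ),
]


def classify(request: dict, rules=RULES):
    """Return (service_name, []) for the first rule whose conditions all match.

    If no rule matches, return (None, reasons) where reasons lists every failed
    condition of every rule, i.e. the attributes you would compare against the
    incoming RADIUS attributes in Access Tracker.
    """
    reasons = []
    for rule in rules:
        failed = [
            f"{rule.name}: {attr} is {request.get(attr)!r}, expected {want!r}"
            for attr, want in rule.conditions.items()
            if request.get(attr) != want
        ]
        if not failed:
            return rule.name, []
        reasons.extend(failed)
    return None, reasons


# Constructed sample requests (the MAC is the username from the thread's export).
GOOD_REQUEST = {
    "User-Name": "1C-1A-C0-69-3F-66",
    "Calling-Station-Id": "AirGroup",
    "Service-Type": AUTHORIZE_ONLY,
}
# A request missing Calling-Station-Id and carrying a different Service-Type:
# this is the shape of request that ends in "No service matched".
BAD_REQUEST = {"User-Name": "1C-1A-C0-69-3F-66", "Service-Type": 10}

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        service, why = classify(req)
        print(service or "REJECT: No service matched", *why, sep="\n  ")
```

Run it as a script to see the matched service for the first request and the two failed conditions for the second; in a real investigation the request dict would be filled from the RADIUS attributes shown on the failed request in Access Tracker.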
Occasional Contributor I
Posts: 6
Registered: ‎04-22-2015

Re: AirGroup with CPPM Enforcement Issues

I did an export; the logs are pasted below:

 

Request Details Summary -
 Session Identifier: W00000007-01-5537a00e
 Date and Time: Apr 22, 2015 09:20:14 EDT
 Username: 1C-1A-C0-69-3F-66
 End-Host Identifier: -
 Access Device IP/Port: -
 Audit Posture Status:
 System Posture Status:
 Login Status: REJECT

Policies Used -
 Service:
 Authentication Method: Not applicable
 Authentication Source:
 Authorization Source:
 Roles:
 Enforcement Profiles:
 Service Monitor Mode:

Alerts -
 Error Code: 204
 Error Category: Authentication failure
 Error Message: Failed to classify request to service
 Alerts for this Request -
   WebAuthService: ServiceClassification failed {No service matched}

 


Request log details for session: W00000007-01-5537a00e
Time     Message
2015-04-22 09:20:14,643     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065091 h=223 r=W00000007-01-5537a00e] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
2015-04-22 09:20:14,647     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 1c1ac0693f66
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Started ***
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589341 c=W00000007-01-5537a00e] ERROR Core.PETaskOutputPolicyRes - computeAndOutputResponse: Failed get service config
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 r=W00000007-01-5537a00e h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 r=W00000007-01-5537a00e h=8589340 c=W00000007-01-5537a00e] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Completed ***
2015-04-22 09:20:14,665     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.policy.ChainedPolicyClient - Policy evaluation request failed with statusCode=StatusInvalidParam
2015-04-22 09:20:14,666     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform chained policy-evaluation and enfProfiles
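As an added example (not part of the thread and not a ClearPass tool), the following script triages an exported request log in the line format shown above: it groups lines by session identifier, keeps the ERROR and WARN entries, and flags the session when the classification-failure markers (doServiceClassification error, FailedToClassifyRequestToService) appear. The regular expressions are assumptions about the export layout, not a documented schema; the sample is abridged from the lines above.

```python
"""Triage of an exported ClearPass Access Tracker request log.

Added example, not from the thread or from ClearPass. The line layout assumed here
is taken from the export pasted in the thread; the regexes are assumptions about
that layout and may need adjusting for other ClearPass versions.
"""
import re
from collections import defaultdict

# "<timestamp>     [<context>] [R:<session>]] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"\[(?P<ctx>[^\]]*)\]\s*(?:R:(?P<rsess>\S+)\])?\s*"
    r"(?P<level>ERROR|WARN|INFO|DEBUG)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)

# Session ids in the export look like W00000007-01-5537a00e and appear as r=, c= or R:.
SESSION_RE = re.compile(r"\b[WR]\d{8}-\d{2}-[0-9a-f]{8}\b")

# Messages that indicate service classification itself failed.
CLASSIFICATION_MARKERS = ("doServiceClassification", "FailedToClassifyRequestToService")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sess = SESSION_RE.search(f"{rec['ctx']} {rec['rsess'] or ''}")
    rec["session"] = sess.group(0) if sess else None
    return rec


def triage(text):
    """Group lines by session: {session: {"errors": [...], "classification_failed": bool}}."""
    out = defaultdict(lambda: {"errors": [], "classification_failed": False})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = out[rec["session"] or "unknown"]
        if rec["level"] in ("ERROR", "WARN"):
            entry["errors"].append(f"{rec['level']} {rec['logger']}: {rec['msg']}")
        if any(marker in rec["msg"] for marker in CLASSIFICATION_MARKERS):
            entry["classification_failed"] = True
    return dict(out)


# Sample input, abridged from the export in the thread (same line format).
SAMPLE = """\
2015-04-22 09:20:14,643     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065091 h=223 r=W00000007-01-5537a00e] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
2015-04-22 09:20:14,647     [ajp-apr-8009-exec-3] R:W00000007-01-5537a00e] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 1c1ac0693f66
2015-04-22 09:20:14,660     [RequestHandler-1-0x7f53803e1700 r=psauto-1427742565-1065092 h=239 r=W00000007-01-5537a00e] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
2015-04-22 09:20:14,661     [RequestHandler-1-0x7f53803e1700 h=8589341 c=W00000007-01-5537a00e] ERROR Core.PETaskOutputPolicyRes - computeAndOutputResponse: Failed get service config
"""

if __name__ == "__main__":
    for session, info in triage(SAMPLE).items():
        verdict = "service classification FAILED" if info["classification_failed"] else "classified"
        print(f"{session}: {verdict}, {len(info['errors'])} ERROR/WARN lines")
        for err in info["errors"]:
            print("  " + err)
```

Point it at a full export (one session or many) and the per-session flag tells you at a glance which requests never reached a service, which is the case worth checking against the incoming RADIUS attributes before looking at any enforcement policy.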

Occasional Contributor I
Posts: 6
Registered: ‎04-22-2015

Re: AirGroup with CPPM Enforcement Issues

The AppleTVs are connected to the wired network - is that an issue?

Guru Elite
Posts: 7,841
Registered: ‎09-08-2010

Re: AirGroup with CPPM Enforcement Issues

Yes. The controller needs visibility to the device. You can either tag your wired VLANs to the controller or, if you are routing at the edge, you can create a GRE tunnel from the switch to the controller and redirect mDNS and SSDP traffic down the tunnel.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AirGroup with CPPM Enforcement Issues

Adding to Tim's comment...

 

On an untrusted port with an AAA profile which has a default role of Authenticated.


Thanks,

Zach Jennings
Occasional Contributor I
Posts: 6
Registered: ‎04-22-2015

Re: AirGroup with CPPM Enforcement Issues

The router has all the vlans and if I go to the AirGroup item on the dashboard tab I find it listed as an AirGroup Server. If the controller did not have the device I would expect it not to be shown if I turn off cppm-enforcement; is that an accurate expectation?

 

Some devices are connected via Cisco switches -- not sure how to make those ports trusted. The devices attached to the APs ENET 1 are on 'trusted' ports.

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AirGroup with CPPM Enforcement Issues

I think to get the functionality that you are looking for, you will need to upgrade to AOS 6.4.2.x. Back in 6.3.x.x code, I don't think we triggered an AirGroup Auth unless we saw the ATV either on the wireless or on an untrusted port. I believe (check the release notes and user guides) we added this functionality into the 6.4.2.x code stream, may have been 6.4.1.x.

 

Thanks,

Zach Jennings