Security

Reply
Occasional Contributor II

CLI Enforcement on ClearPass 6.3.0

Just curious if anyone out there is successfully using CLI Enforcement with ClearPass 6.3.0.  The first time I wanted to use the feature was after upgrading CP to 6.3.0, so I'm unfamiliar with what may be a bug or my own config errors.

 

I'm attempting to a command to my 7220 to blacklist MAC addresses that meet a very specific criteria (per our AUP).  In ClearPass, I see the enforcement profile trigger & the CLI command is generated correctly (visible in output tab), but the station is never blacklisted.  My 7220's logs also never show a login attempt from CP.

 

Before I go any further, CLI access is definitely enabled in the CP device config for the 7220, and the user/pass config is accurate. :)

 

device-7220.png

 

 

Looking in the request log details, the only thing out of the ordinary that  I can see is the following line:

2014-01-24 08:53:16,228[RequestHandler-1-0x7f726c5e2700 h=1357323 c=R0000cc05-02-52e27e5c] WARN Util.DatatypeUtils - Converting string 192.168.127.250 to integer failed. Trailing characters

 

That seems odd to me.  I've tried configuring the enforcement profile to use the IP from %{Radius:IETF:NAS-IP-Address}, %{Connection:NAD-IP-Address}, and I've set it statically, but each time this warning string appears.

 

Anyway, just seeing if anyone else has had luck where I have not.  Request log attached in case anyone can see something I've missed! :)

Occasional Contributor II

Re: CLI Enforcement on ClearPass 6.3.0

Quick note... request log is in html format.  Had to change the extension to attach.

Guru Elite

Re: CLI Enforcement on ClearPass 6.3.0

Cli Enforcement in CPPM only works with Meru Controllers, unfortunately.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Occasional Contributor II

Re: CLI Enforcement on ClearPass 6.3.0

Ah, thanks.  I looked through tech notes & user guides, but didn't see any compatibility statements. Did I miss it somewhere?

 

I'm kinda surprised Aruba doesn't support this on their own controller.

 

Guru Elite

Re: CLI Enforcement on ClearPass 6.3.0

This cli enforcement  was added specifically  to support external captive portal on Meru.  It might not have been expanded  beyond that....let me check.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
MVP

Re: CLI Enforcement on ClearPass 6.3.0

wow, I so wish somebody had made this topic 3 months earlier :smileyembarrassed:

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Re: CLI Enforcement on ClearPass 6.3.0

This has been tested with Cisco and Meru. As of today it does not work with Aruba gear
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: