Security

Occasional Contributor I
Posts: 6
Registered: ‎05-25-2011

ClearPass 6.3 and Cisco

I'm trying to set up ClearPass with my Cisco switches to do dot1x wired authentication.  I have a policy set up to push out a Quarantine VLAN and a dACL/URL Redirect.  The port on the Cisco switch will come up and start going through authentication, but I'll get "Authorization failed or unapplied for client".  If I do a show authentication session on the interface I'm trying with, it shows "Status:  Authz Failed".  If I take out the URL redirect the port comes up fine, but I'm using the URL redirect for remediation so it's needed.  I've opened a TAC case with both Aruba and Cisco and both are scratching their heads.  I've followed every guide I could find from Aruba and Cisco on setting this up.  If anyone has suggestions or has run into this please let me know.  Thanks


Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: ClearPass 6.3 and Cisco

Do you have the ip http server and ip http secure-server entries on the switch?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎05-25-2011

Re: ClearPass 6.3 and Cisco

Yes I have those commands on the switch.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: ClearPass 6.3 and Cisco

What version of Cisco IOS are you running?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎05-25-2011

Re: ClearPass 6.3 and Cisco

I've tried a few different versions and hardware platforms.  Currently I'm working on a 3560G with 15.0(2)SE5.  I started with 12.2(58)SE2.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: ClearPass 6.3 and Cisco

The only other thing aside from IOS version (versions seem to be very finicky) would be to check whether you have a default port ACL on the port.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎05-25-2011

Re: ClearPass 6.3 and Cisco

I have an ACL called "temp" created and applied.  The ACL is permit ip any any.

MVP
Posts: 485
Registered: ‎04-03-2007

Re: ClearPass 6.3 and Cisco

At which part of 802.1X are you getting this? Is it a dot1x failure or a MAB failure?
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Occasional Contributor I
Posts: 6
Registered: ‎05-25-2011

Re: ClearPass 6.3 and Cisco

So what happens is a port comes online, dot1x checks for a computer cert, it passes, then (since we are using OnGuard as well) it does a posture check, which comes back unhealthy since the user has not logged in yet.  ClearPass assigns a Quarantine VLAN and pushes out the dACL and URL redirect.  MAB does not come into play.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: ClearPass 6.3 and Cisco

It sounds as though ClearPass is sending the proper response but the switch is not interpreting it properly for whatever reason.  Can you share the output of the following:

- debug radius on the switch for that authentication connection.

- the specific port configuration

- show authentication sessions for that port/attempt

I've seen similar behavior in the past, but in those cases it was IOS version compatibilities or missing http server or default ACL commands.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
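For reference, below is an added example of the Catalyst IOS configuration that the replies in this thread are asking the original poster to verify (embedded HTTP server, default port ACL, RADIUS VSA support). It is not configuration from any of the posters; the RADIUS server address, shared secret, ACL names, VLAN numbers and the redirect URL are placeholders. It also includes the pieces a Cisco switch needs before a URL-redirect authorization from ClearPass can be applied: the redirect ACL named in the Cisco-AVPair "url-redirect-acl=" attribute has to exist locally on the switch under exactly that name, the quarantine VLAN has to exist, and ip device tracking is needed so the switch learns the client IP that the dACL and redirect are bound to. If any of those is missing, the switch rejects the authorization and shows the session as "Authz Failed", which matches the symptom described in the thread.

```cisco
! Added example, not from the thread. Addresses, names and secrets are placeholders.
!
! --- AAA / RADIUS: VSA support is required for Cisco-AVPair (dACL, url-redirect) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
radius-server vsa send authentication
dot1x system-auth-control
!
! --- Client IP learning: dACLs and redirects are applied per client IP ---
ip device tracking
!
! --- Embedded web server: required for URL redirection (the first thing asked in this thread) ---
ip http server
ip http secure-server
!
! --- Quarantine VLAN referenced by the ClearPass enforcement profile must exist ---
vlan 20
 name QUARANTINE
!
! --- Default (pre-authentication) port ACL, applied inbound on the access port ---
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any log
!
! --- Redirect ACL: name must match Cisco-AVPair "url-redirect-acl=ACL-REDIRECT" sent by ClearPass ---
! Semantics are inverted relative to a filter: deny = pass through without redirect, permit = redirect.
ip access-list extended ACL-REDIRECT
 deny ip any host 192.0.2.10
 deny udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- Access port running 802.1X with MAB fallback ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group ACL-DEFAULT in
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 spanning-tree portfast
```

With this in place, the ClearPass enforcement profile for the unhealthy-posture case sends the quarantine VLAN plus two Cisco-AVPair values, url-redirect-acl=ACL-REDIRECT and url-redirect=https://clearpass.example.com/... (placeholder URL), and optionally a dACL. When debugging, compare the ACL name in the RADIUS Access-Accept (debug radius) against show ip access-lists on the switch; a name mismatch or a missing ACL is the usual reason the redirect authorization fails while the same policy without the redirect works.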
