Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

Version 2018-01 is now available! See original post for details and link.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi Tim, thanks for the update.

We run a number of Aruba 2620 & 2530 switches in our environment, and something that bit us when we first implemented ClearPass and 802.1x + MAC Auth through these switches about 1.5 years ago was the lack of support for a number of features related to network authentication. For example, today, based on the guide, on an Aruba 2530 "ArubaOS" running YB.16.05.0004 there is currently:

  • No downloadable user role support
  • No support for "ip client-tracker"
  • Unless it's changed in the last year and a bit, there was also no support for RFC 4675 for tagging VLANs on these switches. We had a ticket open with both Aruba & HPE (back in the day); it was raised as a feature request and got the typical response of "use a higher model switch", as the 2920 supported this at the time. Sorry if this has been added since.
  • I'm sure there's more.

I can certainly appreciate this is an entry-level switch and that's not an issue; however, do you know if there's any Aruba/HPE resource that tables these features that heavily relate to network authentication support specifically? Otherwise it makes reading these guides a little misleading at times unless you know what each switch can and can't do, or a minimum model required, etc.

Regards

Jonathan

Occasional Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement


@cappalli

Future releases to include: 

  • Cisco IOS-XE 'Denali' (16.x) with IBNS 2.0
  • Juniper EX

Enjoy

- Aruba Security Team




Just curious if anyone is currently doing this with the Denali code, or if the document for it is close to publication? We are currently testing this out, but before I went to TAC I wanted to see if anyone here had it working. We are seeing ClearPass approve devices, but the 3850s are saying the device isn't authenticated.

Thanks!

Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

We’re hoping to publish the next release with IOS-XE in April.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hello there.

Any plan to support Comware 5 for OnConnect? Right now it's only Comware 7 for H3C/HP switches.

Everything is working great here with Comware 7 switches like the 5130, but not so much with the older 5120 under Comware 5 (the SNMP command to change the VLAN, for example, is not recognized by the switch).

Thx.

(And sorry for my English)

Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

Please work with your Aruba account team to raise a feature request for Comware 5.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass Solutions Guide: Wired Policy Enforcement

Hello Tim

Thanks for creating this document, it's helping a lot. One thing I do not yet see is this. I am configuring Aruba 2530 (J9773A) switches for Dot1x RADIUS-based enforcement. Is there a command on the switch that I can use to fail-open (allow connections) if the switch cannot communicate with the ClearPass server cluster?

Thanks

Ric

Re: ClearPass Solutions Guide: Wired Policy Enforcement

Hi,

What firmware are you using? With the latest 16.05, there is this option (I don't remember the name...)

ACMP 6.4 / ACMX #107 / ACCP 6.5
Frequent Contributor I

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi Tim,

Before I go into sticking this into the lab, I assume the authentication is performed at a port level rather than a client level? My assumption is based on connecting APs to colourless ports and allowing all bridged-wireless authenticated clients access to the transport networks. If not, then I would like to know whether this is capable of working in that scenario?

Any amount of Kudos will be greatly appreciated!!!
Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

Authentication is per-MAC.

Colorless ports with User Roles with bridged APs (Instant) is not currently supported.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480