Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass TACACS+ for HPE ProCurve Switch Management

  • 1.  ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 05, 2017 09:15 PM

    Hi,

    I've been setting up TACACS authentication with our HPE ProCurve switches, using a solution from the ASE.

    My ClearPass version is 6.6.0.81015.

    I modified the service to use AD authentication, which is all working fine (checking an AD group and mapping the appropriate enforcement profiles). I can authenticate to the switch using my AD credentials fine like this.

    When I go and change the Device to an IP address range (10.100.0.100-200) for the switches I want to authenticate using CPPM, the authentication stops matching the service and falls back to the default "[Aruba Device Access Service]" (or "no service matched" if I disable that default service).

    Entering the subnet or IP in the field works fine.

    I've posted some screenshots below for reference.

    Thanks

    (screenshot: Service)

    (screenshot: Device Details / Device Group.png)



  • 2.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 06, 2017 04:14 AM

    Can you show the failed access tracker message? What is the nad-ip-address in the failed request?



  • 3.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 06, 2017 01:10 PM

    I am pretty sure that format won't work. The field is looking for a valid IP or subnet with the masking bits; if you want to do a range you will need to put your range into a valid subnet format, which means you have to observe the correct subnet boundaries.



  • 4.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 06, 2017 03:39 PM

    Hi,

    It's in that range that I specified, see the screenshot below:

    (screenshot: Request Tracker Entry.png)

    Also, it states in the documentation that you can use a range, and the Add Device page also specifies that you can use a range (you can see that it says "or 192.168.1.1-20" in the screenshot in my original post).

    Thanks



  • 5.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 06, 2017 04:13 PM

    Yes, it is true you can use a range, as long as it is expressed in accepted standard TCP notation. The range you specified does not fall on any subnet boundary, so it is not recognized. For example:

    Subnet        Mask             Inverse Mask  Subnet Size  Host Range                    Broadcast
    10.100.0.0    255.255.255.192  0.0.0.63      62           10.100.0.1   to 10.100.0.62   10.100.0.63
    10.100.0.64   255.255.255.192  0.0.0.63      62           10.100.0.65  to 10.100.0.126  10.100.0.127
    10.100.0.128  255.255.255.192  0.0.0.63      62           10.100.0.129 to 10.100.0.190  10.100.0.191
    10.100.0.192  255.255.255.192  0.0.0.63      62           10.100.0.193 to 10.100.0.254  10.100.0.255

    This is an example of how a subnet would be broken up using a /26 subnet bit size. Subnets can only be expressed in terms of the 8 bits that form the basis for each octet. Your example of 100-200 does not fit on any of those boundaries, so CPPM will never match them in your rule since it does not know how to interpret those numbers.



  • 6.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management

    Posted Mar 08, 2017 03:02 PM

    Hi,

    I know how subnetting works; I don't think your answer is correct.

    The subnet could be a /29 network. Why would it matter what mask it has if you're specifying a range? It doesn't even know what mask your subnet is using.

    Our 10.100.0.0 network is a /24 subnet; even if I enter 10.100.0.1-254 it doesn't work.

    If I enter 10.100.0.1-10.100.0.254 it says it's an invalid format.



  • 7.  RE: ClearPass TACACS+ for HPE ProCurve Switch Management
    Best Answer

    Posted Mar 08, 2017 04:37 PM

    I ended up using a Device Group with a Regular Expression to pick out that specific range and used that group to match my service.

    The expression I used was ^10\.100\.0\.(1([0-9][0-9])|200)$
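The Device Group regular expression in the best answer and the subnet-boundary argument in reply 5 can both be checked offline. The Python script below is an added example written for this page; it is not ClearPass code and was not posted in the thread. It builds an anchored regex for any last-octet range (the general case of which the thread's 100-200 expression is one instance), verifies that regex and the thread's own expression against every host in the /24, shows why the ^ and $ anchors matter if a regex engine does a substring search, and lists the CIDR blocks an arbitrary range decomposes into, i.e. what 10.100.0.100-200 would have to be entered as if only subnet-style entries were accepted. It assumes the Device Group regex is evaluated against the NAD IP address as a plain dotted-quad string; the function names and the 110.100.0.100 counter-example are mine.

```python
"""Exact regex for a last-octet IP range, and its CIDR decomposition.

Added example for this thread; not ClearPass code. Assumes the Device Group
regular expression is matched against the NAD IP address as a dotted-quad
string such as "10.100.0.150".
"""
import ipaddress
import re

# The expression from the thread's best answer, copied verbatim.
THREAD_REGEX = r"^10\.100\.0\.(1([0-9][0-9])|200)$"


def octet_range_regex(low: int, high: int) -> str:
    """Regex alternation matching exactly the decimal strings low..high (0-255).

    Greedy left to right: take a whole hundreds block (1[0-9][0-9]) when it fits,
    else a whole tens block (12[0-9]), else a short run inside one decade (25[0-4]).
    No leading zeros, matching how IP addresses are printed.
    """
    if not 0 <= low <= high <= 255:
        raise ValueError("need 0 <= low <= high <= 255")
    parts = []
    n = low
    while n <= high:
        if n >= 100 and n % 100 == 0 and n + 99 <= high:
            parts.append(f"{n // 100}[0-9][0-9]")
            n += 100
        elif n >= 10 and n % 10 == 0 and n + 9 <= high:
            parts.append(f"{n // 10}[0-9]")
            n += 10
        else:
            end = min(high, n - n % 10 + 9)        # do not cross the decade
            prefix = str(n // 10) if n >= 10 else ""
            parts.append(str(n) if end == n else f"{prefix}[{n % 10}-{end % 10}]")
            n = end + 1
    return "(?:" + "|".join(parts) + ")"


def host_range_regex(first_three_octets: str, low: int, high: int) -> str:
    """Anchored regex for first_three_octets.low .. first_three_octets.high."""
    return rf"^{re.escape(first_three_octets)}\.{octet_range_regex(low, high)}$"


def hosts_matched(pattern: str, first_three_octets: str) -> set:
    """Last octets 0..255 under the given /24 that the pattern fully matches."""
    rx = re.compile(pattern)
    return {i for i in range(256) if rx.fullmatch(f"{first_three_octets}.{i}")}


def partial_search_false_positive(anchored_pattern: str, candidate: str) -> bool:
    """True if dropping ^ and $ would let a substring search accept a host that
    the anchored pattern rejects, e.g. 110.100.0.100 contains 10.100.0.100."""
    bare = anchored_pattern.lstrip("^").rstrip("$")
    return (re.search(bare, candidate) is not None
            and re.fullmatch(anchored_pattern, candidate) is None)


def cidr_cover(first: str, last: str) -> list:
    """Minimal CIDR blocks covering first..last inclusive: what an arbitrary
    range turns into if only subnet-style entries are accepted."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in nets]


if __name__ == "__main__":
    generated = host_range_regex("10.100.0", 100, 200)
    print("generated:", generated)          # ^10\.100\.0\.(?:1[0-9][0-9]|200)$
    print("thread   :", THREAD_REGEX)
    same = hosts_matched(generated, "10.100.0") == hosts_matched(THREAD_REGEX, "10.100.0")
    print("both match exactly .100-.200:", same)
    print("unanchored search would accept 110.100.0.100:",
          partial_search_false_positive(THREAD_REGEX, "110.100.0.100"))
    print("the same range as subnet entries:")
    for net in cidr_cover("10.100.0.100", "10.100.0.200"):
        print("  ", net)
```

Run it as-is, or change the arguments to host_range_regex and cidr_cover for another range. For 10.100.0.100-200 the CIDR decomposition comes out as six separate blocks (/30, /29, /28, /26, /29, /32), which is what entering the range by subnet would cost; a single anchored regex on the device group covers the same hosts, and the anchors are what keep a substring match from also accepting an address such as 110.100.0.100.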