New Contributor
Posts: 4
Registered: ‎06-14-2016

ClearPass TACACS+ for HPE ProCurve Switch Management

Hi,

I've been setting up TACACS authentication with our HPE ProCurve switches, using a solution from the ASE.

My ClearPass version is 6.6.0.81015.

I modified the service to use AD authentication, which is all working fine (checking an AD group and mapping the appropriate enforcement profiles). I can authenticate to the switch using my AD credentials fine like this.

When I go and change the Device to an IP address range (10.100.0.100-200) for the switches I want to authenticate using CPPM, the authentication stops matching the service and falls back to the default "[Aruba Device Access Service]" (or no service matched if I disable that default service).

Entering the subnet or IP in the field works fine.

I've posted some screenshots below for reference.

Thanks

[Screenshots: Service; Device Details; Device Group.png]

MVP
Posts: 992
Registered: ‎04-13-2009

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

Can you show the failed access tracker message? What is the nad-ip-address in the failed request?

Cheers
James

@whereisjrw | blog | ACCX #540 | ACMX #353 | ACDX #216 | Mobility First Expert #11

New Contributor
Posts: 5
Registered: ‎11-14-2014

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

I am pretty sure that format won't work. The field is looking for a valid IP or subnet with the masking bits; if you want to do a range you will need to put your range into a valid subnet format, which means you have to observe the correct subnet boundaries.

New Contributor
Posts: 4
Registered: ‎06-14-2016

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

Hi

It's in that range that I specified, see the screenshot below:

[Screenshot: Request Tracker Entry.png]

Also, it states in the documentation you can use a range, and in the Add Device page it also specifies you can use a range (you can see that it says "or 192.168.1.1-20" in the screenshot in my original post).

Thanks

New Contributor
Posts: 5
Registered: ‎11-14-2014

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

Yes, it is true you can use a range, as long as it is expressed in accepted standard TCP notation. The range you specified does not fall on any subnet boundary so it is not recognized, for example:

Subnet        Mask             Inverse Mask  Subnet Size  Host Range                      Broadcast
10.100.0.0    255.255.255.192  0.0.0.63      62           10.100.0.1   to 10.100.0.62     10.100.0.63
10.100.0.64   255.255.255.192  0.0.0.63      62           10.100.0.65  to 10.100.0.126    10.100.0.127
10.100.0.128  255.255.255.192  0.0.0.63      62           10.100.0.129 to 10.100.0.190    10.100.0.191
10.100.0.192  255.255.255.192  0.0.0.63      62           10.100.0.193 to 10.100.0.254    10.100.0.255

This is an example of how a subnet would be broken up using a /26 subnet bit size. Subnets can only be expressed in terms of the 8 bits that form the basis for each octet. Your example of 100-200 does not fit on any of those boundaries, so CPPM will never match them in your rule since it does not know how to interpret those numbers.

New Contributor
Posts: 4
Registered: ‎06-14-2016

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

Hi,

I know how subnetting works; I don't think your answer is correct.

The subnet could be a /29 network. Why would it matter what mask it has if you're specifying a range? It doesn't even know what mask your subnet is using.

Our 10.100.0.0 network is a /24 subnet; even if I enter 10.100.0.1-254 it doesn't work.

If I enter 10.100.0.1-10.100.0.254 it says it's an invalid format.

New Contributor
Posts: 4
Registered: ‎06-14-2016

Re: ClearPass TACACS+ for HPE ProCurve Switch Management

I ended up using a Device Group with a regular expression to pick out that specific range and used that group to match my service.

The expression I used was ^10\.100\.0\.(1([0-9][0-9])|200)$
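As an added example (not part of this thread and not ClearPass code), the Python script below shows the arithmetic behind the two posts above: it generates the same /26 table, shows that 10.100.0.100-200 cannot be written as one subnet/mask (it takes six CIDR blocks), and verifies that the device-group regex from the final post admits exactly .100 through .200 of the /24 and nothing else. The network, range and regex are the values from the thread; it is an assumption that ClearPass evaluates a device-group regex as a whole-string match on the NAD IP, which is what the ^ and $ anchors enforce.

```python
import ipaddress
import re

# Values taken from the thread (constructed test inputs, not ClearPass output):
# the /24 the switches sit in, the range the poster wanted to match, and the
# device-group regex from the final post.
MGMT_NETWORK = ipaddress.ip_network("10.100.0.0/24")
RANGE_START = "10.100.0.100"
RANGE_END = "10.100.0.200"
DEVICE_GROUP_REGEX = re.compile(r"^10\.100\.0\.(1([0-9][0-9])|200)$")


def subnet_table(network, new_prefix):
    """Build rows like the /26 table in the thread: subnet, mask, inverse
    (wildcard) mask, usable host count, first/last host, broadcast."""
    rows = []
    for sub in network.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        rows.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "inverse_mask": str(sub.hostmask),
            "size": len(hosts),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def cidr_blocks_for_range(start, end):
    """Smallest set of CIDR blocks that exactly covers start..end.
    A range that lines up with a subnet boundary collapses to one block;
    an arbitrary range such as .100-.200 needs several, which is why it
    cannot be entered as a single subnet/mask."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def regex_matches(network, pattern):
    """Every address in the network that the device-group regex admits,
    i.e. the NAD IPs that would land in the group (assumption: the group
    matches the whole request IP string, as the ^ and $ anchors require)."""
    return [str(ip) for ip in network if pattern.match(str(ip))]


def regex_covers_range_exactly(network, pattern, start, end):
    """True if the regex admits exactly start..end and no other address in
    the network: the check to run before trusting a hand-written range regex."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    wanted = [str(ip) for ip in network if first <= ip <= last]
    return regex_matches(network, pattern) == wanted


if __name__ == "__main__":
    print("Subnet        Mask             Inverse   Size  Hosts                        Broadcast")
    for r in subnet_table(MGMT_NETWORK, 26):
        print(f"{r['subnet']:<13} {r['mask']:<16} {r['inverse_mask']:<9} {r['size']:<5} "
              f"{r['first_host']} to {r['last_host']:<13} {r['broadcast']}")
    print("\nCIDR blocks needed to cover", RANGE_START, "-", RANGE_END, ":")
    print(" ", cidr_blocks_for_range(RANGE_START, RANGE_END))
    matched = regex_matches(MGMT_NETWORK, DEVICE_GROUP_REGEX)
    print("\nRegex admits", len(matched), "addresses; exact match of the range:",
          regex_covers_range_exactly(MGMT_NETWORK, DEVICE_GROUP_REGEX, RANGE_START, RANGE_END))
```

Running it prints the four /26 rows, the six CIDR blocks (10.100.0.100/30 through 10.100.0.200/32) that the .100-.200 range decomposes into, and confirms the regex admits 101 addresses and no others. The exact-coverage check is the useful part to keep around: a device group that matches by regex will silently admit anything the pattern happens to accept, so testing it against the full address space of the management subnet before relying on it for TACACS+ service selection is worthwhile.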
