Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

ClearPass non dot 1x printer authentication question

Hi Forum,

 

I set up CPPM to work with Juniper EX switches to enforce VLANs; I used the aes.arubanetworks.com solution and it works fine. For printers, I defined a role called 'company printers' and made a role mapping with (Authorization:[Endpoints Repository]:Category EQUALS Printer) -> role name 'company printer'. On my wired enforcement policy I added a rule (Tips:Role EQUALS company printers) with action "printers vlan" to push the printers VLAN back to the EX switch.

 

Here is what I'm not sure about:

In order for a device (printer) to be profiled, it would need to -at least- request a DHCP address. After that, my role mapping can read a device category and enforce a role. Is this at all true? Without manually adding my printers to the endpoint database, is there any other way to allow a printer to be profiled without allowing it onto the network? Should I allow all devices in (to be profiled) and then enforce my policy?

 

Any input is highly appreciated.

 

thanks,

 

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass non dot 1x printer authentication question

You would add a rule to the top that says Endpoint Category NOT_EXISTS and return a DACL that only allows DHCP so that devices can be profiled. Be sure the profiler is enabled for the service.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

Re: ClearPass non dot 1x printer authentication question

Thanks Tim,

 

I was looking at the profiler on the service and it is asking me to select an action! Should I choose Juniper session timeout since I'm working on Juniper switches? And what will that session timeout do?

Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

Re: ClearPass non dot 1x printer authentication question

Tim,

 

So I got the profiler working but here is the issue that I'm facing:

 

Aruba APs connected to the Juniper switches aren't being allowed into the switch. The MAC auth service I created looks at the MAC OUI and would push a VLAN back to the switch, but they aren't passing the check. Any clue on how to get this working?

 

[Screenshot: Screen Shot 2015-07-27 at 8.54.02 PM 1.png]

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass non dot 1x printer authentication question

Can you show the authentication request from access tracker?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

Re: ClearPass non dot 1x printer authentication question

Before, it used to give me this error:

RADIUS[Endpoints Repository] - localhost: User not found.
MAC_AUTH: No password in request. Not attempting MAC authentication
Cannot select appropriate authentication method

 

So I added EAP-MD5 as an auth method and now it looks like it is working as follows:

The AP comes in and gets into the Endpoints DB; it reboots and comes back with an OUI of Aruba Networks, CPPM sends the access points VLAN and Juniper terminates the session; the AP reboots and comes back with OS Family Aruba and Category of Access Point, so CPPM sends an AP VLAN to the switch. This is working great per the screen cap below:

 

[Screenshot: Screen Shot 2015-07-27 at 10.02.02 PM.png]

 

I would like to ask you, how do I deal with security cameras and printers with static IP addresses? In the above, CPPM is a DHCP helper on the switch and it is able to profile the OS Family and Category. How can I achieve this for devices with statically assigned IPs?

 

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass non dot 1x printer authentication question

You likely need to tell the switch to send the MAC address as the password. You shouldn't have to set up EAP methods for MAC-auth. What version of code are you running on your switches?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
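The point above about the switch sending the MAC as the password, as an added example (Python; not ClearPass or Junos code): a MAC-RADIUS Access-Request built both with and without User-Password hidden per RFC 2865 section 5.2, and a server-side check that yields the "No password in request" outcome quoted earlier when the attribute is absent. The shared secret and MAC address are constructed values.

```python
import hashlib, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_mac_auth_request(mac, secret, send_password, ident=1):
    # Access-Request as a MAC-RADIUS switch sends it: User-Name and Calling-Station-Id
    # carry the MAC; User-Password carries it too only if the switch is told to send it.
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, mac.encode()), (CALLING_STATION_ID, mac.encode())]
    if send_password:
        attrs.append((USER_PASSWORD, hide_password(mac.encode(), secret, authenticator)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def mac_auth_decision(packet, secret):
    # Server side: parse TLV attributes, then apply the check behind the Access Tracker
    # message quoted in the thread (no User-Password means no MAC auth is attempted).
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "reject: malformed packet"
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if USER_PASSWORD not in attrs:
        return "MAC_AUTH: No password in request. Not attempting MAC authentication"
    password = unhide_password(attrs[USER_PASSWORD], secret, packet[4:20])
    if attrs[USER_NAME] == password == attrs.get(CALLING_STATION_ID):
        return "accept: MAC sent as both username and password"
    return "reject: password does not match the MAC"
```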
Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

Re: ClearPass non dot 1x printer authentication question

Hi Tim,

 

The EX switches are running:

EX4300 : jinstall-ex-4300-13.2X51-D36.1-domestic-signed.tgz

 

thanks,

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: ClearPass non dot 1x printer authentication question

Make sure that the interface is configured this way:
set protocols dot1x authenticator interface <INTERFACE-NAME> mac-radius

In ClearPass, add a rule under your enforcement policy so that if the device hasn't been profiled, it returns a dead-end VLAN in which you allow the device to get profiled for a short period of time, and then CoA the device.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 222
Registered: ‎09-11-2013

Re: ClearPass non dot 1x printer authentication question

Thanks Victor,

So far I tested with an Aruba AP and it is working fine since Aruba APs request DHCP. I will test today with a device that has a static address and see how it goes.

 

From your experience, if a device has a static IP would it still be profiled upon performing mac auth?
