Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass + HP Switch Integration - Not receiving IP address

  • 1.  Clearpass + HP Switch Integration - Not receiving IP address

    MVP
    Posted Feb 15, 2016 04:31 PM

    Hi AirHeads Community,

    I'm working with a customer who wants to have 802.1X wired authentication on his HP switches. I configured a test switch and port for 802.1X EAP-PEAP authentication and have connected a laptop. In ClearPass I see the request being Accepted and using the default [Allow Access Profile] as the enforcement. The customer has 'untagged vlan 1' on the switch ports and they only use VLAN 1 on this network. After successful authentication, however, the client is not receiving an IP address. I'm not sure if I need to change the enforcement profile or if it's something on the switch that needs to be updated.


    Wired configuration is as follows:

    interface I22
     untagged vlan 1
     aaa port-access authenticator
     aaa port-access authenticator quiet-period 5
     aaa port-access authenticator reauth-period 30
     aaa port-access authenticator auth-vid 1
     aaa port-access authenticator unauth-period 10
     aaa port-access authenticator logoff-period 862400
     aaa port-access authenticator client-limit 1
     aaa port-access controlled-direction in

    Any ideas? Thanks!



  • 2.  RE: Clearpass + HP Switch Integration - Not receiving IP address

    Posted Feb 15, 2016 04:35 PM
    Do you have a DHCP relay configured for that VLAN pointing to a DHCP server, either on the switch uplink or on the actual switch?


  • 3.  RE: Clearpass + HP Switch Integration - Not receiving IP address

    EMPLOYEE
    Posted Feb 15, 2016 04:39 PM
    If you remove the port ACL, does it work?


  • 4.  RE: Clearpass + HP Switch Integration - Not receiving IP address

    MVP
    Posted Feb 15, 2016 04:42 PM

    According to the customer, the switch ports with no authentication are receiving DHCP. However, VLAN 1 on the switch is configured as 172.18.151.241/24. The VLAN that the users are receiving is also VLAN 1, but they are apparently getting addresses in the 172.18.200.0/24 subnet. I don't know how this is possible. I might have to have them move the connection to verify.



  • 5.  RE: Clearpass + HP Switch Integration - Not receiving IP address

    MVP
    Posted Feb 15, 2016 04:47 PM

    Just verified: even with the existing network configuration, DHCP works correctly when the authentication is removed from the port.



  • 6.  RE: Clearpass + HP Switch Integration - Not receiving IP address
    Best Answer

    MVP
    Posted Feb 15, 2016 05:42 PM

    Although I still don't understand exactly how they manage to receive IPs, apparently their DHCP server had no IP addresses left because they use 8-day lease times. We managed to free up some IPs and everything worked.


    Thanks for the help