Regular Contributor I

Clearpass wired policy enforcement

Hi community,

I want to set up wired policy enforcement with switch user roles.

We have an Aruba 2930f Switch with WC.16.05.0007 on it.

We used the ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf to configure the switch and the CPPM server.

CPPM version is 6.7.

The user role download works fine on the switch.

The Access Tracker shows RADIUS accept, but the account doesn't work.

The client cannot connect to the networks.

The Access Tracker shows this output:

[screenshots: 1.png, 2.png, 3.png]

The switch shows this:

[screenshot: 4.png]

Does anyone have an idea how to fix this problem?

Thanks

Guru Elite

Re: Clearpass wired policy enforcement

Based on your screenshots, DUR is not in use. Does the role exist on the switch? Did you check show port-access clients?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Clearpass wired policy enforcement

Yes, this role exists on the switch; the other roles are downloadable roles...

[screenshot: 1.PNG]

Guru Elite

Re: Clearpass wired policy enforcement

You’d need to debug datapath on the switch side. If the client is being assigned the role, then everything is working correctly with ClearPass.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Clearpass wired policy enforcement

The switch shows this:

[screenshot: 1.PNG]

Can you send me the commands to show you the debug output?

Regular Contributor I

Re: Clearpass wired policy enforcement

Hi Tim,

I have seen that the instructions I configured everything according to are from you.
I started with the configuration on page 15; can it be that I left something important out beforehand?

@all
Could someone help with debugging the problem?
How do I enable debugging?
What do I have to watch out for?

Thank you very much.

Re: Clearpass wired policy enforcement

If you need someone to troubleshoot with you, it is probably best to reach out to your Aruba partner or to Aruba support.

In case you have an error in the return attributes or in the role content, what I have seen a few times is that in "show port-access clients <port> detail" it says: rejected, no vlan. On how to troubleshoot that, I created a video: https://www.youtube.com/watch?v=IayTBrXVznE

Key commands there on the switch are:

debug destination session
debug event

If that doesn't give enough, you can, in addition, debug the following:

debug security port-access
debug security radius-server

It is hard to tell what to look for as there is barely information in your reports. In my experience, watching these logs live as they come in, together with someone who has seen more of these logs is the most effective way to solve the issue. Reach out to your Aruba partner or Aruba TAC for such a live troubleshooting session if you can't make sense out of the debug logs.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
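As an added illustration of what to look for in that command output, here is a small Python triage script; it is not from the thread, from Aruba or from ClearPass. The sample output below is constructed for the example and its exact field layout is an assumption about the "show port-access clients <port> detail" display; only the "rejected, no vlan" status phrase comes from the post above. The script parses the "Key : value" pairs and reports the conditions that distinguish a switch-side role/VLAN problem from a RADIUS problem (ClearPass showing ACCEPT while the client still has no access).

```python
import re

# Constructed sample output, modelled on an ArubaOS-Switch
# "show port-access clients <port> detail" display. The field names and
# layout are an assumption for this example; "rejected, no vlan" is the
# status phrase from the thread.
SAMPLE_DETAIL = """\
 Port Access Client Status Detail

  Client Base Details :
   Port            : 5                     Authentication Type : 802.1x
   Client Status   : rejected, no vlan     Session Time        : 0 seconds
   Client Name     : user1                 Session Timeout     : 0 seconds
   MAC Address     : 001122-334455
   User Role       : employee              VLAN                :
"""

# One "Key : value" pair; a line may hold two pairs separated by 2+ spaces.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)"
)


def parse_client_detail(text):
    """Return a dict of field name -> value from the detail output."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def diagnose(fields):
    """Return a list of findings pointing at the switch-side checks."""
    findings = []
    status = fields.get("Client Status", "")
    role = fields.get("User Role", "")
    vlan = fields.get("VLAN", "")

    if "rejected" in status.lower():
        # The switch, not ClearPass, refused the session: the RADIUS
        # exchange can still show ACCEPT in Access Tracker.
        findings.append(
            "switch rejected the session (Client Status: %s); "
            "check role content and return attributes on the switch" % status
        )
    if "no vlan" in status.lower() or not vlan:
        findings.append(
            "no VLAN applied for role '%s': the role must carry a VLAN, "
            "or the RADIUS return attributes must provide one" % (role or "<none>")
        )
    if not role:
        findings.append(
            "no user role applied: verify the role exists on the switch "
            "(local) or was downloaded successfully (DUR)"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_client_detail(SAMPLE_DETAIL)
    for finding in diagnose(parsed):
        print("-", finding)
```

Run it against a pasted copy of the real command output in place of SAMPLE_DETAIL; if the field names differ on your firmware, adjust the keys read in diagnose() accordingly.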