Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dual Port IP Phone

  • 1.  Dual Port IP Phone

    Posted Dec 12, 2017 09:23 AM

    Gurus,

    I'm trying to do authentication with ClearPass using an Aruba 3810 switch. I've successfully tested 802.1X with the Cisco VoIP phone and a laptop with 802.1X enabled; both authenticated successfully and got the correct VLAN.

    But if the laptop is not configured with 802.1X enabled, it fails to redirect to the captive portal to authenticate. The laptop doesn't get an IP address, but inside ClearPass I am able to see that the client is pushed the correct profile for the captive portal login.

    Can this be done? The Cisco phone will do MAC auth, and the client connected to the phone will do MAC auth also.

     

    Voice VLAN: 854
    Data VLAN: 351
    Switch: Aruba 3810 (16.04.0009)

    Config (port number replaced with x):

    aaa server-group radius "CPPM" host 10.50.6.76
    aaa accounting update periodic 1
    aaa accounting network start-stop radius server-group "CPPM"
    aaa authentication port-access eap-radius authorized
    aaa authentication web-based chap-radius server-group "CPPM"
    aaa authentication mac-based chap-radius server-group "CPPM"
    aaa authentication captive-portal enable

    interface x
       untagged vlan 351
       tagged vlan 854

    aaa port-access authenticator x
    aaa port-access authenticator x auth-vid 351
    aaa port-access authenticator active
    aaa port-access authenticator x client-limit 3
    aaa port-access mac-based x
    aaa port-access mac-based 13 auth-vid 351


  • 2.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 12, 2017 09:34 AM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


  • 3.  RE: Dual Port IP Phone

    Posted Dec 12, 2017 09:37 AM

    Hi Tim,

    It should be, as everything is working as it should, except for the part where I need to connect a client to the Cisco VoIP phone's port.



  • 4.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 12, 2017 09:39 AM
    If the Cisco phone is expecting a tagged VLAN, add a tagged VLAN to your phone role.


  • 5.  RE: Dual Port IP Phone

    Posted Dec 12, 2017 09:41 AM

    Yes... the Cisco phone is getting its IP address on the tagged VLAN. 802.1X is working with the phone, but MAC auth doesn't work for URL redirection.



  • 6.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 13, 2017 08:13 AM

    Yes, I just tried this in my lab and it works: a 7940 phone with a laptop behind it, where I do get redirected on the laptop. One thing that might be causing what you see is that by default only a single MAC address is allowed for MAC authentication.

    Do you have the addr-limit set in your config?

    aaa port-access mac-based 1-4 addr-limit 3

     



  • 7.  RE: Dual Port IP Phone

    Posted Dec 13, 2017 09:31 PM

    Herman,

    Yes, that did the trick. The limitation is that if the laptop is connected through the phone, CoA won't work when I want to change the client VLAN from 351 to 359. I have to manually unplug and plug back in to change the VLAN.

    Is this normal? Is it because CoA is only supported on the Aruba switch and not on the Cisco phone?



  • 8.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 14, 2017 08:31 AM

    What type of CoA are you sending out, and for what use case? I only tested without CoA, where I returned the client VLAN in a standard VLAN enforcement, so the client is not really switching VLANs.

    I just tested, and sending an [HPE Terminate Session] to one of the devices (phone or laptop) triggers a re-authentication for that specific device only.

    So you are not sending the CoA for the laptop to the phone, but to the switch, because that is where the authentication is happening.

    If you are still stuck, it may help to contact your Aruba ClearPass partner or Aruba TAC for an interactive session to address your use case.
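The reply above makes the key point: the CoA for the laptop is addressed to the switch, which holds the RADIUS session, not to the phone. The following is an added example, not code from the thread, from Aruba or from ClearPass. It shows the RFC 5176 Disconnect-Request exchange that a "terminate session" style CoA profile rides on, built in plain Python with both sides present (the sender's request and the switch's ACK or NAK) so it runs offline. The shared secret, the switch address 10.50.6.1, the MAC addresses and the switch's session table are constructed; the exact attribute set ClearPass sends with its [HPE Terminate Session] profile is not stated in the thread, so keying the request on NAS-IP-Address plus Calling-Station-Id (and omitting Message-Authenticator) is an assumption.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

# RFC 5176 Dynamic Authorization: a Disconnect-Request goes to the NAS (the
# switch that authenticated the session); it answers Disconnect-ACK or -NAK.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 4, 31, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value
COA_PORT = 3799                        # default UDP port for Disconnect/CoA


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs (type, length, value)."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_disconnect_request(ident, nas_ip, calling_station_id, secret):
    """Sender side. Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    attrs = encode_attrs([
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (ATTR_CALLING_STATION_ID, calling_station_id.encode()),
    ])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def _build_reply(code, request, attrs, secret):
    """Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def switch_handle_request(request, active_sessions, secret):
    """NAS (switch) side: check the secret, then ACK only if it owns a session for that MAC."""
    if len(request) < 20 or request[0] != DISCONNECT_REQUEST:
        raise ValueError("not a Disconnect-Request")
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    if not hmac.compare_digest(expected, request[4:20]):
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    attrs = dict(decode_attrs(request[20:]))
    mac = attrs.get(ATTR_CALLING_STATION_ID, b"").decode()
    if mac in active_sessions:
        return _build_reply(DISCONNECT_ACK, request, [], secret)
    cause = struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return _build_reply(DISCONNECT_NAK, request, [(ATTR_ERROR_CAUSE, cause)], secret)


def verify_reply(request, reply, secret):
    """Sender side: return (code, error_cause_or_None) once the reply authenticates."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("identifier/length mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs = dict(decode_attrs(reply[20:]))
    cause = attrs.get(ATTR_ERROR_CAUSE)
    return code, (struct.unpack("!I", cause)[0] if cause else None)


def send_disconnect(switch_ip, calling_station_id, secret, timeout=3.0):
    """Real use against a switch listening on UDP/3799 (not exercised offline)."""
    request = build_disconnect_request(1, switch_ip, calling_station_id, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (switch_ip, COA_PORT))
        reply, _ = sock.recvfrom(4096)
    return verify_reply(request, reply, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed
    switch = "10.50.6.1"                           # assumed switch IP (ClearPass is 10.50.6.76 in the thread)
    sessions = {"00-11-22-33-44-55", "00-aa-bb-cc-dd-ee"}  # constructed phone + laptop MACs
    req = build_disconnect_request(7, switch, "00-aa-bb-cc-dd-ee", secret)
    print(verify_reply(req, switch_handle_request(req, sessions, secret), secret))
```

The useful check this gives you: a NAK carrying Error-Cause 503 (Session Context Not Found) means the switch has no session for that Calling-Station-Id, which is what you would see if the MAC format in the CoA does not match what the switch reported in RADIUS accounting. A Disconnect only ends the session and forces re-authentication; it does not by itself make the laptop behind the phone request a new DHCP lease, which is the VLAN-change problem the rest of this thread turns on.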



  • 9.  RE: Dual Port IP Phone

    Posted Dec 14, 2017 08:40 AM
    Manual CoA is working and manages to terminate the session, but only when using the same VLAN. If I plan to change the VLAN, it won't work.


  • 10.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 14, 2017 09:10 AM

    Still, I'm not sure what you are trying to achieve and how. I would try to avoid switching VLANs whenever possible, and rather use roles or dACLs to limit traffic for unknown devices. The structure that I typically use is to put devices in a profiling VLAN or role, then, when you learn new information on the device, trigger a CoA that re-authenticates the client, and then, in the new authentication, return the proper access.

    This video describes how I tend to do such a workflow:

    https://www.youtube.com/watch?v=DA8Bm7m2drM

    In the video, I do the VLAN change, and in that case the port-bounce is used to let the attached device do a new DHCP request for an IP in the new, changed VLAN. It looks like a port-bounce is not transferred through the phone, so again a reason to prevent VLAN changes.

    It is really hard to remotely troubleshoot your situation; if you have access to Aruba TAC, I would contact them.



  • 11.  RE: Dual Port IP Phone

    Posted Dec 14, 2017 09:30 AM

    Herman,

    I'm already working with TAC, case #: 5325370422

    I think it would be easier if I just remove any VLAN pushing from the enforcement profile and just follow whatever VLAN is on the port being connected to.

    By doing it this way, I could prevent any VLAN changing and stick to the same VLAN based on the port configuration.

    Quick question: my end user suddenly asked for social login on a wired port. That means we can authenticate the user using social login when the web redirection happens.

    Is this possible?



  • 12.  RE: Dual Port IP Phone

    EMPLOYEE
    Posted Dec 14, 2017 10:25 AM

    Yes, social login would work on wired as well; however, depending on the cloud authentication provider, you will need to allow (whitelist) access to the login service of that provider (see https://github.com/aruba/clearpass-cloud-service-whitelists for what you need to whitelist). As of today, the switches only allow you to put IP addresses in there (as far as I know), which makes it challenging to allow the right traffic while blocking (most) everything else.

    If you have an Aruba controller or a NextGen firewall that works with ClearPass Exchange, you might be able to find a way to filter the traffic there.

    Maybe someone on this forum has experience with Social Logon on wired?
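The constraint described in the reply above (the pre-authentication role on the switch can only allow IP addresses, while the provider whitelists are expressed as hostnames, some of them wildcards) is easy to underestimate until you try to build the rule set. The following is an added example, not code from the thread, from Aruba or from the linked whitelist repository: it takes a whitelist of hostnames and CIDRs, resolves what it can through an injectable resolver, collapses the result into the minimal set of networks, reports the entries that cannot be expressed as addresses at all, and renders a generic pre-auth ACL that also keeps DNS and the ClearPass captive portal reachable. The whitelist contents, the DNS answers, the DNS server 10.50.6.53 and the ACL name are constructed; the ClearPass address 10.50.6.76 is the one in the posted switch config. The rendered ACL grammar is a generic extended-ACL form and is an assumption; adapt it to the switch's own class/policy or ACL syntax before use.

```python
import ipaddress
import socket

# Constructed sample in the spirit of a per-provider whitelist.  The real file
# format and the real provider entries are not on this page; the names are made up.
SAMPLE_WHITELIST = {
    "hosts": [
        "accounts.example-idp.com",
        "static.example-idp.com",
        "*.cdn.example-idp.com",   # wildcard: no address to put in an IP-only ACL
    ],
    "networks": ["203.0.113.0/24", "2001:db8:1::/48"],
}

# Constructed resolver answers so the example runs offline.
SAMPLE_DNS = {
    "accounts.example-idp.com": ["203.0.113.10", "203.0.113.11"],
    "static.example-idp.com": ["198.51.100.7"],
}


def offline_resolver(host):
    return SAMPLE_DNS.get(host, [])


def live_resolver(host):
    """Real DNS lookup for actual use; returns an empty list on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def expand_whitelist(whitelist, resolver):
    """Return (ipv4 networks, ipv6 networks, entries that cannot be expressed as addresses)."""
    nets, unexpressible = [], []
    for host in whitelist.get("hosts", []):
        if host.startswith("*."):          # wildcard hostnames have no fixed address set
            unexpressible.append(host)
            continue
        addrs = resolver(host)
        if not addrs:                      # unresolvable today: flag it, do not silently drop it
            unexpressible.append(host)
            continue
        nets.extend(ipaddress.ip_network(a) for a in addrs)
    nets.extend(ipaddress.ip_network(c, strict=False) for c in whitelist.get("networks", []))
    # collapse_addresses merges host routes already covered by a listed CIDR
    v4 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    return v4, v6, unexpressible


def render_pre_auth_acl(name, v4nets, clearpass_ip, dns_ip, ports=(80, 443)):
    """Generic extended-ACL text for the captive-portal (pre-auth) role; grammar assumed."""
    lines = [
        f"ip access-list extended {name}",
        f"  permit udp any host {dns_ip} eq 53",        # redirect needs name resolution
        f"  permit tcp any host {clearpass_ip} eq 80",  # ClearPass captive portal
        f"  permit tcp any host {clearpass_ip} eq 443",
    ]
    for net in v4nets:
        dest = f"host {net.network_address}" if net.prefixlen == 32 else str(net)
        for port in ports:
            lines.append(f"  permit tcp any {dest} eq {port}")
    lines.append("  deny ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    v4, v6, gaps = expand_whitelist(SAMPLE_WHITELIST, offline_resolver)
    print(render_pre_auth_acl("CP-PREAUTH", v4, "10.50.6.76", "10.50.6.53"))
    print("cannot be expressed by IP:", gaps)
```

The list returned as `unexpressible` is the real answer to the question in the thread: every wildcard entry there is a login flow that an IP-only pre-auth role cannot admit without either opening far more than the provider, or moving the filtering to something that matches on names (a controller or a firewall, as the reply suggests). Resolved addresses also change over time, so regenerate and diff the ACL on a schedule rather than treating it as static.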



  • 13.  RE: Dual Port IP Phone

    Posted Dec 14, 2017 10:29 AM

    Herman,

    Yeah, this one can only be done with integration of the Aruba controller using the Per User Tunnel Node method, as the switch won't be able to whitelist based on domain name.