Security

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

HP 2910 and Clearpass Inquiry?

I have read the tech note about HP switch integration with ClearPass. I have an inquiry: can I do both dot1x and MAC authentication on the same port, as on a Cisco? Also, I want to verify whether the configs below will make 802.1X and MAC authentication work well or not:


CPPM-2920# conf t
CPPM-2920(config)# radius-server host 10.2.100.161 key my_shared_secret
CPPM-2920(config)# radius-server host 10.2.100.161 dyn-authorization
CPPM-2920(config)# radius-server host 10.2.100.161 time-window 0
CPPM-2920(config)# aaa accounting network start-stop radius server-group radius
CPPM-2920(config)# aaa accounting update periodic 2
CPPM-2920(config)# dhcp-snooping
CPPM-2920(config)# dhcp-snooping vlan 1 2 3 4...
CPPM-2920(config)# dhcp-snooping trust <port-list>
CPPM-2920(config)# aaa authentication port-access eap-radius
CPPM-2920(config)# aaa port-access authenticator active
CPPM-2920(config)# aaa port-access authenticator 6-12 client-limit 1
CPPM-2920(config)# aaa port-access authenticator <port ID list> unauth-period <seconds>
CPPM-2920(config)# aaa port-access mac-based 6-12
CPPM-2920(config)# aaa port-access mac-based 6-12 quiet-period 30
CPPM-2920(config)# aaa port-access mac-based 6-12 auth-vid 710


Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Re: HP 2910 and Clearpass Inquiry?

1.  Download the latest firmware here:  https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J9729A
2.  Set up your RADIUS server:

radius-server host 192.168.1.17 key "aruba123"
radius-server host 192.168.1.17 dyn-authorization

3.  Set up MAC-based and 802.1X-based authentication on ports 9 to 12:

aaa authentication port-access eap-radius server-group "cppm"
aaa authentication mac-based chap-radius server-group "cppm"
aaa port-access authenticator 9-12
aaa port-access authenticator 9 client-limit 1
aaa port-access authenticator 10 client-limit 1
aaa port-access authenticator 11 client-limit 1
aaa port-access authenticator 12 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based 9-12
aaa port-access mac-based 9 client-limit 10
aaa port-access mac-based 10 client-limit 10
aaa port-access mac-based 11 client-limit 10
aaa port-access mac-based 12 client-limit 10

That should be it.
Big shout out to the NE engineer whose tutorial I used for this configuration verbatim.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
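An added check, not from the thread or from HP/Aruba: a small Python lint that parses a ProCurve port-access snippet like the ones quoted above and reports the gaps the reply closes, for instance MAC-auth ports configured with no `aaa authentication mac-based` method (the asker's snippet) versus the reply's complete set. The two sample configs are constructed from the snippets in this thread, and the checks cover only the commands shown here.

```python
import re

# Constructed sample inputs, taken from the two snippets quoted in this thread.
ASKER_CONFIG = """CPPM-2920(config)# aaa authentication port-access eap-radius
CPPM-2920(config)# aaa port-access authenticator active
CPPM-2920(config)# aaa port-access authenticator 6-12 client-limit 1
CPPM-2920(config)# aaa port-access mac-based 6-12
CPPM-2920(config)# aaa port-access mac-based 6-12 auth-vid 710"""
REPLY_CONFIG = """aaa authentication port-access eap-radius server-group "cppm"
aaa authentication mac-based chap-radius server-group "cppm"
aaa port-access authenticator 9-12
aaa port-access authenticator active
aaa port-access mac-based 9-12"""

PORT_SPEC = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")  # "9", "6-12", "6,8-10"
PROMPT = re.compile(r"^\S*\(config\)#\s*")              # drops "CPPM-2920(config)# "
def expand_ports(spec):
    """Turn a ProCurve port list such as '6,8-10' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_port_access(config):
    """Return findings for an 802.1X + MAC-auth snippet; empty list means no gap found."""
    dot1x_method = mac_method = active = False
    dot1x_ports, mac_ports = set(), set()
    for raw in config.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        has_ports = len(words) > 3 and PORT_SPEC.match(words[3])
        if words[:3] == ["aaa", "authentication", "port-access"]:
            dot1x_method = True
        elif words[:3] == ["aaa", "authentication", "mac-based"]:
            mac_method = True
        elif words[:3] == ["aaa", "port-access", "authenticator"]:
            if len(words) > 3 and words[3] == "active":
                active = True
            elif has_ports:
                dot1x_ports |= expand_ports(words[3])
        elif words[:3] == ["aaa", "port-access", "mac-based"] and has_ports:
            mac_ports |= expand_ports(words[3])
    findings = []
    if dot1x_ports and not dot1x_method:
        findings.append("802.1X ports %s but no 'aaa authentication port-access' method" % sorted(dot1x_ports))
    if dot1x_ports and not active:
        findings.append("802.1X ports configured but 'aaa port-access authenticator active' is missing")
    if mac_ports and not mac_method:
        findings.append("MAC-auth ports %s but no 'aaa authentication mac-based' method" % sorted(mac_ports))
    return findings
```

Running it on the asker's snippet reports the missing MAC-based authentication method; on the reply's snippet it reports nothing.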

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: HP 2910 and Clearpass Inquiry?

Thank you so much, you really helped a lot. I will test and feed back to you.

Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: HP 2910 and Clearpass Inquiry?

Hello Joseph
I have tested the configuration and it worked, but a big issue showed up:
Now I want the user to authenticate when he enters his Windows login credentials, and then he will have access. The thing is, if the domain user is not cached, the user enters his credentials and he will not be able to log into the domain; the message says the domain service is not available and the user cannot log into the domain. So how do I solve such a thing?

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: HP 2910 and Clearpass Inquiry?

You need to configure the client for machine authentication and add a machine authentication rule to your enforcement policy.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: HP 2910 and Clearpass Inquiry?

So that's a good point I had thought about, but what enforcement should be done for this machine rule?

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: HP 2910 and Clearpass Inquiry?

TIPS role equals [Machine Authenticated]

[Allow Access Profile]


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: HP 2910 and Clearpass Inquiry?

But this role will allow any machine authentication directly. For example, I have printers that should be in the Printers VLAN and IP phones in the Voice VLAN, for which I have created enforcement profiles and an enforcement policy, so if I add this enforcement condition it will allow access. Please correct me if I'm wrong, and really thank you for your fast response.

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: HP 2910 and Clearpass Inquiry?

So you would just add whichever enforcement profile you want for that condition.

I'm not sure what you're asking.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 479
Registered: ‎03-15-2014

Re: HP 2910 and Clearpass Inquiry?

The thing is, a domain user, for example on Windows 8, cannot log in to the domain on a configured 802.1X port (and on this Windows machine we enabled 802.1X and configured it in the Windows 802.1X settings so that the Windows login is used as the 802.1X login),
