Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

HP 2910 and Clearpass Inquiry?

  • 1.  HP 2910 and Clearpass Inquiry?

    Posted Sep 07, 2015 04:45 PM

    I have read the tech note about HP Switches Integration with ClearPass. I have an inquiry: can I do both dot1x and MAC authentication on the same port, as on a Cisco? I also want to verify whether the below configs will make 802.1X and MAC authentication work well or not:

     

    conf t
    CPPM-2920(config)# radius-server host 10.2.100.161 key my_shared_secret
    CPPM-2920(config)# radius-server host 10.2.100.161 dyn-authorization
    CPPM-2920(config)# radius-server host 10.2.100.161 time-window 0
    CPPM-2920(config)#aaa accounting network start-stop radius server-group radius
    CPPM-2920(config)# aaa accounting update periodic 2
    CPPM-2920(config)# dhcp-snooping
    CPPM-2920(config)# dhcp-snooping vlan 1 2 3 4...
    CPPM-2920(config)# dhcp-snooping trust <port-list>
    CPPM-2920(config)# aaa authentication port-access eap-radius
    CPPM-2920(config)# aaa port-access authenticator active
    CPPM-2920(config)# aaa port-access authenticator 6-12 client-limit 1
    CPPM-2920(config)# aaa port-access authenticator <port ID list> unauth-period <seconds>
    CPPM-2920(config)# aaa port-access mac-based 6-12
    CPPM-2920(config)# aaa port-access mac-based 6-12 quiet-period 30
    CPPM-2920(config)# aaa port-access mac-based 6-12 auth-vid 710




  • 2.  RE: HP 2910 and Clearpass Inquiry?
    Best Answer

    EMPLOYEE
    Posted Sep 08, 2015 07:03 AM

    1.  Download the latest firmware here:  https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J9729A

     

    2.  Setup your radius server:

    radius-server host 192.168.1.17 key "aruba123"
    radius-server host 192.168.1.17 dyn-authorization
    

    3.  Setup mac based and 802.1x-based authentication on ports 9 to 12:

    aaa authentication port-access eap-radius server-group "cppm"
    aaa authentication mac-based chap-radius server-group "cppm"
    aaa port-access authenticator 9-12
    aaa port-access authenticator 9 client-limit 1
    aaa port-access authenticator 10 client-limit 1
    aaa port-access authenticator 11 client-limit 1
    aaa port-access authenticator 12 client-limit 1
    aaa port-access authenticator active
    aaa port-access mac-based 9-12
    aaa port-access mac-based 9 client-limit 10
    aaa port-access mac-based 10 client-limit 10
    aaa port-access mac-based 11 client-limit 10
    aaa port-access mac-based 12 client-limit 10
    

    That should be it.

     

    Big shout out to the NE Engineer whose tutorial I used for this configuration verbatim.
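The two snippets above, pulled together into one ArubaOS-Switch (ProVision) configuration for a 2920-class switch, as an added example that is not part of the thread or of any HPE document. The reply references server-group "cppm" without ever defining it; the `aaa server-group` line below supplies that definition. The ClearPass address 192.168.1.17, the shared secret "aruba123", the group name and the port range 9-12 are the values used in the reply and are placeholders here; the `show` commands at the end are how you confirm which method actually authenticated each client.

```text
; Added example (not from the thread). ArubaOS-Switch / ProVision CLI, 2920-class switch.
; Assumed values: ClearPass at 192.168.1.17, shared secret "aruba123", server group "cppm",
; ports 9-12 as user-facing ports.

; 1. RADIUS server, CoA/disconnect (dyn-authorization) and a named server group.
;    The thread's reply uses server-group "cppm" but never defines it; this line does.
radius-server host 192.168.1.17 key "aruba123"
radius-server host 192.168.1.17 dyn-authorization
aaa server-group radius "cppm" host 192.168.1.17

; 2. Bind both authentication methods, plus accounting, to that group.
aaa authentication port-access eap-radius server-group "cppm"
aaa authentication mac-based chap-radius server-group "cppm"
aaa accounting network start-stop radius server-group "cppm"
aaa accounting update periodic 2

; 3. Enable 802.1X and MAC authentication on the same ports.
;    client-limit 1 allows one 802.1X client per port. A device that never answers
;    the EAP identity request (printer, phone) is authenticated by MAC address instead,
;    so the ClearPass MAC-auth service, not the switch, decides what it may reach.
aaa port-access authenticator 9-12
aaa port-access authenticator 9-12 client-limit 1
aaa port-access mac-based 9-12
aaa port-access authenticator active

; 4. Verify: which client sits on which port, via which method, in which VLAN,
;    and that the RADIUS server is reachable and answering.
show port-access clients
show port-access authenticator 9-12
show port-access mac-based 9-12
show radius
```

Keep the `client-limit` and the MAC-auth fall-through in mind when reading `show port-access clients`: a printer showing up as MAC-authenticated is expected, but a workstation that should be doing 802.1X and appears as MAC-authenticated means its supplicant is not running and it is only getting whatever the MAC-auth policy in ClearPass grants.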

     



  • 3.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 09, 2015 06:50 PM

    Thank you so much, you really helped a lot. I will test and give you feedback.



  • 4.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 11, 2015 06:59 AM

    Hello Joseph

     

    I have tested the configurations and it worked, but a big issue showed up:

     

    Now I want the user to authenticate when he enters his Windows login credentials, and then he will have access. The thing is, if the domain user is not cached, the user enters his credentials and is not able to log into the domain; the message says the domain service is not available and the user cannot log into the domain. So how to solve such a thing?



  • 5.  RE: HP 2910 and Clearpass Inquiry?

    EMPLOYEE
    Posted Sep 11, 2015 07:53 AM
    You need to configure the client for machine authentication and add a machine authentication rule to your enforcement policy.


    Thanks,
    Tim


  • 6.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 11, 2015 08:07 AM

    So that's a good point I had thought about, but what enforcement should be done for this machine rule?



  • 7.  RE: HP 2910 and Clearpass Inquiry?

    EMPLOYEE
    Posted Sep 11, 2015 08:17 AM
    TIPS role equals [Machine Authenticated]

    [Allow Access Profile]


    Thanks,
    Tim


  • 8.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 11, 2015 08:23 AM

    But this role will allow any machine authentication directly. For example, I have printers that should be in the Printers VLAN and IP phones in the Voice VLAN, for which I have created enforcement profiles and an enforcement policy, so if I add this enforcement condition it will allow access. Please correct me if I'm wrong, and really thank you for your fast response.



  • 9.  RE: HP 2910 and Clearpass Inquiry?

    EMPLOYEE
    Posted Sep 11, 2015 08:24 AM
    So you would just add whichever enforcement profile you want for that condition.

    I'm not sure what you're asking.


    Thanks,
    Tim


  • 10.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 11, 2015 08:39 AM

    The thing is, a domain user, for example on Windows 8, cannot log in to the domain on a configured 802.1X port (and on this Windows we enabled 802.1X and configured it so that the Windows login is used as the 802.1X login, in the 802.1X settings in Windows).



  • 11.  RE: HP 2910 and Clearpass Inquiry?

    EMPLOYEE
    Posted Sep 11, 2015 08:43 AM
    That's why you need to enable machine authentication on the client.


    Thanks,
    Tim


  • 12.  RE: HP 2910 and Clearpass Inquiry?

    Posted Sep 12, 2015 11:20 AM

    The thing is, now if I enable Machine Authentication on the client and allow access to the network, then anyone can log on to my network, so what is the purpose of 802.1X and the NAC as a whole?



  • 13.  RE: HP 2910 and Clearpass Inquiry?
    Best Answer

    EMPLOYEE
    Posted Sep 12, 2015 11:23 AM
    The device will only machine authenticate at the login screen then it will switch to user which requires valid user credentials...


    Thanks,
    Tim
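One way to lay out the ClearPass side of what the thread arrives at, as an added example and not something posted in the thread or taken from HPE documentation. It keeps the printer and phone decisions in the MAC-auth service, where EAP-less devices land, and uses the machine-authentication pass only to reach the domain at the logon screen. The role names Printer and IP-Phone, the VLAN profile names, the "Domain-Only VLAN" profile and the choice of "first applicable" rule evaluation are assumptions; `[Machine Authenticated]`, `[User Authenticated]`, `[Allow Access Profile]` and `[Deny Access Profile]` are the built-in ClearPass role and profile names.

```text
# Added example (not from the thread). Role names "Printer" and "IP-Phone", the VLAN profile
# names, "Domain-Only VLAN" and first-applicable evaluation are assumptions.

Service: Wired MAC Auth  (MAC_AUTH; devices that never answer the EAP identity request)
  Role mapping:  Endpoint category = Printer   -> Printer
                 Endpoint category = IP Phone  -> IP-Phone
  Enforcement policy  (Rules evaluation algorithm: first applicable)
    1. Tips:Role EQUALS Printer    -> Printer VLAN   (RADIUS VLAN attributes)
    2. Tips:Role EQUALS IP-Phone   -> Voice VLAN
    Default                        -> [Deny Access Profile]

Service: Wired 802.1X  (EAP-PEAP / MSCHAPv2 against Active Directory)
  Enforcement policy  (Rules evaluation algorithm: first applicable)
    1. Tips:Role EQUALS [User Authenticated]
       AND Tips:Role EQUALS [Machine Authenticated]  -> [Allow Access Profile]  (user VLAN)
    2. Tips:Role EQUALS [Machine Authenticated]      -> Domain-Only VLAN (reach DCs, GPO, DNS)
    Default                                          -> [Deny Access Profile]

Windows supplicant (Wired AutoConfig, PEAP advanced settings):
  Specify authentication mode = "User or computer authentication"
    logon screen : computer auth as host/NAME$  -> rule 2, machine auth is cached for the MAC
    after logon  : user auth as DOMAIN\user      -> rule 1, because the cached machine auth
                                                    adds [Machine Authenticated] to the user session
```

Rule order matters under first-applicable evaluation: the user-plus-machine rule sits above the machine-only rule, so a computer that is still at the logon screen never gets the user VLAN, and a user on a non-domain laptop (valid credentials, no machine authentication) gets nothing beyond the default. The printer and phone rules never see `[Machine Authenticated]` at all because they live in the MAC-auth service, which answers the concern about the machine rule letting those devices in.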