Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Network devices

  • 1.  Network devices

    Posted Mar 13, 2013 08:19 AM

    Hi,

     

    I need some explanations about the network devices in CPPM.

     

    What do I really need to add there for RADIUS to work?

     

    I have added the IP of the VC (IAP 105) and the public IP of my network (for tests in lab). It works fine, no problem.

    And if I remove the VC device, it still works.

     

    So I don’t really understand how CPPM manages the devices.

     

    Thanks

     

    Dimitri



  • 2.  RE: Network devices

    Posted Mar 13, 2013 11:57 AM

    What do you mean that you added your public network to the network devices?

     

    "A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol."

    This is where you add the IP address of your device (in your case the IP address of the VC if you enabled the dynamic radius proxy feature), the shared secret and other parameters. If you do not add your devices that send the access requests then the request will fail.



  • 3.  RE: Network devices

    Posted Mar 13, 2013 12:08 PM

    To be a bit more clear:

     

    ClearPass Policy Manager server is inside my network and I use Guest Self-Registration. The IAP is outside my network and with an IP configured for the VC.

     

    If I add the VC's IP in Network Devices, the login process fails. But if I add the public IP of the network where my IAP is, it works fine. So I don't understand this.

     

    Dynamic RADIUS proxy feature: can you explain to me why I should use it?

     

    Thanks

     

    Dimitri



  • 4.  RE: Network devices

    Posted Mar 13, 2013 12:26 PM

    Well, probably there is NAT used at the perimeter of the network where the IAP resides, right? If so, then it's normal to use the public IP of the IAP, since the internal address of the IAP will never be seen at the ClearPass.

     

    If you attach a sketch of the network topology with the IPs, it may help.

     

    Dynamic RADIUS proxy: "When enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. You must set the Virtual Controller IP address as a NAS client in the RADIUS server if Dynamic RADIUS Proxy is enabled."

     



  • 5.  RE: Network devices

    Posted Mar 13, 2013 12:32 PM

    "Well, probably there is NAT used at the perimeter of the network where the IAP resides, right? If so, then it's normal to use the public IP of the IAP, since the internal address of the IAP will never be seen at the ClearPass."

     

    Yes, I think that's the point. So I must add the public address of my IAP and not its internal IP address.

     

    I will attach a sketch of my network topology tomorrow.

     

    Thanks

     

    Dimitri
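
The NAT behaviour described in reply 4, as an added Python sketch (not ClearPass code and not part of the original posts): a RADIUS server selects the shared secret from the packet's source address (RFC 2865), so behind NAT the device entry has to be the public address even when the NAS-IP-Address attribute still carries the internal one. The addresses, secret, table and function names are constructed for illustration, and requiring Message-Authenticator is this sketch's own policy.

```python
import hashlib, hmac, ipaddress, os, struct

# Constructed values: documentation-range addresses and a made-up secret.
NAD_TABLE = {ipaddress.ip_network("203.0.113.10/32"): b"lab-secret"}  # site's public NAT address

def build_access_request(secret, nas_ip, user=b"guest"):
    """Minimal Access-Request: User-Name, NAS-IP-Address, Message-Authenticator."""
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([4, 6]) + ipaddress.ip_address(nas_ip).packed
    attrs += bytes([80, 18]) + bytes(16)              # zeroed placeholder
    head = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def handle(packet, src_ip):
    """Select the secret by UDP source address, then verify Message-Authenticator."""
    addr = ipaddress.ip_address(src_ip)
    secret = next((s for net, s in NAD_TABLE.items() if addr in net), None)
    if secret is None:
        return "drop: unknown client"
    attrs = {t: (off, val) for t, off, val in parse_attrs(packet)}
    if 80 not in attrs:
        return "drop: no Message-Authenticator"
    off, received = attrs[80]
    # HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 2869)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return "drop: bad Message-Authenticator"
    nas_ip = ipaddress.ip_address(attrs[4][1]) if 4 in attrs else None
    return f"process (NAS-IP-Address={nas_ip}, matched on source {addr})"

if __name__ == "__main__":
    pkt = build_access_request(b"lab-secret", "192.168.1.5")   # IAP's internal address
    print(handle(pkt, "192.168.1.5"))     # as if no NAT: not in NAD_TABLE
    print(handle(pkt, "203.0.113.10"))    # after NAT at the site perimeter
```
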