Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PPTN configured now what?

  • 1.  PPTN configured now what?

    Posted Mar 02, 2018 06:51 AM

    O.k. I've just configured a 2930F pair of switches as a stack ... and then PPTN on a set of ports talking to a mobility controller running 6.5.4.4

     

    xb-as-2930-1# show tunneled-node-server

    Tunneled Node Server Information

    State : Enabled
    Primary Controller : 144.32.64.46
    Backup Controller :
    Keepalive Interval (seconds) : 8
    Mode : Port-based

     

    b-as-2930-1# show tunneled-node-server statistics

    Tunneled Node Statistics

    Port : 1/1
    Port : 1/2
    Port : 1/3
    Port : 1/4
    Port : 1/5
    Port : 1/6
    Port : 1/7
    Port : 1/8
    Port : 1/9
    Port : 1/10
    Port : 2/1

    Control Plane Statistics

    Bootstrap packets sent : 21
    Bootstrap packets received : 21
    Bootstrap packets invalid : 0

    Tunnel Statistics

    Rx Packets : 3
    Tx Packets : 3
    Rx 5 Minute Weighted Average Rate (Pkts/sec) : 0
    Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0

    Port : 2/2
    Port : 2/3
    Port : 2/4
    Port : 2/5
    Port : 2/6
    Port : 2/7
    Port : 2/8
    Port : 2/9
    Port : 2/10

    Aggregate Statistics

    Heartbeat packets sent : 156
    Heartbeat packets received : 156
    Heartbeat packets invalid : 0
    Fragmented Packets Dropped (Rx) : 0
    Packets to Non-Existent Tunnel : 0
    MTU Violation Drop : 0

    xb-as-2930-1#

     

    looking at the switch port with a device connected to it

    xb-as-2930-1(eth-2/1)# sh mac-address 2/1

    Status and Counters - Port Address Table - 2/1

    MAC Address VLANs
    ----------------- ------------
    4409b8-1ee4bb 4094

    Where 4409.... is a Chromecast 4K device wired interface.

     

    on the mobility controller

    (arubadev2) #show tunneled-node state

    Tunneled Node State
    -------------------
    IP MAC port state vlan tunnel inactive-time
    -- --- ---- ----- ---- ------ -------------
    10.192.3.2 ec:eb:b8:2e:8d:cb 2/1 complete 4094 102 1

     

     

    So now what? Should I have expected to see the Chromecast MAC address on the mobility controller? ... something appears in ClearPass?

     

    Didn't configure the example roles as I've got ones defined on the controller.

     

    A
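    A small health check, as an added example that is not part of the original post or of any HPE Aruba tool: it parses the `show tunneled-node-server statistics` output format quoted above (sample values constructed, not the poster's real counters) and flags the counters that would point to a tunnel that is up but not behaving.

```python
import re

# Constructed sample, modelled on the "show tunneled-node-server statistics"
# output format in the post above. Values are invented for the example.
SAMPLE = """\
Tunneled Node Statistics

Port : 1/1
Port : 2/1

Control Plane Statistics

Bootstrap packets sent : 21
Bootstrap packets received : 19
Bootstrap packets invalid : 0

Aggregate Statistics

Heartbeat packets sent : 156
Heartbeat packets received : 156
Heartbeat packets invalid : 2
Fragmented Packets Dropped (Rx) : 0
Packets to Non-Existent Tunnel : 5
MTU Violation Drop : 0
"""

PORT = re.compile(r"^\s*Port\s*:\s*(\S+)\s*$")
COUNTER = re.compile(r"^\s*([A-Za-z0-9 ()/-]+?)\s*:\s*(\d+)\s*$")

def parse_tunneled_node_stats(text):
    """Return (ports, counters): the tunneled ports listed, and every
    'Name : N' counter line folded into one flat {name: int} dict."""
    ports, counters = [], {}
    for line in text.splitlines():
        m = PORT.match(line)
        if m:
            ports.append(m.group(1))
            continue
        m = COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return ports, counters

def health_findings(counters):
    """Flag mismatches and non-zero error counters worth investigating."""
    findings = []
    for kind in ("Bootstrap", "Heartbeat"):
        sent = counters.get(f"{kind} packets sent", 0)
        recv = counters.get(f"{kind} packets received", 0)
        if sent != recv:
            findings.append(f"{kind.lower()} mismatch: sent={sent} received={recv}")
    for key in ("Bootstrap packets invalid", "Heartbeat packets invalid",
                "Fragmented Packets Dropped (Rx)", "Packets to Non-Existent Tunnel",
                "MTU Violation Drop"):
        if counters.get(key, 0) > 0:
            findings.append(f"{key} = {counters[key]}")
    return findings
```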

     



  • 2.  RE: PPTN configured now what?

    Posted Mar 02, 2018 07:18 AM

    o.k. helps if you configure the wired AAA authentication component. Can now see the device MAC address appearing in ClearPass. It's sending an access-request back with the wrong stuff in it, but at least it's breathing!

     



  • 3.  RE: PPTN configured now what?

    Posted Mar 02, 2018 07:45 AM
    Next question, if the device is on a switch connected to a VLAN defined as part of a per-port tunneled node which also exists on the mobility controller but doesn't have an L3 interface, am I correct in thinking that the ClearPass access-accept packet just needs to send back a local VLAN value that is L3 routed on the mobility controller and the device at the other end will get an IP address assigned from that VLAN?
    Ah! From the document:

    With tunneled-node, the client device’s VLAN is assigned and enforced by the controller. In a tunneled-node only deployment, no client device access networks need to be configured at the edge switch layer.

    So all I do need to do is assign device to correct vlan on controller

    Intention here is to have a wired AirGroup device connected to the switch visible by Wi-Fi AirGroup devices connected via the same controller


  • 4.  RE: PPTN configured now what?

    Posted Mar 02, 2018 08:30 AM

    o.k. so with a bit of ClearPass "tweaking" I now have a Chromecast video device connected to a wired port on a 2930F that is sitting in the same VLAN group as another Wi-Fi based Chromecast device ... can't see it yet on my iPhone ... but major step in right direction