Security

last person joined: 20 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

PUTN unstable

This thread has been viewed 3 times

  • 1.  PUTN unstable

    Posted Mar 14, 2018 06:31 AM

    Hi,

     

    I'm testing PUTN (per-user tunneled node) feature and it is very unstable. Sometimes it works, but most of the times it failed. I configured the switch to use DUR to download roles from ClearPass, which contains the secondary role to tunnel user traffic to the controller. 

     

    On ClearPass, I can see the client was successfully authenticated, but somehow the switch failed to setup the tunnel.

     

    1.png

     

    On the switch, I always see the following log (vlan disabled) when it failed:

     

    3.PNG

     

    2.PNG

     

    Please give me some advice on this.

     

    Regards,



  • 2.  RE: PUTN unstable

    Posted Mar 14, 2018 10:37 PM

    Anyone has experience with this? Not sure why it behaves in such manner even when I run the exact same OS (16.04.0008) as in the Wired Policy Enforcement Guide. 



  • 3.  RE: PUTN unstable

    EMPLOYEE
    Posted Mar 14, 2018 11:00 PM
    Best to work with Aruba TAC.


  • 4.  RE: PUTN unstable

    Posted Mar 14, 2018 11:27 PM

    Hi Tim,

     

    They are PoC devices. Can I open a case with these products?

     

    Regards,



  • 5.  RE: PUTN unstable

    Posted Mar 15, 2018 05:45 AM

    Hi,

     

    After lots of testing it looks to me there's something wrong with the user-table on the controller. Let me describe in more detail. I want to onboard wired devices and here are the step-by-step:

     

    1) Users plugs in their cable, then gets authenticated by 802.1X (PEAP-GTC specifically, since I do not join ClearPass to AD).

     

    2) Upon successful authentication, ClearPass returns DUR to the switch, which tunnels user traffic to the controller on the secondary role "onboard-provisioning", which contains a captive portal to redirect users to onboard portal.

     

    3) User downloads and runs Aruba QuickConnect, then gets authenticated by EAP-TLS. Upon successful authentication, ClearPass returns DUR to the switch, which tunnels user traffic to the controller on the secondary role "allow-any", which basically allows everything (for testing purposes).

     

    The step that I'm always stuck at is step 3. I can see from ClearPass that I was successfully authenticated, and the switch also has no problem with downloading roles from ClearPass. But it does have problem when trying to apply this role. The log message was always "virtual LAN disabled" (2010 was the vlan that I tried to apply to user after being authenticated with EAP-TLS):

    1.png

     

    Checking on the controller, I saw the following (2009 was the vlan that I applied to user after being first authenticated by PEAP-GTC and redirected to onboard portal):

    2.PNG

     

    So, the controller still had the old sessions of user with old vlan. My guess is that when the switch tried to tunnel user traffic to the controller on vlan 2010, the controller rejected because it still had vlan 2009 applied to this user. That's why the switch showed vlan 2010 was disabled in its log messages and failed to apply this vlan to user. I did two other tests and the result seems to favor my guess:

      + I can onboard and authenticate successfully with EAP-TLS when I use the same vlan for onboard and post-onboard.

      + I can authenticate with EAP-TLS successfully as soon as the old sessions on the controller disappears (I don't know how to clear them, so my only option was to reboot the controller).

     

    Of course that is just my guess. Maybe I've missed something. I really appreciate if anyone can share their experience on this.

     

    Regards,