Occasional Contributor I

Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

Hello. I'd like to ask for guidance one more time.

My goal is to start working with ClearPass, and I'm trying to bring up a simple lab. I have a Win2016 server with AD working fine, CPPM 6.7, an IAP305 (latest), and Win7 as the Wi-Fi client.

The task is: on the CPPM, catch users who are members of Grupe1, attach a role to them, and by that role "enforce" them to be assigned a role on the IAP with a simple deny icmp any any (hereafter "denyping").

The problem is that I don't even see CPPM passing the Aruba-User-Role attribute to the IAP in the packet capture, and the IAP is not picking it up either.

Here is the setup:

192.168.200.222 - CPPM, 192.168.100.20 - IAP

clearpass01.png

As you can see, the policy is UserIsGrupe1.

Policy:
clearpass02.png

Never mind the condition; pl_test (my role) is the default role, and it is working (see below).

Here is the enforcement profile:
clearpass04.png

... and the attribute I'd like the IAP to receive.

The enforcement policy:

clearpass07.png

Again, the condition might not work (though it probably does), but the Default Profile should work anyway.

And what I see in the packet capture:
clearpass05.png
As you can see, Access-Accept, but there is no Aruba vendor attribute. And the IAP also doesn't see it.

Here is the output from the tracker:
clearpass11.png

And here is the output:

clearpass12.png

Please note: the attribute is present, but it is not seen in the packet capture, nor does the IAP recognize it.

Here, just in case, is the config from the IAP:

clearpass13.png

All users fall back into ArubaRadio1 instead of denyping.

I understand that there is some stupid little something I'm missing for such a trivial case, but I can't catch it.

I'd really appreciate any advice. Thank you!


Guru Elite

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

Do you have the role defined on the IAP?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

1. In your enforcement profile, remove the device group requirement.

2. The "Aruba-User-Role" VSA does not require a role assignment rule on the IAP. The IAP sees that attribute and changes the user role.

3. I don't see "denyping" as a defined role on the IAP. If the role you return with the VSA does not exist, the user just gets the default role.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor I

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

I think I am.

clearpass14.png

Please also find attached the CPPM log and packet capture files (just in case).

Thank you!

Occasional Contributor I

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

Thank you, cjoseph. But no luck; nothing has changed (after the device removal).

And regarding the role assignment on the IAP, I've tried both ways; pointing to it manually with an access rule just seemed like a required prerequisite. But it should work anyway, I think. And it isn't.

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

Try to disable Monitor Mode in your service. The screenshot shows it is enabled.

Monitor Mode will return just an Access-Accept, regardless of policy/authentication, and is intended to show what would happen without actually doing it. From your description, this matches what you see.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
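As an added illustration (not part of this thread or any Aruba tool), a small Python check that decodes a RADIUS Access-Accept and reports whether it carries the Aruba-User-Role VSA, which is a quick way to confirm from a capture whether the role was really sent or whether you got the bare Access-Accept that Monitor Mode produces. It assumes Aruba's IANA enterprise number 14823 and Aruba-User-Role type 1 from the Aruba RADIUS dictionary; the two sample packets are constructed here with zeroed authenticators.

```python
import struct
ACCESS_ACCEPT = 2          # RADIUS Code for Access-Accept (RFC 2865)
VENDOR_SPECIFIC = 26       # Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823    # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1        # Aruba-User-Role type in the Aruba VSA dictionary

def tlv_walk(buf: bytes, start: int, end: int):
    """Yield (type, value) over Type/Length/Value items in buf[start:end]."""
    pos = start
    while pos + 2 <= end:
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, buf[pos + 2:pos + length]
        pos += length

def aruba_user_role(packet: bytes):
    """Return the Aruba-User-Role string in an Access-Accept, or None if absent."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with packet")
    # Attributes follow the 20-byte header (Code, Id, Length, Authenticator).
    for atype, value in tlv_walk(packet, 20, length):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # some other vendor's VSA
        for vtype, data in tlv_walk(value, 4, len(value)):
            if vtype == ARUBA_USER_ROLE:
                return data.decode("utf-8")
    return None

def aruba_role_vsa(role: str) -> bytes:
    """Encode Aruba-User-Role=<role> as a Vendor-Specific attribute (sample builder)."""
    sub = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode("utf-8")
    value = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(value)]) + value

def build_accept(identifier: int, attrs) -> bytes:
    """Constructed Access-Accept; the authenticator is zeroed, not a real MD5."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body

# Constructed samples: a real enforcement reply vs. what Monitor Mode returns.
ACCEPT_WITH_ROLE = build_accept(7, [aruba_role_vsa("denyping")])
MONITOR_MODE_ACCEPT = build_accept(8, [])  # bare Access-Accept, no VSA
```

Feed it the raw UDP payload of the Access-Accept from your capture: a result of None on a packet that Access Tracker claims carried the role points at the reply itself being stripped, as with Monitor Mode.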
Occasional Contributor I

Re: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

That is exactly what it was.

Thank you very much! I can continue now :)
