Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Something broke with AOS upgrade?

  • 1.  Something broke with AOS upgrade?

    Posted Dec 03, 2014 10:08 AM

    We were using AOS 6.3.1.3 with CPPM 6.3.4 until this last Thursday.  We upgraded AOS to 6.3.1.13 while keeping CPPM the same version.  Monday morning, our Chromebooks could not use MAC authentication to get onto our open/CP SSID.  Nothing on CPPM changed (I triple checked the audit records).

     

    Our CPPM roles looked for "RADIUS: Aruba: Aruba-Device-Type contains Chrome OS" to assign a TIPS role of "ChromeOS Device".  The enforcement rules looked for the TIPS role of "ChromeOS Device" as well as another TIPS role indicating it was owned by us.  For whatever reason, the TIPS role was no longer being assigned to the chromeOS devices as it had been before the upgrade.

     

    Since the upgrade of AOS, I've also tried using "Endpoint repository :Device Name contains Chrome OS" and "Application: Clearpass: Device-Name equals Chrome OS" but nothing works.

     

    Is there any way to get information automatically from the device/authentication/authorization process to indicate a device is chromeOS?  Did the new AOS break something (as it appears to have done)?

     

    I know I can do all sorts of things with putting attributes on devices in the endpoint repository, but I don't want to make changes which could keep our over 22000 Windows devices from working properly.  We are using the owner attribute to ID all devices which belong to us, which works fine as long as we can ID the ChromeOS.  Once that stopped working, we were left out in the cold.



  • 2.  RE: Something broke with AOS upgrade?

    Posted Dec 03, 2014 10:19 AM

    What does the controller send to CPPM for the Aruba-Device-Type attribute?  You can see this on the Input tab of Access Tracker.

     

    When looking at the clients on the controller, what device type is listed for them?

     


    @pdavis wrote:

     

    Since the upgrade of AOS, I've also tried using "Endpoint repository :Device Name contains Chrome OS" and "Application: Clearpass: Device-Name equals Chrome OS" but nothing works.

     


    Are your devices profiled properly on CPPM to correctly identify the Device Name?



  • 3.  RE: Something broke with AOS upgrade?

    EMPLOYEE
    Posted Dec 03, 2014 10:46 AM
    You should use both the controller and ClearPass profiles so you have a fallback.


  • 4.  RE: Something broke with AOS upgrade?

    Posted Dec 03, 2014 10:55 AM

    @Clembo, I'm not seeing anything for device type now from controller in the input tab.  AOS reports Chrome OS for them as expected.

     

    Are your devices profiled properly on CPPM to correctly identify the Device Name?

    Yes, they are showing up as Chrome OS.

     

     

    @Tim, Are you saying to leave all three types of TIPS role assignment?  I'm thinking that makes sense just in case as well.



  • 5.  RE: Something broke with AOS upgrade?

    EMPLOYEE
    Posted Dec 03, 2014 10:57 AM
    Yes. In your role map, change the rule to an OR/ANY and add multiple profile sources.


  • 6.  RE: Something broke with AOS upgrade?

    Posted Dec 08, 2014 02:25 PM

    Working with TAC on this one.  Something appears to be broken but we're not sure yet what is going on.

     

    Now for the surprise: According to what TAC is telling me, it appears what we were doing before the AOS upgrade wouldn't have worked.  But it was working or at least I don't remember making changes and don't see anything in audit trail indicating I changed anything either.