Security

Reply
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Something broke with AOS upgrade?

We were using AOS 6.3.1.3 with CPPM 6.3.4 until this last Thursday.  We upgraded AOS to 6.3.1.13 while keeping CPPM the same version.  Monday morning, our Chromebooks could not use MAC authentication to get onto our open/CP SSID.  Nothing on CPPM changed (I triple checked the audit records).

 

Our CPPM roles looked for "RADIUS: Aruba: Aruba-Device-Type contains Chrome OS" to assign a TIPS role of "ChromeOS Device".  The enforcement rules looked for the TIPS role of "ChromeOS Device" as well as another TIPS role indicating it was owned by us.  For whatever reason, the TIPS role was no longer being assigned to the chromeOS devices as it had been before the upgrade.

 

Since the upgrade of AOS, I've also tried using "Endpoint repository :Device Name contains Chrome OS" and "Application: Clearpass: Device-Name equals Chrome OS" but nothing works.

 

Is there any way to get information automatically from the device/authentication/authorization process to indicate a device is chromeOS?  Did the new AOS break something (as it appears to have done)?

 

I know I can do all sorts of things with putting attributes on devices in the endpoint repository but I don't want to make changes which could cause our over 22000 Windows devices from working properly.  We using the owner attribute to ID all devices which belong to us which works fine as long as we can ID the ChromeOS.  Once that stopped working, we were left out in the cold.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Something broke with AOS upgrade?

What does the controller send to CPPM fr the Aruba-Device-Type attribute?  You can see this on the Input tab of Access Tracker.

 

When looking at the clients on the controller, what device type is listed for them?

 


pdavis wrote:

 

Since the upgrade of AOS, I've also tried using "Endpoint repository :Device Name contains Chrome OS" and "Application: Clearpass: Device-Name equals Chrome OS" but nothing works.

 


Are your devices profiled properly on CPPM to correctly idenity the Device Name?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Something broke with AOS upgrade?

You should use both the controller and ClearPass profiles so you have a fallback.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: Something broke with AOS upgrade?

@Clembo, I'm not seeing anything for device type now from controller in the input tab.  AOS reports Chrome OS for them as expected.

 

Are your devices profiled properly on CPPM to correctly idenity the Device Name? 

Yes, they are showing up as Chrome OS.

 

 

@Tim, Are you saying to leave all three types of TIPS role assignment?  I'm thinking that makes sense just in case as well.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Something broke with AOS upgrade?

Yes. In your role map, change the rule to an OR/ANY and add multiple profile sources.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: Something broke with AOS upgrade?

Working with TAC on this one.  Something appears to be broken but we're not sure yet what is going on.

 

Now for the surprise: According to what TAC is telling me, it appears what we were doing before the AOS upgrade wouldn't have worked.  But it was working or at least I don't remember making changes and don't see anything in audit trail indicating I changed anything either.

Search Airheads
Showing results for 
Search instead for 
Did you mean: