Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unknown NadCLient

  • 1.  Unknown NadCLient

    Posted Jul 08, 2016 03:28 PM

    So I am seeing this and the user gets online, then when another user tries again

    ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.17.5.10
    INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: SALES Enforcement Profile

    Failed auth which is what I would expect.

    ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.17.5.10
    INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
    INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Deny Access Profile]

    Any ideas?

     

     



  • 2.  RE: Unknown NadCLient

    EMPLOYEE
    Posted Jul 08, 2016 03:33 PM

    Look in the audit/event viewer and see how often it really happens...



  • 3.  RE: Unknown NadCLient

    Posted Jul 08, 2016 04:00 PM
    There's nothing in there that's worth mentioning for this.

    Forgot to mention that the NAS IP address on the VC was incorrect and did not match the NAD in CPPM. That's why I am floored that authentications were allowed through.

    I would expect that all would fail since the NAS IP being sent does not match the NAD. Correct?


  • 4.  RE: Unknown NadCLient

    EMPLOYEE
    Posted Jul 08, 2016 04:03 PM
    NAS IP does not necessarily equal NAD IP.



    NAD IP should be defined as the source address of the RADIUS packet.


  • 5.  RE: Unknown NadCLient

    Posted Jul 08, 2016 04:36 PM
    In my case the NAS IP did not equal the NAD IP, but I want it to. After we changed it, it started working, but some auths were working for some accounts but not others.

    See http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Using-AD-Attributes-to-authenticate-users-at-one-location-vs/m-p/246456#M22108 for context as for user auths. National users worked but dealership users did not with the wrong NAS IP address configured.

    I'm still learning this behemoth so I apologize in advance.

    Where do I define it as the source address?


  • 6.  RE: Unknown NadCLient

    EMPLOYEE
    Posted Jul 08, 2016 04:38 PM
    If DRP is enabled, the source address will be the VC IP.



    If DRP is not enabled, the source address will be the individual IAP IP.
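An added example (not ClearPass code and not from anyone in this thread) of the distinction drawn in replies 4 and 6: the NAD is looked up by the source address the RADIUS packet arrives from, while NAS-IP-Address is attribute 4 carried inside the packet. The NAD table, device name, addresses (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress
import struct

USER_NAME, NAS_IP_ADDRESS = 1, 4  # RFC 2865 attribute types

def build_access_request(user, nas_ip, ident=1):
    """Build a minimal Access-Request (constructed sample, zeroed authenticator)."""
    name = user.encode()
    attrs = struct.pack("!BB", USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Return {type: [values]} from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def classify(packet, source_ip, nad_table):
    """Look up the NAD by UDP source address; report NAS-IP-Address separately."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS, [None])[0]
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return {
        "nad": nad_table.get(source_ip),  # None means the sender is an unknown NAD
        "nas_ip": nas_ip,
        "nas_ip_matches_source": nas_ip == source_ip,
    }

# Constructed sample data: one known NAD, a request whose NAS-IP-Address differs
NAD_TABLE = {"192.0.2.10": "site-a-iap"}
PKT = build_access_request("alice", "198.51.100.1")

if __name__ == "__main__":
    print(classify(PKT, "192.0.2.10", NAD_TABLE))   # known source, NAS IP differs
    print(classify(PKT, "203.0.113.5", NAD_TABLE))  # same payload, unknown source
```

The same payload resolves to a known NAD or to none depending only on where it was sent from, which is why a wrong NAS-IP-Address alone does not make the sender unknown.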


  • 7.  RE: Unknown NadCLient

    Posted Jul 08, 2016 04:47 PM
    DRP is not enabled.

    Each location is its own network, so the IAP IP can be the same at every site. That is why I am specifying the NAS IP address in the VC (as the VC IPs are the same at every site).