Wired 802.1X - Accept on CPPM, failed on client

Hi, Hope someone came across this before. We set up Wired 802.1X for a customer trying to do machine authentication. Certificate is loaded onto the test laptop, service created on ClearPass.

CPPM Service: Authentication -> [EAP PEAP], [EAP TLS]; Enforcement Policy -> Certificate:Issuer CN - Contains - (CN from RADIUS certificate)

Windows 7 client: "Enable IEEE 802.1X authentication" box ticked; Authentication Method -> Smart Card or other certificate; Settings: "Use a certificate on this computer" radio button selected, "Use simple certificate selection" box ticked, "Validate server certificate" box ticked; Advanced Settings -> Computer authentication

After connecting the laptop to a wired port (HPE 2930 switch), Access Tracker is showing that authentication went OK (Login Status is "Accept"), but the client device is showing "Authentication failed"?!?! Thanks in advance for any ideas. Regards, NesaM
Regards,
NesaM --ACMP, ACCP--

Re: Wired 802.1X - Accept on CPPM, failed on client

Please follow the instructions in Cappalli's ClearPass wired guide:

http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/m-p/298161


Thank you

Victor Fabian

Pardon typos sent from Mobile

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: Wired 802.1X - Accept on CPPM, failed on client

Hi Victor,

I have read the guide and tried to follow the instructions. What seemed to be the problem in my case was that although I defined a user-role on the switch that referenced my Enforcement Profile on CPPM (together with specifying the VLAN ID where I wanted to send my client device), the predefined user-role (denyall) was taking over and enforcing itself. After disabling user-roles completely, the test laptop was placed in the proper VLAN.

As I would still want to implement user-roles (even DURs, if possible), I am looking at why denyall was the only one applied. Thanks.

Regards, NesaM

Regards,
NesaM --ACMP, ACCP--

Re: Wired 802.1X - Accept on CPPM, failed on client

What version are you running on the switch?



Thank you

Victor Fabian

Pardon typos sent from Mobile

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: Wired 802.1X - Accept on CPPM, failed on client

Hi,

It is 16.05.

Regards,

NesaM

Regards,
NesaM --ACMP, ACCP--
Frequent Contributor I

Re: Wired 802.1X - Accept on CPPM, failed on client

Bit more information on this one. After running debug during authentication, we noticed this:

"0029:06:56:19.60 1X   m8021xCtrl:Failed to apply user role  to 8021X client
   40B0340E7E61 on port 1/20: user role is invalid"

There were two roles on our test switch: the first one denyall (predefined), and the role XXXXX-Corporate, which is in effect the Enforcement Profile on CPPM for the type of device we were testing. The quoted debug line was showing us that the denyall role was being pushed on the port, thus killing off authentication. The quick and dirty fix was to disable user-role, which made the test laptop authenticate on CPPM straight away (and get on the network without issues).

However, this raises a new set of questions (I am just looking into the documentation to try to figure it out):

  1. Why was the XXXXX-Corporate role not being applied in our case, but only the denyall one as initial?
  2. What should the type of the XXXXX-Corporate role have been in a working solution, local (as it is currently showing on the switch) or something else?
  3. What have we lost by disabling user-role in 802.1X, and is that impacting only functionality or security as well?
  4. Can we apply Downloadable User Roles in our case (HPE 2920 switch with 16.05 firmware), and in this case should we use ArubaOS-Switch or Aruba Mobility Switch as the Product?

Hope that I am not widening this topic too much, and that someone will be able to chip in.

Regards,

NesaM

Regards,
NesaM --ACMP, ACCP--
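As an added example (not code from the thread, from Aruba, or from ClearPass), here is a small Python parser that picks the "Failed to apply user role" event quoted above out of ArubaOS-Switch 802.1X debug output, re-joining the wrapped continuation line before matching, so the port, client MAC and failure reason can be counted or alerted on instead of being spotted by eye. The sample input is constructed: its first record is the line quoted in the post, and the other two records are invented to show an unrelated message being ignored and a failure that does carry a role name; the wording of those invented lines is an assumption, not real switch output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample debug output. The first record is the line quoted in the
# thread; the remaining records are invented here (their wording is an assumption)
# to show an unrelated message being skipped and a failure that names a role.
SAMPLE_DEBUG = """\
0029:06:56:19.60 1X   m8021xCtrl:Failed to apply user role  to 8021X client
   40B0340E7E61 on port 1/20: user role is invalid
0029:06:56:20.02 1X   m8021xCtrl:Port 1/20 state change to unauthorized
0029:06:57:03.44 1X   m8021xCtrl:Failed to apply user role XXXXX-Corporate to 8021X client
   001122334455 on port 1/21: user role is invalid
"""

# Matches one re-joined "Failed to apply user role" record. The role name is
# optional because the switch printed an empty name in the quoted line.
ROLE_FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2})\s+1X\s+m8021xCtrl:"
    r"Failed to apply user role\s+(?:(?P<role>\S+)\s+)?to 8021X client\s+"
    r"(?P<mac>[0-9A-Fa-f]{12})\s+on port\s+(?P<port>\S+?):\s+(?P<reason>.+)$"
)


@dataclass
class RoleFailure:
    timestamp: str
    mac: str
    port: str
    role: str      # "" when the switch printed no role name, as in the quoted line
    reason: str


def join_continuations(text: str) -> List[str]:
    """Re-join wrapped debug records: a continuation line starts with whitespace."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] = records[-1] + " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_role_failures(text: str) -> List[RoleFailure]:
    """Return every 'Failed to apply user role' record found in the debug text."""
    failures: List[RoleFailure] = []
    for record in join_continuations(text):
        m = ROLE_FAILURE_RE.match(record)
        if m is None:
            continue          # any other 802.1X debug message is ignored
        failures.append(RoleFailure(
            timestamp=m["ts"],
            mac=m["mac"].upper(),
            port=m["port"],
            role=m["role"] or "",
            reason=m["reason"],
        ))
    return failures


def failures_by_port(failures: List[RoleFailure]) -> Dict[str, int]:
    """Count failures per port; a port that keeps failing is the one to look at."""
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f.port] = counts.get(f.port, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_role_failures(SAMPLE_DEBUG)
    for f in found:
        print(f"{f.timestamp} port {f.port} mac {f.mac} role {f.role!r}: {f.reason}")
    print(failures_by_port(found))
```

An empty `role` field on a failure, as in the quoted line, is the tell that the switch never resolved the name ClearPass returned to a role it knows, which is exactly the mismatch the rest of this thread is chasing.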
Guru Elite

Re: Wired 802.1X - Accept on CPPM, failed on client

1) If you're seeing invalid role, then there is something wrong with the contents of your DUR. Are you using Standard or Advanced mode?

2) Downloaded

3) User-roles are global. You lose role-based visibility and enforcement, simplified policy creation and overall flexibility. It is not recommended to run without user roles.

4) Downloadable user roles are not supported on the 2920. Local user roles are, however.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Wired 802.1X - Accept on CPPM, failed on client


@cappalli wrote:

1) If you're seeing invalid role, then there is something wrong with the contents of your DUR. Are you using Standard or Advanced mode?

2) Downloaded

3) User-roles are global. You lose role-based visibility and enforcement, simplified policy creation and overall flexibility. It is not recommended to run without user roles.

4) Downloadable user roles are not supported on the 2920. Local user roles are, however.

Hi Tim,

In reply to your answers:

1) I was not using DURs, but creating the user-role on the switch myself (in the light of your answer under 4), this was the only way of doing it :-)) using the command:

aaa authorization user-role name <ENFORCEMENT-PROFILE as created on CPPM>
   vlan-id <VLAN-ID>
   exit

2) As the role was created locally, the role type I am seeing is OK (Thanks)

3) (Thanks for the explanation)

4) (Thanks for the explanation)

In the light of your answer under 4), and my original problem where the predefined role (denyall) was taking precedence when the authentication request was made, would you be able to tell me (or point me in the direction of material explaining it) how I should make the role(s) I created get applied before the predefined one? Thanks.

Regards,

NesaM

Regards,
NesaM --ACMP, ACCP--
Guru Elite

Re: Wired 802.1X - Accept on CPPM, failed on client

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement? It goes through all of this step by step.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480