New Contributor
Posts: 4
Registered: 08-13-2013

clearpass default route via mgmt. port

Hi guys,

 

Why does the default route for ClearPass use the data port and not the mgmt port?

 

When I am downloading software updates, ideally this traffic should go through the mgmt port on the AP port.

Aruba
Posts: 1,635
Registered: 04-13-2009

Re: clearpass default route via mgmt. port

[ Edited ]

Edit: See Danny's TechNote reference for specifics.

 

When you use both ports, the data port is used as the default route (for non-specific services/functions, i.e. out to the Internet). You can add a static route to use the Management interface if you need to for certain destinations (for the update server, for example).

 

network ip add mgmt -d x.x.x.x

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Moderator
Posts: 458
Registered: 11-09-2012

Re: clearpass default route via mgmt. port

Please review my (Service Routing) TechNote at the following link to get an absolutely specific answer to the question about default routes. It is not true that the DATA port is always used as the default route. We in effect have two VRFs in CPPM, but hopefully if you read the TechNote it should help you understand what routes where and what doesn't.

 

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
New Contributor
Posts: 5
Registered: 03-28-2013

Re: clearpass default route via mgmt. port

[ Edited ]

Adding a static route to ClearPass can be tricky, which is why I would like to complete the previous answer.

Before adding a static route, pay attention to the routing rules already in place:

network ip list

 

Here you'll see some IP rules, and some of them concern incoming traffic, like:

10020 : from all to 10.0.0.0/24 lookup mgmt

 

This basically means "for all incoming datagrams going to the 10.0.0.0/24 network, follow the mgmt interface and the default gateway".

 

If you add a static route without specifying a rule ID (like this):

network ip add mgmt -d x.x.x.x

this will create an entry with id=12000 and you'll have a very uncommon behaviour:

 

- From the ClearPass itself, you will be able to reach the destination (you pass through id=12000)

- From the distant subnet, you'll not be able to get a reply from the ClearPass (you pass through id=10020)

 

This can be very tricky, especially when you expect a RADIUS reply (because you'll see the RADIUS request in the ACCESS TRACKER), but as the RADIUS reply packet goes through the default gateway, you'll never get it from the NAS point of view...

 

So the definitive good way of adding a static route to ClearPass is to specify a rule ID which takes precedence over the default incoming rules (for instance 500), so the command looks like:

 

network ip add mgmt -i 500 -d x.x.x.x/24 -g y.y.y.y

 

This way, both initiated and incoming communication will work.

Regards,

Laurent Asselin.
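To make the "rule ID takes precedence" point concrete, here is a small model of Linux policy-based routing, the `ip rule` / per-table mechanism that `network ip list` is showing. This is an added example for this thread, not ClearPass code: the rule priorities, tables and addresses are constructed, and in particular the source-based rule 10010 that steers replies back out the data interface is an assumption made so the asymmetric case is visible, not a claim about what ClearPass's real rule set contains. It shows the generic behaviour: rules are evaluated lowest priority first, the first rule whose selector matches and whose table has a route decides, so a static route whose rule sits at 12000 is never reached by a packet that an earlier rule already routed, while the same route at priority 500 is.

```python
"""Toy model of Linux policy-based routing (the `ip rule` / per-table mechanism
behind ClearPass's `network ip list` output), added for this thread. Not
ClearPass code: rule priorities, tables and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    prio: int                  # rules are evaluated in ascending priority
    table: str
    src: Optional[Net] = None  # None means "from all"
    dst: Optional[Net] = None  # None means "to all"

    def matches(self, src_ip, dst_ip) -> bool:
        return (self.src is None or src_ip in self.src) and \
               (self.dst is None or dst_ip in self.dst)


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    gateway: Optional[str] = None  # None = directly connected


def lookup_table(table, dst_ip) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    best = None
    for r in table:
        if dst_ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules, tables, src, dst):
    """First rule (by priority) whose selector matches and whose table holds a
    route for dst decides; a table with no matching route falls through.
    Returns (priority of the deciding rule, Route), or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(src_ip, dst_ip):
            hit = lookup_table(tables[rule.table], dst_ip)
            if hit is not None:
                return rule.prio, hit
    return None


# Constructed two-interface box: mgmt on 10.0.0.0/24, data on 192.168.1.0/24.
MGMT_IP, DATA_IP = "10.0.0.10", "192.168.1.10"
NAS_IP = "172.16.5.20"        # constructed NAS in a subnet reachable only via mgmt

TABLES = {
    "mgmt": [Route(Net("10.0.0.0/24"), "mgmt"),
             Route(Net("0.0.0.0/0"), "mgmt", "10.0.0.1")],
    "data": [Route(Net("192.168.1.0/24"), "data"),
             Route(Net("0.0.0.0/0"), "data", "192.168.1.1")],  # the box's default route
}

# Assumed baseline rules: the thread's 10020 rule plus an assumed source-based
# rule (10010) so that replies leave via the interface whose address they carry.
BASE_RULES = [
    Rule(10010, "data", src=Net(DATA_IP + "/32")),
    Rule(10020, "mgmt", dst=Net("10.0.0.0/24")),
    Rule(32766, "data"),                            # "from all lookup main"
]


def add_static_route(rules, tables, prio, dst_net, gateway):
    """Model of `network ip add mgmt -i <prio> -d <dst> -g <gw>`: a route in the
    mgmt table plus a rule steering dst_net to that table at the given priority."""
    tables = {k: list(v) for k, v in tables.items()}
    tables["mgmt"].append(Route(Net(dst_net), "mgmt", gateway))
    return rules + [Rule(prio, "mgmt", dst=Net(dst_net))], tables


def egress_for(prio):
    """Egress interfaces toward the NAS for (a) a reply carrying the data IP as
    source, the RADIUS case in the thread, and (b) a packet the box originates
    itself, whose source is not fixed yet (modelled as 0.0.0.0)."""
    rules, tables = add_static_route(BASE_RULES, TABLES, prio, "172.16.5.0/24", "10.0.0.1")
    reply = route(rules, tables, DATA_IP, NAS_IP)
    local = route(rules, tables, "0.0.0.0", NAS_IP)
    return reply[1].dev, local[1].dev


if __name__ == "__main__":
    for prio in (12000, 500):
        print(f"static route rule at {prio}: reply via {egress_for(prio)[0]}, "
              f"locally originated via {egress_for(prio)[1]}")
```

With the rule at 12000 the locally originated packet reaches the NAS via mgmt but the reply, already claimed by the earlier source-based rule, goes out the data default gateway; at 500 both paths use mgmt. The real rule set on a ClearPass box is whatever `network ip list` prints, so check that output rather than this model before picking a priority.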

 

Regular Contributor I
Posts: 176
Registered: 12-17-2008

Re: clearpass default route via mgmt. port

Laurent, great answer. This explains my problem exactly.

The only question remaining is, why is ClearPass routing so strange!?


--
ACMA ACMP