Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass default route via mgmt. port

  • 1.  clearpass default route via mgmt. port

    Posted Jul 20, 2014 09:25 PM

    hi guys,

    why does the default route for ClearPass use the data port and not the mgmt port?

    when I am downloading software updates, ideally this traffic should go through the mgmt port on the AP port



  • 2.  RE: clearpass default route via mgmt. port
    Best Answer

    Posted Jul 20, 2014 09:53 PM

    Edit: See Danny's TechNote reference for specifics....

    When you use both ports, the data port is used as the default route (for non-specific services/functions, i.e. out to the Internet). You can add a static route to use the Management interface if you need to for certain destinations (for the update server, for example).

    network ip add mgmt -d x.x.x.x



  • 3.  RE: clearpass default route via mgmt. port
    Best Answer

    Posted Jul 20, 2014 11:47 PM

    Please review my (Service Routing) TechNote at the following link to get an absolutely specific answer to the question about default routes. It is not true that the DATA port is always used as the default route. We in effect have two VRFs in CPPM, but hopefully if you read the TechNote it should help you understand what routes where and what doesn't.

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



  • 4.  RE: clearpass default route via mgmt. port

    Posted Nov 03, 2015 10:17 AM

    Adding a static route to ClearPass can be tricky, that's why I would like to complete the previous answer.

    Before adding a static route, pay attention to the routing rules already in place:

    network ip list

    Here you'll see some IP rules, and some of them concern incoming traffic, like:

    10020 : from all to 10.0.0.0/24 lookup mgmt

    This basically means "for all incoming datagrams going to the 10.0.0.0/24 network, follow the mgmt interface and the default gateway".

    If you add a static route without specifying a rule id (like this):

    network ip add mgmt -d x.x.x.x

    this will create an entry with id=12000 and you'll have a very uncommon behaviour:

    - From the ClearPass itself, you will be able to reach the destination (you pass through id=12000)

    - From the distant subnet, you will not get a reply from the ClearPass (you pass through id=10020)

    This can be very tricky, especially when you expect a RADIUS reply (because you'll see the RADIUS request in the ACCESS TRACKER), but as the RADIUS reply packet goes through the default gateway, you'll never get it from the NAS point of view...

    So the definitive good way of adding a static route to ClearPass is to specify a rule ID which takes precedence over the default incoming rules (for instance 500), so the command looks like:

    network ip add mgmt -i 500 -d x.x.x.x/24 -g y.y.y.y

    This way, both initiating and incoming communication will work.

    Regards,

    Laurent Asselin.
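The rule-precedence behaviour described in the previous post can be reproduced with a small model of Linux policy routing (rules walked by ascending priority, first match selects a table, longest-prefix match inside that table, fall through if the table has no route). This is an added illustration and not code from the thread or from ClearPass: the addresses, the `main`/`mgmt` tables, and the 10010 source rule are constructed; only the `10020 : from all to 10.0.0.0/24 lookup mgmt` line comes from the post, and the two `route_added_*` helpers model nothing more than the priority at which the new rule is inserted (12000 without `-i`, 500 with `-i 500`).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the illustration (not from the thread).
DATA_IP, DATA_GW = "192.168.1.10", "192.168.1.1"   # data port, carries the default route
MGMT_IP, MGMT_GW = "10.0.0.10", "10.0.0.1"         # mgmt port, 10.0.0.0/24 as in the post
NAS_SUBNET = "172.16.5.0/24"                       # remote NAS subnet reachable only via MGMT_GW
NAS_IP = "172.16.5.20"


@dataclass(frozen=True)
class Rule:
    prio: int            # lower number is consulted first (ip rule semantics)
    src: str             # "all" or CIDR/host
    dst: str             # "all" or CIDR/host
    table: str


@dataclass(frozen=True)
class Route:
    prefix: str          # "default" or CIDR
    dev: str
    gw: Optional[str] = None


def _matches(prefix: str, addr: str) -> bool:
    if prefix in ("all", "default"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _prefixlen(prefix: str) -> int:
    return 0 if prefix == "default" else ipaddress.ip_network(prefix, strict=False).prefixlen


def lookup(rules: List[Rule], tables: Dict[str, List[Route]],
           src: str, dst: str) -> Optional[Tuple[int, Route]]:
    """Policy-routing lookup as Linux performs it: walk rules by ascending
    priority, take the first whose selectors match, do a longest-prefix lookup
    in its table; if that table has no matching route, continue with the next rule."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not (_matches(rule.src, src) and _matches(rule.dst, dst)):
            continue
        candidates = [r for r in tables.get(rule.table, []) if _matches(r.prefix, dst)]
        if candidates:
            return rule.prio, max(candidates, key=lambda r: _prefixlen(r.prefix))
    return None


# Constructed tables: the data port holds the default route, the mgmt table holds
# the static route the admin added for the NAS subnet.
TABLES: Dict[str, List[Route]] = {
    "main": [Route("192.168.1.0/24", "data"), Route("default", "data", DATA_GW)],
    "mgmt": [Route("10.0.0.0/24", "mgmt"), Route(NAS_SUBNET, "mgmt", MGMT_GW)],
}

# Pre-existing rules. 10020 is the line quoted in the post; 10010 is a constructed
# stand-in for the rules that steer replies by the address they are sent from.
BASE_RULES = [
    Rule(10010, DATA_IP + "/32", "all", "main"),
    Rule(10020, "all", "10.0.0.0/24", "mgmt"),
    Rule(32766, "all", "all", "main"),
]


def route_added_without_id() -> List[Rule]:
    # Models 'network ip add mgmt -d <subnet>' with no -i: the rule lands at id 12000.
    return BASE_RULES + [Rule(12000, "all", NAS_SUBNET, "mgmt")]


def route_added_with_id(prio: int = 500) -> List[Rule]:
    # Models 'network ip add mgmt -i 500 -d <subnet> -g <gw>': consulted before 10010/10020.
    return BASE_RULES + [Rule(prio, "all", NAS_SUBNET, "mgmt")]


def egress_dev(rules: List[Rule], src: str, dst: str) -> str:
    hit = lookup(rules, TABLES, src, dst)
    return hit[1].dev if hit else "unreachable"


def path_is_symmetric(rules: List[Rule], local_ip: str, peer_ip: str) -> bool:
    """Do a connection ClearPass opens to peer_ip and a reply it sends from
    local_ip to peer_ip leave through the same port? A source-unspecified
    lookup (0.0.0.0) models the first packet of a locally originated connection."""
    return egress_dev(rules, "0.0.0.0", peer_ip) == egress_dev(rules, local_ip, peer_ip)


if __name__ == "__main__":
    for name, rules in (("id 12000", route_added_without_id()), ("id 500", route_added_with_id())):
        print(name, "originated ->", egress_dev(rules, "0.0.0.0", NAS_IP),
              "| reply from data IP ->", egress_dev(rules, DATA_IP, NAS_IP),
              "| symmetric:", path_is_symmetric(rules, DATA_IP, NAS_IP))
```

With the rule at 12000, a connection ClearPass originates reaches the NAS subnet through the mgmt port, but a reply sourced from the data address is caught by the earlier 10010 rule and leaves via the data port's default gateway, which is the asymmetry the post describes; with the rule at 500 both directions use the mgmt port. The `path_is_symmetric` check is the kind of sanity test worth running against the output of `network ip list` before trusting a new static route for RADIUS traffic.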



  • 5.  RE: clearpass default route via mgmt. port

    Posted May 11, 2016 06:33 AM

    Laurent, great answer. This explains my problem exactly.

    Only question remaining is, why is ClearPass routing so strange!?



  • 6.  RE: clearpass default route via mgmt. port

    Posted May 04, 2017 07:36 AM
    Is there any way to add 2 default routes? We created 2 VLANs on CPPM Mgmt and need to add 2 d 0/0 and we get the error Failed to add route. On a normal Unix machine you can add two default routes on 2 VLANs.