Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

mac caching 3600 controller

  • 1.  mac caching 3600 controller

    Posted Aug 31, 2016 08:36 AM

    Hello,

    We have a MAC caching setup on our 3600 Aruba controller (6.4.3.4 code and AP105). The usernames and passwords of the MACs, in the proper format, were entered into the internal database, the AAA profile set up, etc. The client (Windows laptop) connects and shows auth type MAC on the controller. The client is able to communicate on the network for a while (when I click on status on the monitoring tab for clients, I see the user firewall state entries). Then eventually the client loses communications. I still see the client in the clients / monitoring tab, but when I status them, I see nothing at all for user firewall state. I can get them communicating again by disconnecting the client, and immediately they are restored to normal communications (for a while), but then the problem happens again.

    The same Windows client was able to consistently work when he used the captive portal method on the controller, so I don't believe it's necessarily the client.

     

    I tried putting a check mark in the "reauthentication" box in the AAA profile but that didn't seem to make a difference.

     

    What else could I look for?

     

    Thank you,

    Sarah

     

     



  • 2.  RE: mac caching 3600 controller

    Posted Aug 31, 2016 08:58 AM

    Can you share the results of "show rights <Name-of-Role>" for the devices that pass MAC Authentication?



  • 3.  RE: mac caching 3600 controller

    Posted Aug 31, 2016 09:02 AM

    Sure, here goes

     

    (3600_Controller) #show rights class_role

     

    Valid = 'Yes'

    CleanedUp = 'No'

    Derived Role = 'class_role'

     Up BW:No Limit   Down BW:No Limit

     L2TP Pool = default-l2tp-pool

     PPTP Pool = default-pptp-pool

     Number of users referencing it = 15

     Periodic reauthentication: Disabled

     DPI Classification: Enabled

     Youtube education: Disabled

     Web Content Classification: Enabled

     ACL Number = 62/0

     Max Sessions = 65535

     

     Check CP Profile for Accounting = TRUE

     

    Application Exception List

    --------------------------

    Name  Type

    ----  ----

     

    Application BW-Contract List

    ----------------------------

    Name  Type  BW Contract  Id  Direction

    ----  ----  -----------  --  ---------

     

    access-list List

    ----------------

    Position  Name                   Type     Location

    --------  ----                   ----     --------

    1         global-sacl            session

    2         apprf-class_role-sacl  session

    3         class_policy           session

     

    global-sacl

    -----------

    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract

    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    apprf-class_role-sacl

    ---------------------

    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract

    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    class_policy

    ------------

    Priority  Source                      Destination        Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract

    --------  ------                      -----------        -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    1         (the class network) 255.255.255.0  Internal Networks  any                   deny               Yes           Low                                                           4

    2         any                         any                any                   permit                           Low                                                           4

     

    Expired Policies (due to time constraints) = 0

     



  • 4.  RE: mac caching 3600 controller

    EMPLOYEE
    Posted Aug 31, 2016 09:10 AM

    The reauthentication checkbox does not matter.

     

    What does matter is that you don't have an "any any service dhcp permit" policy somewhere at the top.  Initial DHCP request is not to an internal server, but DHCP renewals are, so you need to allow dhcp before you block traffic to internal servers.



  • 5.  RE: mac caching 3600 controller

    Posted Aug 31, 2016 09:12 AM

    Okay. Thank you.  I will give it a try.



  • 6.  RE: mac caching 3600 controller

    Posted Sep 07, 2016 02:03 PM

    I think putting the recommended entry has made a difference. It doesn't seem to be as often that things are disconnecting. But we are still getting reports of loss of connectivity (from the client end they don't have an IP; they get an APIPA address).

    They get DHCP from the 3600 controller.

    For the internal database I put them in upper case with hyphens.

    For the MAC Authentication profile I put things in the format with uppercase and hyphens; here are the settings.

    Delimiter (dash)

    Case - upper

    Max Auth Failures 0

    Reauth - checked

    Reauth interval 86400 sec

    Use server provided reauth interval (unchecked)

     

     

    I did see this error in the log from today. Would it make any difference to put things in lower case with colons? Trying to figure out what still should be tweaked.

     

    Sep 7 12:33:36 :522275:  <ERRS> |authmgr|  User Authentication failed. username=F8-16-54-BE-41-8C  userip=0.0.0.0 usermac=f8:16:54:be:41:8c servername=Internal serverip=X.X.X.X Name=WAP_AP105 bssid=(mac address here)

     

    Thank you



  • 7.  RE: mac caching 3600 controller

    Posted Aug 31, 2016 09:26 AM

    @SBS wrote:

     

    class_policy

    ------------

    Priority  Source                      Destination        Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract

    --------  ------                      -----------        -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    1         (the class network) 255.255.255.0  Internal Networks  any                   deny               Yes           Low                                                           4

    2         any                         any                any                   permit                           Low                                                           4

     

    Expired Policies (due to time constraints) = 0

     


    As Colin was suggesting, your #1 rule is likely prohibiting your DHCP renewals.

    Add the following ahead of your rule #1:

     

    user any udp 68 deny

    any any svc-dhcp permit

    ..........(then your entries)


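    The ordering the two replies above describe, written out as a complete class_policy session ACL in ArubaOS 6.x CLI syntax. This is an added example, not configuration from the thread or from HPE Aruba: 10.0.0.0/24 stands in for "the class network" and "Internal Networks" is assumed to be an existing destination alias on the controller. Session ACLs are evaluated first match, so with the original rule #1 on top, the unicast DHCP renewal (client to the controller's DHCP server, which falls inside "Internal Networks") is dropped, the lease eventually expires, and the client ends up on an APIPA address even though its MAC authentication is still valid.

```text
! Added example, not from the original thread.
! 10.0.0.0/24 = placeholder for the class network;
! "Internal Networks" = assumed existing destination alias.
ip access-list session class_policy
  ! 1. Block users from answering as a DHCP server (only a server sends
  !    to client port 68), so a client cannot hand out rogue leases.
  user any udp 68 deny
  ! 2. Permit DHCP before any internal-network deny rule. This covers the
  !    initial broadcast discover/request and the later unicast renewal
  !    to the controller's DHCP server.
  any any svc-dhcp permit
  ! 3. The original rule #1, now reached only by non-DHCP traffic.
  network 10.0.0.0 255.255.255.0 alias "Internal Networks" any deny log
  ! 4. The original rule #2.
  any any any permit
!
```

    After applying it, "show rights class_role" (the command already used in this thread) should list the svc-dhcp permit at position 2 of class_policy, ahead of the deny to Internal Networks; if the deny still sorts first, the renewal problem will persist regardless of the reauthentication settings in the MAC Authentication profile.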

  • 8.  RE: mac caching 3600 controller

    Posted Aug 31, 2016 09:29 AM

    Good deal, many thanks