Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

MAC Auth not hitting ClearPass

  • 1.  MAC Auth not hitting ClearPass

    MVP
    Posted Oct 28, 2014 08:52 AM

    Working with a customer and they have a 7220 controller and ClearPass. 7220 is running 6.3-FIPS and we are attempting to do MAC authentication to ClearPass (services pre-built for HP). When we configured the MAC Authentication Profile and Server Group. The SSID is set to open (I believe that is needed for MAC auth).

    We are bridging users at the AP onto the different VLANs on the AP's trunk uplink port due to scattered VLANs in different buildings and they have wired MAC authentication as well, so we should see a wireless MAC auth in ClearPass and a wired MAC auth, but nothing is hitting at all. If we remove the MAC auth profile and server group we can connect no problem and wired MAC auth is successful.

    Any ideas what I might be missing here?


    #7220


  • 2.  RE: MAC Auth not hitting ClearPass

    EMPLOYEE
    Posted Oct 28, 2014 08:55 AM
    Do you see any errors in the event log?


  • 3.  RE: MAC Auth not hitting ClearPass

    MVP
    Posted Oct 28, 2014 08:59 AM

    None related to RADIUS communication. We have RADIUS admin login working successfully so I know they can talk, but we just are not seeing the request come in.



  • 4.  RE: MAC Auth not hitting ClearPass
    Best Answer

    Posted Oct 28, 2014 09:23 AM

    Make sure that you have assigned the MAC auth profile and that the key between the two matches.

    [Attached screenshot: Authentication Profiles]



  • 5.  RE: MAC Auth not hitting ClearPass
    Best Answer

    MVP
    Posted Oct 28, 2014 11:16 AM

    Thanks for the help. It seems I didn't check L2 authentication failthrough and I didn't realize the user roles we were giving out did not have any firewall rules applied and were getting deny all. Users were then hitting ClearPass and on successful auth getting IP.

    Another question though: we moved the AP into another subnet, only 2 hops to the controller (gateway, core, controller) and we have a device in the same subnet that can ping the Aruba controller. However, the AP-225 keeps going from up to down to up to down, but not rebooting. Does anyone know why this might be happening now? CPSec is enabled, but auto cert provision and all is checked.



  • 6.  RE: MAC Auth not hitting ClearPass

    Posted Oct 28, 2014 01:35 PM

    You may want to look at a couple of things that might explain what's going on:

    Controller:

    - show log system all | include <ap mac address>

    - show log errorlog all | include <ap mac address>

    - show ap debug system-status ap-name <ap name>

    AP:

    Console into the AP and see if you see anything interesting.

    Is that the only AP in that VLAN?