MVP
Posts: 395
Registered: ‎05-09-2013

MAC Auth not hitting ClearPass

Working with a customer and they have a 7220 controller and ClearPass. 7220 is running 6.3-FIPS and we are attempting to do MAC authentication to ClearPass (services pre-built for HP). When we configured the MAC Authentication Profile and Server Group. The SSID is set to open (I believe that is needed for MAC auth).

We are bridging users at the AP onto the different VLANs on the AP's trunk uplink port due to scattered VLANs in different buildings and they have wired MAC authentication as well, so we should see a wireless MAC auth in ClearPass and a wired MAC auth, but nothing is hitting at all. If we remove the MAC auth profile and server group we can connect no problem and wired MAC auth is successful.

Any ideas what I might be missing here?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: MAC Auth not hitting ClearPass

Do you see any errors in the event log?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 395
Registered: ‎05-09-2013

Re: MAC Auth not hitting ClearPass

None related to RADIUS communication. We have RADIUS admin login working successfully so I know they can talk, but we just are not seeing the request come in.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: MAC Auth not hitting ClearPass

Make sure that you have assigned the MAC auth profile and that the key between the two matches.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 395
Registered: ‎05-09-2013

Re: MAC Auth not hitting ClearPass

Thanks for the help, it seems I didn't check L2 authentication failthrough and I didn't realize the user roles we were giving out did not have any firewall rules applied and were getting deny all. Users were then hitting ClearPass and on successful auth getting IP.

Another question though, we moved the AP into another subnet, only 2 hops to the controller (gateway, core, controller) and we have a device in the same subnet that can ping the Aruba controller. However, the AP-225 keeps going from up to down to up to down, but not rebooting. Does anyone know why this might be happening now? CPSec is enabled, but auto cert provision and all is checked.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: MAC Auth not hitting ClearPass

You may want to look at a couple of things that might explain what's going on:

Controller:

- show log system all | include <ap mac address>

- show log errorlog all | include <ap mac address>

- show ap debug system-status ap-name <ap name>

AP:

Console into the AP and see if you see anything interesting.

Is that the only AP in that VLAN?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA