Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

  • 1.  The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    Posted Oct 21, 2017 05:59 PM

    Hi Everyone,

     

    I'm new to Aruba Wireless and ClearPass. I have experience with CISCO Wireless. I have a query:

     

    I have done 802.1X authentication using EAP-PEAP-MSCHAPv2, with Aruba ClearPass as the authentication server and an Aruba Mobility Controller.

    I integrated my AD with the ClearPass and downloaded the certificate from AD CS to the controller. I gave default enforcement profile and enforcement Policy.

     

    Authentication is working fine and I could see in the Access Tracker that the domain PC is authenticated.

    But the problem is I don't have a PEFNG license in my controller and as a result I cannot create a user role in my Aruba controller. So after authentication I can see that the users are falling to the GUEST role and these users are not able to access internal servers or share folders or the internet.

    They can ping the internal resources but are not able to access them.

     

    What might be causing the issue?

     

    Is there any way to create a user role and access lists for this user in Aruba ClearPass and enforce them on the 802.1X SSID, so that I can get away without purchasing the PEFNG license?

     

    Any suggestions or advice would be really helpful, as my manager is eating my head over this.

     

    Thank you.



  • 2.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    EMPLOYEE
    Posted Nov 04, 2017 02:52 PM

    If you do not have the PEFNG license, all users should be allowed to go anywhere.  The label of the role "guest" is just a courtesy and allows all traffic.



  • 3.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    Posted Nov 04, 2017 05:31 PM

    Hi Colin,

     

    Thanks a lot for your feedback.

     

    So in my scenario, I just created an SSID for 802.1X PEAP authentication. I didn't create any user roles. When I created the AAA profile I gave the initial role as logon, and since I don't have the PEF license I didn't see the option of an 802.1X authentication default role.

    It was authenticating with the AD username and password successfully but it couldn't access the internet or the internal share folder.

     

    In our network only domain users can access the internet, and since we authenticated successfully it should work, right?

    The Aruba TAC checked and told me that post authentication the users are falling into the guest role. Is there any way we could check in the controller or ClearPass which role they are falling into?

     

    So even without PEF License can we make it work by giving default role as it is?

     

    I followed the below link to configure my WLC and ClearPass for 802.1x authentication:

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-enable-Dot1x-authentication-on-Aruba-controller-for-CPPM/ta-p/191875

     

    Thank You.

     

     



  • 4.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    EMPLOYEE
    Posted Nov 04, 2017 08:35 PM

    The user table should tell you what role.  Without the PEF license, authenticated users show up with the guest role, and no traffic should be blocked at all.  It doesn't matter what you put in the AAA profile.



  • 5.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    Posted Nov 05, 2017 12:48 AM
    Hi Colin,

    Is there an any-any rule for the default role (guest role) which allows traffic to go anywhere by default?
    With the PEF license we can create user roles with a specific custom firewall policy, and without the PEF license it is an allow-all policy. Am I right?

    Thank You.


  • 6.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server
    Best Answer

    EMPLOYEE
    Posted Nov 05, 2017 05:32 AM

    Yes.  Without the PEF license there should be no restrictions.



  • 7.  RE: The Users are falling under GUEST ROLE after 802.1X authentication and Cannot access internal Server

    Posted Nov 05, 2017 12:06 PM
    Hi Colin,

    Thanks a lot for your help.

    Today I was able to resolve the issue. It was actually due to a bug in Aruba OS 6.5.1.7. After upgrading to 6.5.3.3, everything seems to be working fine.

    Thank You.