Well, you can always downgrade VirtualBox. I have had success in doing the following:
The simulator wants the environment variable VBOX_INSTALL_PATH; the latest VirtualBox uses a different name for the same concept, so just copy the path in that variable to this one.
You find this under Control Panel\All Control Panel Items\System, then choose the Advanced system settings button and choose Environment Variables. For localized versions of Windows it can have other names.
I use this document when I first try to configure Comware syntax.
Great to hear! There is a newer version available. You can find it at https://hpepress.hpe.com/product/Aruba+HPE+Network
Captive portal support is a major benefit. Most vendors still don't have working captive portal support. User roles will be coming this year, which add user context instead of just VLAN.
You should see other features from the Mobility Access Switch line in the ArubaOS-Switches over the next year.
Amazing, thanks!
Would you mind sharing your HPE-AOS-WIRED-GUEST service config please? I'll be deploying this this week and I don't have any lab Comware switch, so I just want to be sure :)
I have already configured an external self-registration guest portal for Aruba IAP 105 and it is running successfully.
Then I tried HPE 5130 802.1x and this one is running successfully too. Finally I tried: if 802.1x authentication
fails, the user drops to the guest/auth-fail VLAN, and the related VLAN is configured for portal authentication, and I configured ClearPass Guest as an external portal. I have a problem when I create the self-registration portal because I couldn't find HPE/H3C (Comware) vendor settings.
When user authentication fails, users drop to the guest/auth-fail VLAN and are redirected to the ClearPass self-registration page, but when I register a guest and press the login button nothing happens and the same page appears.
Switch NAS ID: 192.168.2.41
RADIUS (ClearPass): 192.168.2.211 (guest.bilgibim.corp)
My switch configuration is the following:
description *** Bilgibim Guest ***
ip address 172.16.3.1 255.255.255.0
dhcp select relay
dhcp relay server-address 192.168.2.203
portal enable method direct
portal apply web-server ClearPass
description ***Aydin KOCAK***
undo dot1x handshake
dot1x mandatory-domain bilgibim.com.tr
dot1x port-method portbased
dot1x guest-vlan 3
dot1x auth-fail vlan 3
radius scheme bilgibim
primary authentication 192.168.2.211 key cipher $c$3$XYsBAKLajI5vmRRy8Momaxpovy2PdEvrOxcr8w==
primary accounting 192.168.2.211 key cipher $c$3$/Sze6gM9U14Qv862rJQK6+o9wyc7OPPpgVTP7g==
authentication lan-access radius-scheme bilgibim local
authorization lan-access radius-scheme bilgibim local
accounting lan-access radius-scheme bilgibim local
domain default enable bilgibim.com.tr
portal free-rule 0 source ip 172.16.3.0 255.255.255.0 destination ip 192.168.2.0 255.255.255.0
portal free-rule 5 source ip 192.168.2.0 255.255.255.0 destination ip 172.16.3.0 255.255.255.0
portal web-server ClearPass
Would you mind sharing more details on your set-up? I'm trying to configure about the same with a 5130ei and Comware 7. It just won't fall back to the guest or auth-fail VLAN. Also the captive portal doesn't get redirected.
Here's the modern way to do the portal redirect, the server-initiated way (CPPM pushes down portal/ACL info) based on an unknown host. In this method you don't have to do the portal or portal free-rules on the box.
The only thing you have to define is the ACL, because Comware doesn't support downloadable ACLs at this time. In the ACL you can open them up to the wide IP or you can specify them down to the port level; in the example below it's a mix. I'm using port-security in this example below, but it makes no difference if you're using mac-auth/dot1x without port-security.
I'll follow up on the CPPM config in another post:
dot1x authentication-method eap
port link-type hybrid
port hybrid vlan 1
undo dot1x handshake
dot1x mandatory-domain cppm
undo dot1x multicast-trigger
mac-authentication domain cppm
port-security port-mode mac-else-userlogin-secure-ext
acl number 3001 name PORTAL-REDIRECT
rule 0 permit ip destination 172.16.1.12 0 <- CPPM Server
rule 1 permit ip destination 192.168.1.1 0 <- Gateway to PING Check
rule 2 permit ip destination 10.1.1.1 0 <- DNS server
rule 5 permit udp destination-port eq bootp <- Permit DHCP
radius session-control enable
radius scheme cppm
primary authentication 172.16.1.12
primary accounting 172.16.1.12
key authentication simple radius
key accounting simple radius
radius dynamic-author server
client ip 172.16.1.12 key simple radius
authentication lan-access radius-scheme cppm
accounting default radius-scheme cppm
authorization default radius-scheme cppm
[HPE]display mac-authentication connection
Slot ID: 1
User MAC address: 6431-50a1-8e3d
Access interface: GigabitEthernet1/0/1
Authentication domain: 8021x
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization ACL ID: 3001
Authorization user profile: N/A
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
Termination action: N/A
Session timeout period: N/A
Online from: 2016/06/08 02:32:27
Online duration: 0h 0m 2s
Here are some screencaps for you to view. Hopefully they come through okay (newbie to Airheads posting).
H3C RadiusDictionary.txt is the dictionary that you need to import and enable for RADIUS. Rename it to XML and it should import.
Comware Server Portal.PNG - This is the profile I use; in here it references the CPPM guest page and sends down the ACL to the switch. I omitted the overall enforcement policy, but I have this as my default profile for the policy. It's a catch-all basically.
WebAuth-Service.PNG - Service the connection matches.
WebAuth_GuestPage.PNG - This is how I have the guest page set up.
WebAuth-Successful.PNG - This is how you'll see it in the Access Tracker.
So the way it works is that in my service for wired mac-auth I have the permitted permissions to get on the network, then the catch-all for portal. When the catch-all is hit, it sends down the portal and ACL to the switch, which triggers the redirect. The PC then browses to the guest portal and I log in with my guest user/pass.
The portal page will then do a webauth (make sure you have a webauth service set up too) so that the authentication is done and it will cache your session with the guest role. It will also send a CoA disconnect back to the switch, which will cause a re-auth. Once the switch re-auths back to CPPM again it will have the cached guest role, which then matches the permitted condition.
Hope this helps and makes sense; if not let me know and I can clarify more.
Hello. Does anyone have any answers on the above question, or did you get it working? I am trying the same and can't get the portal page to send the username and password back to the switch.
I have set up a new registration page and set the login vendor settings to all of the three HP options one at a time, but no luck. I am assuming it's the Unified Wired-WLAN settings I require?
Latest CPPM 6.6 and latest Comware 7.1 on 5130ei.
Thanks for the reply. I still need assistance please. I have all the 802.1x and MAC auth working; it's just the captive portal piece I am struggling with. I have the clients being redirected and getting the captive portal hosted on the CPPM server. As soon as they enter the username and password nothing happens. I could not find any info about the configuration needed on the ClearPass side. I am unsure of what I need to set on the CPPM login page. Or I could be missing something on the Comware side.
Thanks in advance.
Thanks a lot for this information, I will try it for sure!
Just to recap on my side and make sure I fully understand, could you validate that I'm right with the auth process?
1 - A laptop connects to an edge port, fails 802.1x, fails MAC auth and then hits the MAC-AUTH-PORTAL-COMWARE service.
2 - The ACL 3001 is applied, along with a URL redirect to ClearPass which includes the laptop's MAC address in the URL.
3 - The laptop is presented with the captive portal page, authenticates against any chosen DB and is applied the guest role in your set-up.
4 - ClearPass CoA-disconnects the laptop.
5 - The laptop goes through the authentication process again but this time matches the wired-mac-auth service with its cached attributes (MAC and role), then gets an ACCEPT on the MAC authentication.
So there are a few ways we can tackle this.
We can do a packet capture to see if the CoA messages are going out, or we can do it via debug.
For the debug method, go into the switch and do 'debug radius all', then do 'term debug' and 'term mon'.
Then connect a PC up and let it get authenticated, and go into the Access Tracker in ClearPass. At the bottom of that box there is a 'Change Status' button that you can click on to go terminate the session. Select that HPE terminate session profile and then submit it. If successful you should then see a bunch of debug spit out on the switch console. If that fails then we need to look at other areas; something isn't configured right.
Here's an example of what you will see:
<HPE>*Oct 17 15:59:02:317 2016 HPE RADIUS/7/EVENT:
Received DAE request packet successfully.
*Oct 17 15:59:02:320 2016 HPE RADIUS/7/PACKET:
Event-Timestamp="Oct 17 2016 15:59:00 UTC"
*Oct 17 15:59:02:321 2016 HPE RADIUS/7/PACKET:
28 c4 00 47 ad 4c dd 9b b8 9d 1c b7 43 f1 a9 f7
f6 7a 20 61 01 0e 36 34 33 31 35 30 61 31 38 65
33 64 1f 13 36 34 2d 33 31 2d 35 30 2d 41 31 2d
38 45 2d 33 44 04 06 c0 a8 01 19 05 06 01 00 10
02 37 06 58 04 f5 44
%Oct 17 15:59:02:330 2016 HPE MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/1-MACAddr=6431-50a1-8e3d-VLANID=2-Username=643150a18e3d-UsernameFormat=MAC address; MAC authentication user was logged off.
Thank you for the answer!
I think I found what I did wrong but can't try it today; maybe you can confirm. When I created the device I selected H3C for vendor name. The enforcement profiles are for HPE; maybe they don't apply because of this?
I remember from the "Change Status" menu, I had no CoA available except the generic one I created, probably because of this.
You will need the AP and PEF license at the minimum.
Additionally, if you want to play around with any of the IDS/IPS settings you will also need RF Protect.
However, these are the old Aruba part numbers; not sure if they match up to the HPE equivalent.
You will need one of each license for each AP you want to have active simultaneously on your controller.
Are you partnered with Aruba? If so, you should be able to get an eval license, or purchase an NFR at a discount. If you are not a partner you would need to contact a partner to purchase a license. You'd probably only need a license for 1-2 access points, so it shouldn't cost too much.
The controller should be fine for studying. You can do the majority. Just make sure to read some product guides and Validated Reference Design guides as well.