right now I'm facing a problem that the policy server service is crashing right after an AV update.
Is there a way to download old AV versions and import them?
Answer from HPE Aruba support:
ClearPass Team releases Posture and Profile Data Updates on an hourly basis.
The Posture and Profile Data update version 1.48743, which was released today, caused the Policy Service to crash, causing authentication issues.
A defect RM42553 has been created for this issue.
The Dev Team has released an update 1.48751 which has resolved the issue.
Please ensure that the update 1.48751 is installed and the Policy Service is running on all the servers in the cluster, by following the below stated steps.
· To install AV/AS Update version 1.48751, please navigate to ClearPass Policy Manager GUI -> Administration -> Agents and Software Updates -> Software Updates page -> Click on "Check Status Now".
· Please navigate to ClearPass Policy Manager GUI -> Administration -> Server Manager -> Server Configuration -> Click on the name of the server -> Services Control -> Check for the status of the Policy server.
· If the status is Stopped, please click on the Start button next to it, to start the service.
Please hit save on your software update page and get the latest AV update. Should be now at 1.48751. Start the service if not already started.
See note above
after upgrade to release 8.2.5, I see in the System - Event Log this entry:
Restarting service Clarity Synthetic
Every 15 seconds. Is it impacting the service? How can I disable it?
Aruba TAC gave me the solution: disabling and re-enabling the VisualRF service solved the problem.
I was wondering if you could advise me on how to set up a TACACS service on ClearPass.
The TACACs service would be used to authenticate users who want to log into switches with their AD account. The switches are Alcatel switches.
When I go to set up the service for TACACS, I select "TACACS+ Enforcement". I am not sure how to set up the service rule/conditions that deal with authentication requests coming from a device, but have come up with the following:
Would this service rule work:
Value= This would be a static host list that has been created
I will then also enable “Authorization”
The static host list would be created based on subnet.
The authentication would then be AD
The authorization would then be AD
The roles would then be if “Authorization:AD:member of contains Technical”
I am not sure what would be used for enforcement as when I go to create this I get the following. Please see attached picture.
What do I set for privilege level?
What do I set for selected services?
What do I set for authorize attribute service?
What do I set for service attributes?
What do I then set up for Enforcement policies?
I hope the above makes sense and you guys can advise me further?
And another example for ArubaOS switch in this video: http://community.arubanetworks.com/t5/Video...
Alcatel switch manual is here. It doesn't mention special requirements, so returning privilege level 15 and service Shell would be my first try. Then under commands, 'Permit unmatched commands'. That is pretty basic. Some switches require more specific information; for example, in the video we had to add priv-lvl=15 as a Service attribute to skip the enable prompt, but that is specific to ArubaOS switches.
Hope this helps you in the right direction.
I'm trying to create two separate services that are very similar. One of them is for a group of vendors, the other is for our internal IT employees. What I'd like to do is something like this:
Service "Vendor access" which triggers if the user attempting auth is accessing a specific device group (i.e. Connection:NAD-IP-Address belong_to_group routers) AND the user belongs to AD group "Vendors"
Then after that in order is an employee policy which is not restrictive at all and permits all access. As of right now I am unable to find a way for the service policy to be triggered by both the connection device group and an AD group. Is that possible? Or should I have one service rule for the device group, then use a role mapping policy?
This is not possible as authorization occurs after service categorization and authentication. Use the same service with different enforcement rules and/or role mapping.
I'm trying to create two service rules for the same SSID: one for EAP-TLS and one for EAP-PEAP (or anything other than EAP-TLS). I have for the service rule for the EAP-TLS service:
I cannot get clients to hit this service with this rule. Trying to find out if the type should be different or if I'm messing something up in my logic. I have the same service rule for EAP-PEAP, but with a "NOTEQUALS" for the operator.
Thanks Tim. To make sure I understand, instead of splitting the Services up, keep one service but split the roles based on the enforcement policy?
EAP method is negotiated after service categorization and thus cannot be used to categorize a service.
In Service rules, you can set up matches for CONTAINS. How can you list multiple values, like an OR list? I haven't found a delimiter that makes this work yet. I suppose the alternative is RegEx, but a simple delimited OR list would just be a lot simpler.
We can't automatically parse it because Cisco allows the CSID to be changed.
You can use the CSID in role mapping. You don't have to make individual services.
I've gone ahead and tinkered with Regex; looks like I've got it working.
Cisco will send AP name, it just sends it in the Radius:IETF:Called-Station-Id field (when you change the setting). I would think Aruba could just parse that field and drop the result into AP-Name. From what I've noticed, I can't use Radius:IETF:Called-Station-Id in an enforcement policy rule, which is why I have to create new services and use service rules. If I could use AP-Name, that I can put in an enforcement policy. Unless I'm missing where I can use Radius:IETF:Called-Station-Id in an enforcement policy..?
You'd need to use regex then.
ClearPass parses what Cisco provides correctly. They don't send AP name as its own VSA like most other vendors.
I have tried solving an Airgroup issue (no CPPM) with a not-small cluster of newer IAPs (184.108.40.206), wherein the allowed services are not being discovered by user devices. What I want is all wireless clients to see all of the allowed services from any of the other IAPs in the cluster.
A few preliminary notes:
- whoever made the "allowall" service simply selected the already-defined "service-id" strings instead of actually making any/all service strings allowed -- to you I ask "why? why make the label not match a desired function?"
- I am using ARD (apple remote desktop) and chrome books in an educational environment. Chromecast and appleTV are heavily utilized here.
- There is only 1 VLAN here. There is an IP set for the IAP VC. User traffic and
- Even my home lab of 2 IAPs shows services available on one AP but not on the other.
- I have broadcast filtering disabled. Multicast transmission optimization is set, as is DMO. This, as I understand it, should allow any requests through.
On AP-1 to which I connect a Chromecast device, on the same AP-1 my laptop is able to cast/stream directly to it. This is the desired effect.
When I try to cast from my laptop associated to AP-2, also in the same general region, it does not function. "show airgroup swarm-info" or "cache entries" shows one AP and its entries, but not that of the others (typically). Sometimes it does show 2 APs in the swarm-info command, but in a group of 60+ I would expect the cached entries to be shared amongst them frequently and completely.
The Main Questions I want answered are:
- Is there a way to disable the Airgroup feature so that it doesn't interfere with any of the mDNS/Bonjour/DLNA traffic and simply lets everything through? What is needed from the GUI for WLAN config, and Airgroup GUI or Airgroup CLI config to make this happen?
- Why does an adjacent IAP not discover and report the services which I have enabled in the Airgroup tab?
- What is the logic for IAPs to discover wireless clients that offer service-id strings, how often does this occur, and how do they discover/(and ultimately report) those learned from a different IAP?
Thank you for any clarification offered.
Well, disabling airgroup (cli: "no airgroup") doesn't seem to have the desired effect. None of the services are seen now, whether wireless or wired, on wireless devices. I've tried disabling any of the multicast/broadcast optimizations, and no change.
How do I enable all mDNS traffic to proceed between devices in an IAP network?
So Airgroup will only function correctly when there are different VLANs being bridged? As I understood it, the Airgroup service steps in to fill the role of mDNS responder and querier, so should work on the same L2 domain as well. I just thought it served as a Per-AP bonjour gateway that listened in on UDP 220.127.116.11 w/ MAC 01:00:5E:00:00:FB and performed service-id filtering on what it saw on its interfaces. Could you explain the operation if it differs from this?
Issuing "no airgroup" from the CLI "configure terminal" section did make all of the services be broadcast on this AP, which is very helpful. I'll test to see if the other AP is letting those through as well. Thank you for that: this accomplishes my "allowall" that I was expecting for testing purposes.
I still would like the ability to filter out certain services, and permit only a few, even on the flat network.
If not possible, I can go back to the customer with this information that a flat network has troubles with filtering mDNS, but I would like to know if there are any options before saying so.
Check and verify if deny inter user bridging is enabled. If all of your devices are wireless, this setting would preclude them from being reached. The setting is found under System > General > "Show Advanced Options"; it is near the bottom of the page.
If you have disabled AirGroup and the Broadcast Filtering on the SSID then all layer 2 broadcasts should be allowed via wireless and wired. Essentially nothing should be blocked.
I recommend downloading and referring to the user guide which discusses AirGroup in depth in Chapter 23.
This issue is resolved in AV/AS Update version 1.48751.
To install AV/AS Update version 1.48751, go to the Software Updates page and click on "Check Status Now".
Start the policy service if not already started.
I'm sure one will come out soon. It's 3 am at corporate. As for now, all update pushes to the web service will be suspended until it can be fully investigated and an official response can be posted.
I'm trying to get wired captive portal guest access working with a Cisco switch.
I realize this needs two services. The initial mac-auth service is working fine... returning the redirect-url and redirect-url-acl to the switch.
But I'm having problems with the captive portal.
We are browsing to http://<clearpassIP>/guest/ciscowiredguest.php?mac=11:22:33:44:55:66, and that brings up the login form.
But when I enter a known guest account and click submit, Access Tracker shows a REJECT. The message is: "Failed to classify request to service". The authentication attempt comes in with just the user name, no other info.
I have an active service of type "Web-based Authentication" and the rule is:
Host - Checktype - MATCHES_ANY - Authentication.
Is there some other rule I need to make this work?
Is there a special configuration needed for the captive portal login page?
Am I correct in understanding that the switch is not involved in this part of the transaction (until it succeeds, of course, at which point it gets a CoA Terminate session)?
Hm, definitely should be matching that.
Please post a few screenshots of the access tracker request tabs.
Let me present a Guest access scenario.
The company is using two separate subnets for Corporate (10.x.x.x) and Guest (172.x.x.x) users. The ClearPass cluster is providing wireless 802.1X and Guest services. The Management port is configured with an IP in the Corporate subnet, while the Data port is configured with an IP in the Guest one.
The WLAN infrastructure is pointing towards the Captive Portal page on the Guest subnet (https://10.x.x.x/<page_name>.php), and when a user connects to the Guest SSID, the CP page with self-registration is displayed. After entering and confirming the required details, account info is displayed on the page.
My question is what happens after clicking on the "Log In" button on the login page, and how are authentication/RADIUS packets flowing?
My guess is that when the user (10.x.x.x) tries to log in, his request is sent to the Management port (172.x.x.x) in the form of a RADIUS request, processed by Policy Manager, and the resulting acceptance/rejection is returned back to the user.
So, questions are: a) is that authentication flow correct, or not, b) if correct, what is the purpose of Data port in Guest scenario, c) how would you design this more elegantly.
Thanks everyone in advance.
My guess is that when user (10.x.x.x) tries to log in, his request is sent to Management port (172.x.x.x) in the form of RADIUS request, processed by Policy Manager, and resulting acceptance/rejection returned back to a user.
One of the use cases is to place the data port in the DMZ to host the captive portal page (Guest, OnGuard, Onboard); that way the guest/quarantine user is not able to reach the internal (management port) interface of the ClearPass appliance.