Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ip didn't appear after auth with CPPM

  • 1.  ip didn't appear after auth with CPPM

    Posted Dec 09, 2021 08:16 PM
    Hi,

    We have access switches, APs, access control, etc. authenticated from CPPM. After the authentication, the switch shows some IPs and does not show others.

    We tried many things to check this issue (upgrading firmware, changing configuration and authentication commands) but still have the same issue, while the core switch can reach them all but the access switches cannot.

    Kindly check the attachments.

    ------------------------------
    Amr Abo Hashima
    ------------------------------


  • 2.  RE: ip didn't appear after auth with CPPM

    EMPLOYEE
    Posted Dec 10, 2021 09:48 AM
    That is a switch feature, not ClearPass. Could it be that those devices have a static IP?

    What type of switch and firmware do you use?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ip didn't appear after auth with CPPM

    Posted Dec 10, 2021 10:58 AM
    Yes, all of those devices have static IPs, but as you see, most of them that have an IP did not appear. It is the same issue on all switches, but we can see their IPs on the core switch (6410).

    We use access switches (2930M), version wc16.11.0001.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 4.  RE: ip didn't appear after auth with CPPM

    Posted Dec 12, 2021 10:46 AM
    Any news on this issue?

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 5.  RE: ip didn't appear after auth with CPPM

    Posted Dec 13, 2021 08:45 AM
    Hi, like Herman said, this is a switch feature and not a ClearPass thing, but in order to see statically assigned IP addresses you may try the command "ip client-tracker" with "trusted/untrusted". You can read about it here: https://www.manualslib.com/manual/1650280/Hewlett-Packard-Enterprise-Aruba-2920.html?page=355.

    Hope this helps.

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 6.  RE: ip didn't appear after auth with CPPM

    Posted Dec 26, 2021 04:58 PM
    Can you check again? Thank you very much.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 7.  RE: ip didn't appear after auth with CPPM

    Posted Dec 20, 2021 03:08 PM
    Dears,

    I am still facing this issue, but with a different behaviour! We integrated the switches (2930M). I just found in the logs that some ports are Blocked by AAA! I don't know why. I tried bouncing the port, but when enabling the port the switch still blocks it by AAA. I need to find a solution ASAP; TAC is still searching in this case.

    Note:

    I configured ip client tracker and changed arp-age and probe-delay too, but nothing happened.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 8.  RE: ip didn't appear after auth with CPPM

    Posted Dec 20, 2021 03:51 PM
    Hi, you could see the reason, maybe, in 2 places:
    1. Debug the RADIUS authentication packets on the switch to know why the switch is blocking the port.
    2. Check in ClearPass, in Access Tracker, to see the reason for the reject, if any.

    Hope this helps

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 9.  RE: ip didn't appear after auth with CPPM

    Posted Dec 20, 2021 04:01 PM
    Hi Ulises,

    They got the right authentication on the switch and there are no reject logs on ClearPass.

    Just blocked by AAA in the switch log, and I don't know why.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 10.  RE: ip didn't appear after auth with CPPM

    Posted Dec 20, 2021 04:17 PM
    Please enable and share the radius authentication debug, not only the show log...

    The commands to debug the radius messages should be similar to this.
    debug security port-access authenticator
    debug security radius-server

    Regards


    ------------------------------
    Ulises Cazares
    ------------------------------



  • 11.  RE: ip didn't appear after auth with CPPM

    Posted Dec 21, 2021 04:30 AM
    Hi,

    Kindly check the snapshot from the command. It showed me that one was rejected or timed out, but I didn't receive any reject or failed logs on CPPM.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 12.  RE: ip didn't appear after auth with CPPM

    Posted Dec 21, 2021 08:04 AM
    Hi, you can see there that there is only one reject, so your issue shouldn't be authentication, but in order to be sure you need a debug output, not a show output, to see what is happening between the switch and ClearPass.

    If you share the debug output when a client is trying to authenticate, we may be able to figure out what's happening.
    Share the log you get in ClearPass for the authentication attempt and the switch config.

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 13.  RE: ip didn't appear after auth with CPPM

    Posted Dec 26, 2021 06:38 AM

    Dear Ulises,

    Thank you for the response. I already typed the commands but nothing showed. How can I generate it, though? I need to solve this issue ASAP.



    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 14.  RE: ip didn't appear after auth with CPPM

    Posted Dec 26, 2021 11:12 AM
    Look here: we have a number of ports up, but not all of the ports authenticated. Some authenticated on CPPM and others were blocked by the switch, and there are no logs on CPPM for those MACs. I don't know why this happened, and I tried many configurations.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 15.  RE: ip didn't appear after auth with CPPM

    Posted Dec 27, 2021 11:13 AM
    Please share the switch's config and the IP of the CPPM. Also, share the images from the Access Tracker for one of the MACs that appeared there: the summary, the input, output and alerts (if any) tabs.

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 16.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 04:28 AM
    Hi Ulises,

    Kindly check the attachments for CPPM and a sample from one switch

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 17.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 08:37 AM
    Hey, you didn't share the switch's config. If the issue is with some ports on the same switch please share all the config.


    ------------------------------
    Ulises Cazares
    ------------------------------



  • 18.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 08:59 AM
    Forgot to share it, so sorry.

    Kindly check it

    ------------------------------
    Amr Abo Hashima
    ------------------------------

    Attachment(s)

    txt
    current conf.txt   4 KB 1 version


  • 19.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 09:28 AM
    Please check the following document and make sure you are not missing any commands, and for now remove the RADIUS server with the IP ending in 33 that is just timing out, and test again.

    Regards

    ------------------------------
    Ulises Cazares
    ------------------------------

    Attachment(s)

    docx
    Aruba-MAC_Pinning.docx   456 KB 1 version


  • 20.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 03:54 PM
    Unfortunately, I tested it, but the same issue still exists: some ports are Blocked by AAA.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 21.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 04:45 PM
    Hi, check this thread; I think it is what is happening in your environment.

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=21374



    Hope this helps

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 22.  RE: ip didn't appear after auth with CPPM

    Posted Dec 28, 2021 07:01 PM
    Hi, yes, I checked it before already, but unfortunately nothing changed.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 23.  RE: ip didn't appear after auth with CPPM

    Posted Dec 30, 2021 12:18 PM
    Have you tried to connect a laptop or a phone to those ports that are blocked by AAA? Can you see the authentication attempts in ClearPass?

    If the test with the laptop and/or phone works, you should open a ticket with TAC, and just remember the following:

    * If the authentication request doesn't reach ClearPass, it is not a ClearPass issue, since it works for other ports on the same switch.
    * Have at hand the types and models of the devices connected to the ports that are not sending the authentication requests and remain in the blocking state.

    I think the general config on the switch is fine and it is something related to the devices connected to those ports.

    Hope this helps.

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 24.  RE: ip didn't appear after auth with CPPM

    Posted Jan 08, 2022 11:24 AM
    Hi Ulises,

    Thank you. Yes, I tried to connect my laptop to the blocked port and it worked, and I can see the authentication in CPPM, but I don't know why I faced this issue on many access switches, not only one.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 25.  RE: ip didn't appear after auth with CPPM

    Posted Jan 10, 2022 08:28 AM

    Hi, if it works with another device, I think it is something related to the type of device connected. What is the device or devices connected to the ports that remain in AAA blocked (remember what Herman said, that is part of the process: start in blocking state)? Have you tried to force traffic from the connected device to the network, or to restart the devices and see if there is any difference?



    ------------------------------
    Ulises Cazares
    ------------------------------



  • 26.  RE: ip didn't appear after auth with CPPM

    EMPLOYEE
    Posted Jan 04, 2022 04:56 AM
    Please work with your Aruba partner, or Aruba Support (TAC). The Blocked by AAA messages are part of the normal process, but the port should go 'online' quickly after that message.

    With interactive troubleshooting, this probably is easy to solve. It's much harder to solve in this forum by asking back and forth.

    ------------------------------
    Herman Robers
    ------------------------------



  • 27.  RE: ip didn't appear after auth with CPPM

    Posted Jan 08, 2022 11:21 AM
    Hi Herman,

    Thank you so much for your response. I actually tried to contact Aruba TAC, but they didn't respond to the issue yet, so I tried to find a solution quickly.

    ------------------------------
    Amr Abo Hashima
    ------------------------------



  • 28.  RE: ip didn't appear after auth with CPPM

    EMPLOYEE
    Posted Jan 10, 2022 04:57 AM
    If it takes so long to get a response from Aruba TAC, there probably is something wrong. Please try to phone them or escalate the support case if it was opened.

    ------------------------------
    Herman Robers
    ------------------------------