Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Nortel Passport Policy not working on CPPM

  • 1.  Nortel Passport Policy not working on CPPM

    Posted Jul 14, 2021 12:12 PM
    Hi,

    I am currently testing ClearPass Policy Manager. I am trying to get a RADIUS policy working for access control to my Nortel Passports. I have 4 different user privilege levels and have set up the policy as I think it should be.
    I had to first export the pre-installed 'Nortel' dictionary because it didn't contain the 'Allowed Values' I needed for the attributes I use. The dictionary attributes are then used in my ClearPass 'Enforcement Profiles and Policy', which I have then added to the main Services policy.
    However, the Enforcement policy is being ignored when I try to log in to one of my Nortel Passports. If I go to the live monitoring Access Tracker it shows my login status as 'ACCEPT', but the Passport obviously isn't letting me in still, as it can't see the enforcement policy/profile to let me in with! How do I resolve this issue?

    I have tried multiple different options to try and force it to look at the Enforcement policy but nothing appears to be working.

    Regards

    Neil

    ------------------------------
    Neil Bishop
    ------------------------------


  • 2.  RE: Nortel Passport Policy not working on CPPM

    MVP
    Posted Jul 14, 2021 05:06 PM
    Not sure where to start, there is a lot to check/review....

    So you see the authN from the client/device hitting CPPM in Access-Tracker {AT}, and then CPPM is returning a RADIUS-Accept, so,

    In your rules evaluation are you set to First applicable or All matches?
    In AT in the Output tab is there a RADIUS Response listed?
    In AT in the Output tab what enforcement profiles are listed?
    Have you set the default profile to an ACCEPT Profile?

    Are you doing any role-mapping before enforcement?



    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 3.  RE: Nortel Passport Policy not working on CPPM

    Posted Jul 15, 2021 03:35 AM
    In your rules evaluation are you set to First applicable or All matches? First applicable
    In AT in the Output tab is there a RADIUS Response listed? I will need to get back to you on this as I don't have access to my CPPM today.
    In AT in the Output tab what enforcement profiles are listed? None, which I think is my problem because my Passports can't see what attribute values to give the user.
    Have you set the default profile to an ACCEPT Profile? No, my default is set to Deny Access.

    Are you doing any role-mapping before enforcement? Yes, I have 4 User access levels so I have to use role-mapping. e.g. Local User Repository: Role_Name EQUALS Read_Only. The role-mapping is set to first applicable as well.

    I am back in my office tomorrow so might be able to get some screenshots as well if needed.

    cheers


    ------------------------------
    Neil
    ------------------------------



  • 4.  RE: Nortel Passport Policy not working on CPPM

    MVP
    Posted Jul 15, 2021 12:36 PM
    Neil,

    In the service-policy have you accidentally enabled 'Monitor Mode'.... this effectively disables enforcement and forces CPPM to send a RADIUS Access-Accept?

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 5.  RE: Nortel Passport Policy not working on CPPM

    Posted Jul 16, 2021 05:10 AM
    I've checked the 'Monitor Mode' and it is disabled. Please see these screenshots to show how my policy is set up.


    ------------------------------
    Neil
    ------------------------------



  • 6.  RE: Nortel Passport Policy not working on CPPM

    Posted Jul 16, 2021 07:04 AM
    Here are some of the screenshots from the Access Tracker.... The last one that says 'No Enforcement Profiles are applicable for this Device' is the message I can't understand, because my devices are set up to require the profiles, so why is it saying not applicable!!


    ------------------------------
    Neil
    ------------------------------



  • 7.  RE: Nortel Passport Policy not working on CPPM

    EMPLOYEE
    Posted Jul 16, 2021 11:10 AM
    What is in your Enforcement profile?
    What is the Vendor Type in the Network Device configuration?

    The message indicates these are incompatible. If you use a Nortel VSA, the Network Device should be set to Nortel. Also, the RADIUS Dictionary should be Enabled.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Nortel Passport Policy not working on CPPM

    Posted Jul 19, 2021 06:47 AM
    What is in your Enforcement profile? I have 10 attributes configured for each of the 4 access profiles we use which are from the Nortel dictionary that we use. e.g. Passport-Command-Impact EQUALS passive (7).

    What is the Vendor Type in the Network Device configuration? The Vendor name on the device config is Nortel

    The message indicates these are incompatible. If you use a Nortel VSA, the Network Device should be set to Nortel. Also, the RADIUS Dictionary should be Enabled. The dictionary is enabled. The only difference I can see is that my current RADIUS server, which works with our Passports, has the dictionary attributes set as INT (integer) for most of them, but on ClearPass they are set as Unsigned32. I have tried exporting and changing this on the XML file but it then doesn't allow me to Import the file as it doesn't recognise Integer on ClearPass.

    ------------------------------
    Neil
    ------------------------------



  • 9.  RE: Nortel Passport Policy not working on CPPM

    EMPLOYEE
    Posted Jul 19, 2021 07:23 AM
    Think most effective would be to open a case with your Aruba Partner or Aruba support. The message 'no enforcement profile applicable for this device' suggests that you have a proper profile selected, but the attributes are not valid for your Nortel device, hence the ask about the vendor setting.

    I believe Unsigned32 is just another word for Int; but Support can probably help you with that as well.

    ------------------------------
    Herman Robers
    ------------------------------
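
One way to check, from a captured RADIUS reply, whether an Access-Accept actually carries any vendor-specific attributes and how a 32-bit value such as 7 is laid out on the wire. This is an added example, not part of the thread and not ClearPass or Nortel code; vendor ID 99999 and vendor-type 1 are constructed placeholders, not Nortel's real numbers, and the sample packets are built inline with a zeroed authenticator.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that wraps vendor attributes
ACCESS_ACCEPT = 2           # RFC 2865 packet code
PLACEHOLDER_VENDOR = 99999  # constructed vendor ID, NOT Nortel's real number


def encode_vsa_u32(vendor_id, vendor_type, value):
    """One VSA holding a 32-bit value (RFC 2865 'integer': unsigned, MSB first)."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def build_accept(identifier, attrs):
    """Constructed Access-Accept; the authenticator is zeroed, so parse-only."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                       20 + len(body), bytes(16)) + body


def parse_vsas(packet):
    """Return (code, [(vendor_id, vendor_type, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    pos, found = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            sub, end = pos + 6, pos + alen
            while sub + 2 <= end:
                vtype, vlen = packet[sub], packet[sub + 1]
                if vlen < 2 or sub + vlen > end:
                    raise ValueError("malformed vendor sub-attribute")
                found.append((vendor_id, vtype, packet[sub + 2:sub + vlen]))
                sub += vlen
        pos += alen
    return code, found


# Constructed samples: an accept with only Reply-Message (type 18), and one
# that also carries placeholder vendor-type 1 with the value 7.
REPLY_MSG = struct.pack("!BB", 18, 4) + b"ok"
BARE_ACCEPT = build_accept(1, [REPLY_MSG])
VSA_ACCEPT = build_accept(2, [REPLY_MSG, encode_vsa_u32(PLACEHOLDER_VENDOR, 1, 7)])
```

An empty list from `parse_vsas` on a captured accept means the reply carried no vendor attributes, which matches an Access Tracker entry with no enforcement profiles in the output.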