Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Configuration Problem

Jump to Best Answer
This thread has been viewed 39 times
  • 1.  ClearPass Configuration Problem

    Posted Oct 07, 2021 09:22 AM

    I´ve implemented a Wired-MAC based Service for my switch ports. The service checks the category of the device, which is connected to the switch (Computer,VoIP Phone,Access Point).

    This works fine, the AccessPoint is recognized correctly and the appropiate VLANs are assigned (one untagged VLAN for the AP and two tagged VLANs).
    If I now try to establish a Wifi connection the correct service is hit and the correct profile is assigned. But I looks like, if the VLANs isn´t assigned correctly (The client didn´t get an IP address, so I guess it´s not in the correct VLAN).

    If I connect the AccessPoint to a port where I assign the VLANs (one unttagged, two tagged) static, everything is working fine. Not sure if it is a CPPM configuration or a switch configuration problem...

    Switch: Aruba 2530, (YA.16.10.0013)
    Access Point: Aruba IAP 305 (8.8.0.1)



    ------------------------------
    Matthias Pohl
    ------------------------------


  • 2.  RE: ClearPass Configuration Problem

    Posted Oct 07, 2021 11:39 AM
    Can you please share your IAP configuration and ClearPass profile you are sending ?

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------



  • 3.  RE: ClearPass Configuration Problem

    Posted Oct 07, 2021 12:38 PM
    Hi Victor,

    this is the IAP configuration (I´ve deleted the CaptivePortal Part and the SSID which aren´t part of the problem):

    version 8.8.0.0-8.8.0
    virtual-controller-country DE
    virtual-controller-key X
    name VC-Extern
    virtual-controller-ip X.X.X.X
    syslog-level info
    terminal-access
    ntp-server X.X.X.X
    clock timezone Berlin 01 00
    clock summer-time CEST recurring last sunday march 02:00 last sunday october 03:00
    rf-band all
    dynamic-radius-proxy
    ams-ip X.X.X.X
    ams-key X
    ams-identity X

    allow-new-aps

    allowed-ap XXX

    snmp-server community XXXX

    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    client-aware
    scanning
    client-match
    client-match slb-mode 3

    rf dot11g-radio-profile OC
    spectrum-monitor
    max-tx-power 127
    min-tx-power 3
    smart-antenna

    rf dot11a-radio-profile OC
    spectrum-monitor
    max-tx-power 127
    min-tx-power 3
    smart-antenna

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    wlan access-rule OC-WLAN-Test
    index 9
    rule any any match any any any permit

    wlan ssid-profile OC-WLAN-Test
    enable
    index 5
    type employee
    essid OC-WLAN-Test
    opmode wpa2-aes
    max-authentication-failures 0
    auth-server clearpass
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    radius-accounting
    radius-interim-accounting-interval 3
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    okc
    dot11r
    dot11k
    dot11v

    auth-survivability cache-time-out 24

    mgmt-auth-server clearpass

    mgmt-auth-server-local-backup

    dpi

    url-visibility

    wlan auth-server clearpass
    ip X.X.X.X
    port 1812
    acctport 1813
    timeout 7
    key X
    nas-id aruba-master
    rfc5997
    rfc3576
    cppm-rfc3576-port 3799
    service-type-framed-user 1x
    service-type-framed-user cp
    service-type-framed-user mac

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
    wireless-containment none
    infrastructure-detection-level medium
    client-detection-level medium
    infrastructure-protection-level low
    client-protection-level low

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x

    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180

    cluster-security
    allow-low-assurance-devices


    ------------------------------
    Matthias Pohl
    ------------------------------



  • 4.  RE: ClearPass Configuration Problem

    Posted Oct 07, 2021 12:40 PM
    This is the profile for the AccessPoint:

    This is the profile for the Client:


    ------------------------------
    Matthias Pohl
    ------------------------------



  • 5.  RE: ClearPass Configuration Problem

    Posted Oct 07, 2021 06:26 PM

    I think your client enforcement profile isn't correct.

    Try to use the vendor specific attribute "Aruba-User-Vlan".



    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 6.  RE: ClearPass Configuration Problem

    Posted Oct 13, 2021 03:21 AM
    Sorry for the delay...
    I´ve changed the VSA to "Aruba-User-Vlan" but still the same problems. I don´t think the VSA is a problem, cause otherwise I would expect the client connection to fail all the time. But it works fine, when the IAP is connected to the port where the VLANs are assigend manually.

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 7.  RE: ClearPass Configuration Problem
    Best Answer

    Posted Oct 13, 2021 04:50 AM
    Check the Access Tracker. You will see denied authentictions from your wireless devices against the wired mac auth services.

    Add Radius:Hewlett Packard HPE-Port-Macauth-Port-Mode = Port Mode and Radius:Hewlett Packard HPE-Port-Dot1x-Client-Limit = 0 to your AP Enforcement Profile.

    These rules will stop any new authentications on the switchport after the AP is authorized, basically trusting the attached device to handle the additional authentications. These are needed for any brand AP that bridges traffic.

    Rgds, Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------



  • 8.  RE: ClearPass Configuration Problem

    Posted Oct 14, 2021 03:33 AM
    Thx a lot! You solved my problem.

    ------------------------------
    Matthias Pohl
    ------------------------------