Hi Victor,
this is the IAP configuration (I've deleted the CaptivePortal part and the SSID, which aren't part of the problem):
version 8.8.0.0-8.8.0
virtual-controller-country DE
virtual-controller-key X
name VC-Extern
virtual-controller-ip X.X.X.X
syslog-level info
terminal-access
ntp-server X.X.X.X
clock timezone Berlin 01 00
clock summer-time CEST recurring last sunday march 02:00 last sunday october 03:00
rf-band all
dynamic-radius-proxy
ams-ip X.X.X.X
ams-key X
ams-identity X
allow-new-aps
allowed-ap XXX
snmp-server community XXXX
arm
 wide-bands 5ghz
 80mhz-support
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode default-access
 client-aware
 scanning
 client-match
 client-match slb-mode 3
rf dot11g-radio-profile OC
 spectrum-monitor
 max-tx-power 127
 min-tx-power 3
 smart-antenna
rf dot11a-radio-profile OC
 spectrum-monitor
 max-tx-power 127
 min-tx-power 3
 smart-antenna
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
wlan access-rule OC-WLAN-Test
 index 9
 rule any any match any any any permit
wlan ssid-profile OC-WLAN-Test
 enable
 index 5
 type employee
 essid OC-WLAN-Test
 opmode wpa2-aes
 max-authentication-failures 0
 auth-server clearpass
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 radius-accounting
 radius-interim-accounting-interval 3
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 okc
 dot11r
 dot11k
 dot11v
auth-survivability cache-time-out 24
mgmt-auth-server clearpass
mgmt-auth-server-local-backup
dpi
url-visibility
wlan auth-server clearpass
 ip X.X.X.X
 port 1812
 acctport 1813
 timeout 7
 key X
 nas-id aruba-master
 rfc5997
 rfc3576
 cppm-rfc3576-port 3799
 service-type-framed-user 1x
 service-type-framed-user cp
 service-type-framed-user mac
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
 wireless-containment none
 infrastructure-detection-level medium
 client-detection-level medium
 infrastructure-protection-level low
 client-protection-level low
wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x
enet0-port-profile default_wired_port_profile
uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180
cluster-security
 allow-low-assurance-devices
------------------------------
Matthias Pohl
------------------------------
Original Message:
Sent: Oct 07, 2021 11:39 AM
From: Victor Fabian
Subject: ClearPass Configuration Problem
Can you please share your IAP configuration and the ClearPass profile you are sending?
------------------------------
Victor Fabian, ACEX#8
Mobility Architect @ WEI
Original Message:
Sent: Oct 07, 2021 09:22 AM
From: Matthias Pohl
Subject: ClearPass Configuration Problem
I've implemented a Wired-MAC based service for my switch ports. The service checks the category of the device that is connected to the switch (Computer, VoIP Phone, Access Point).
This works fine: the access point is recognized correctly and the appropriate VLANs are assigned (one untagged VLAN for the AP and two tagged VLANs).
If I now try to establish a Wi-Fi connection, the correct service is hit and the correct profile is assigned. But it looks as if the VLANs aren't assigned correctly (the client didn't get an IP address, so I guess it's not in the correct VLAN).
If I connect the access point to a port where I assign the VLANs (one untagged, two tagged) statically, everything works fine. Not sure if it is a CPPM configuration or a switch configuration problem...
Switch: Aruba 2530, (YA.16.10.0013)
Access Point: Aruba IAP 305 (8.8.0.1)
------------------------------
Matthias Pohl
------------------------------