Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Aruba Central

  • 1.  ClearPass and Aruba Central

    Posted Apr 14, 2021 02:23 PM
    Hi,

    I am facing a few problems related to ClearPass and Aruba Central.
    We are using Aruba Central to manage switches and access points.
    The switches are AOS (2530 series mainly) and the access points are Aruba 505.

    1. The network management VLAN is using the same /24 subnet that is used for only these devices. We have 31 small remote branch offices and 2 larger main headquarters, and each location has its own /24 subnet for network devices.

    When defining the Network device in ClearPass I have to use "Hewlett Packard Enterprise" as vendor for switches, but the Aruba 505 needs "Aruba" as vendor and this presents an issue when they are on the same subnet.  All the network devices are on DHCP because this is a NaaS solution we will host for a client. So if new equipment is added to the network it can get shipped to the location and plugged in and it will get the required config from Aruba Central as long as the device has been added to the correct group and has a valid license. 

    Any tips on how to deal with this scenario?

    2. In Aruba Central I set up the "device profiling option" so it can automatically assign the correct VLANs to the switchport. If I add MAC auth on this port and I have only a RADIUS accept message in ClearPass, the switchport will not get untagged and tagged VLANs the way the device profiling option works. Is there a way to make this work? 

    3. I want 1 SSID for all devices, so an employee will be able to get its employee VLAN, and if it has a user in AD but the device is not an employee PC it should give a guest VLAN. I have added a service for this in ClearPass, but I am not seeing any traffic into ClearPass from the AP configured in Central.
    In Central I have added the SSID then the following:
    * Client IP - External DHCP server
    * Client VLAN assignment - Dynamic
    * VLAN assignment rules - Default "guest (named VLAN)"
    Then a rule under to return VLAN as Aruba-UserVLAN that I have set up in ClearPass.
    Under security I have added primary and secondary servers for the ClearPass Publisher and subscriber. 
    When I try to connect, nothing comes in the access tracker, but if I put MAC auth on the switchport it will. This could be a firewall-related issue where the traffic is blocked.

    Hopefully someone has run into similar issues and would be able to point me in the right direction.

    Thanks in advance,

    ------------------------------
    Rikard Berg
    ------------------------------


  • 2.  RE: ClearPass and Aruba Central

    MVP GURU
    Posted Apr 27, 2021 06:40 AM
    Hi Rikard,

    Have you found a solution?

    You can filter on service type on CPPM (not the same between a wireless user and wired).

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------