Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

  • 1.  Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 09, 2021 07:47 AM
    Hello community,

    We have an Aruba CX 6300F switch and a ClearPass running.
    We have configured downloadable user roles on the switch and on ClearPass.

    After a successful authentication via 802.1X, the client shows the status unauthenticated. However, it gets an IP and can access resources on the same network.
    The switch displays the status authenticated.

    I think the error is in the acl that is downloaded on the switch.

    The ACL: see picture.



    Many thanks


  • 2.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    MVP GURU
    Posted Feb 09, 2021 03:39 PM
    What do you have on the CLI with the command about the user role?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 10, 2021 09:58 AM
    Hi Leon,

    When you say the client says unauthenticated, do you mean that Windows shows that in the adapter settings? I would say that is a problem with Windows then, if everything else is working as expected.

    What does the switch say when you look into the user with "show port-access client detail"?


    ------------------------------
    AutoCreation
    ------------------------------



  • 4.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 10, 2021 10:16 AM
    Hi,

    Yes, Windows shows unauthenticated on the network adapter...

    When I change the ACL seq 100 alltraffic from drop to permit, everything works fine.


    The switch shows authenticated on both.

    thanks


  • 5.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    MVP GURU
    Posted Feb 10, 2021 02:39 PM
    The output of the command asked for by bkohnhe (show port-access client detail)?




  • 6.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 11, 2021 03:17 AM

    Hi,

    Here is the switch output for the rule with the drop at the end:

    show port-access clients detail

    Port Access Client Status Details:

    Client e8:9a:8f:27:91:33, SYSTEC\vertrieb-test
    ============================
    Session Details
    ---------------
    Port : 1/1/1
    Session Time : 51s
    IPv4 Address :
    IPv6 Address :

    VLAN Details
    ------------
    VLAN Group Name :
    VLANs Assigned : 26,30
    Access : 30
    Native Untagged : 30
    Allowed Trunk : 26

    Authentication Details
    ----------------------
    Status : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

    Authorization Details
    ----------------------
    Role : TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    Status : Applied


    Role Information:

    Name : TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    Type : clearpass
    Status: Completed
    ----------------------------------------------
    Reauthentication Period :
    Cached Reauthentication Period :
    Authentication Mode :
    Session Timeout :
    Client Inactivity Timeout :
    Description :
    Gateway Zone :
    UBT Gateway Role :
    UBT Gateway Clearpass Role :
    Access VLAN :
    Native VLAN : 30
    Allowed Trunk VLANs : 26
    Access VLAN Name :
    Native VLAN Name :
    Allowed Trunk VLAN Names :
    VLAN Group Name :
    MTU :
    QOS Trust Mode :
    STP Administrative Edge Port :
    PoE Priority :
    Captive Portal Profile :
    Policy : DUR-Vertrieb_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3


    Access Policy Details:

    Policy Name : DUR-Vertrieb_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    Policy Type : Downloaded
    Policy Status : Applied

    SEQUENCE CLASS TYPE ACTION
    ----------- ---------------------------- ---- ----------------------------------
    10 DHCP-DNS_TG_Aruba_CX_DUR_... ipv4 permit
    30 VLAN25_TG_Aruba_CX_DUR_Ve... ipv4 drop
    40 VLAN29_TG_Aruba_CX_DUR_Ve... ipv4 drop
    100 alltraffic_TG_Aruba_CX_DU... ipv4 drop


    Class Details:

    class ip DHCP-DNS_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match udp any eq 67 any
    20 match udp any eq 68 any
    30 match udp any eq 53 any
    class ip VLAN25_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match any any 192.168.25.0/255.255.255.0 count
    class ip VLAN29_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match any any 192.168.29.0/255.255.255.0
    class ip alltraffic_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    20 match any any any




    Thanks

    ------------------------------
    Tobias Gabriel
    ------------------------------



  • 7.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 11, 2021 05:46 AM
    That is strange. 
    I just tested it in my setup. I built an ACL with only DNS and DHCP allowed and everything else denied, just like you.

    Windows shows it is authenticated but the network is not identified, as expected, because I don't have a DHCP in my test environment.

    The switch looks the same as yours. Does every Windows client show unauthenticated?

    ------------------------------
    AutoCreation
    ------------------------------



  • 8.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 12, 2021 03:17 AM
    Hi,

    At the moment I'm working from home and I can only test with one client via remote connection.
    Next week I am back at the office and I will test the authentication with another client.
    Maybe you are right and this is only a client problem.

    Thanks


  • 9.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated
    Best Answer

    Posted Feb 15, 2021 08:37 PM
    Leon,

    I feel like you need to adjust your DHCP and DNS entries. Here is what I am using. DHCP will use a source port of 68 and a destination port of 67 from the server. Same with DNS: it is a destination port, not a source port.

    class ip DHCP
    10 match udp any eq 68 any eq 67 count
    exit

    class ip DNS
    10 match udp any any eq 53 count
    exit


    With your other rules you're not permitting any traffic.

    10 DHCP-DNS_TG_Aruba_CX_DUR_... ipv4 permit
    30 VLAN25_TG_Aruba_CX_DUR_Ve... ipv4 drop
    40 VLAN29_TG_Aruba_CX_DUR_Ve... ipv4 drop
    100 alltraffic_TG_Aruba_CX_DU... ipv4 drop


    Class Details:

    class ip DHCP-DNS_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match udp any eq 67 any
    20 match udp any eq 68 any
    30 match udp any eq 53 any
    class ip VLAN25_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match any any 192.168.25.0/255.255.255.0 count
    class ip VLAN29_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    10 match any any 192.168.29.0/255.255.255.0
    class ip alltraffic_TG_Aruba_CX_DUR_Vertrieb_restricted-3083-3
    20 match any any any

    ------------------------------
    Christopher Calhoun
    ------------------------------
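As an added illustration (not code from the thread, from HPE Aruba or from ClearPass): a small Python simulation of how the two class sets above treat client-originated flows. Class names are shortened, the sample flows and addresses are constructed, and the matching semantics (the policy is applied to traffic the client sends, the first policy entry whose class matches decides, and unmatched traffic is dropped) are assumptions made for the simulation, not a statement about the switch's implementation. It also includes one flow the thread does not discuss: UDP sent from source port 53, to show what a source-port permit lets through.

```python
"""Simulate how a downloadable-role policy treats client traffic.

Added example, not ArubaOS-CX or ClearPass code. Assumed semantics: policy is
evaluated on packets the client SENDS, the first policy entry whose class has a
matching line decides, unmatched traffic is dropped. Class names are shortened.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Entry:
    proto: str                       # "udp", "tcp" or "any"
    src_net: Optional[IPv4Network]   # None = "any"
    src_port: Optional[int]          # None = no "eq" on the source side
    dst_net: Optional[IPv4Network]
    dst_port: Optional[int]

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "any" or self.proto == f.proto)
                and (self.src_net is None or ip_address(f.src_ip) in self.src_net)
                and (self.dst_net is None or ip_address(f.dst_ip) in self.dst_net)
                and (self.src_port is None or self.src_port == f.src_port)
                and (self.dst_port is None or self.dst_port == f.dst_port))


def _addr(tok: str) -> Optional[IPv4Network]:
    # "any" or CX-style network/netmask such as 192.168.25.0/255.255.255.0
    return None if tok == "any" else ip_network(tok, strict=False)


def parse_classes(text: str) -> Dict[str, List[Entry]]:
    """Parse 'class ip NAME' blocks of 'SEQ match PROTO SRC [eq P] DST [eq P] [count]'."""
    classes: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        if line.startswith("class ip "):
            current = line.split(None, 2)[2]
            classes[current] = []
            continue
        toks = line.split()
        assert current is not None and toks[1] == "match", f"unexpected line: {line}"
        toks = toks[2:]                      # drop sequence number and 'match'
        proto, src = toks.pop(0), _addr(toks.pop(0))
        src_port = None
        if toks and toks[0] == "eq":         # "eq N" directly after an address is that side's port
            toks.pop(0)
            src_port = int(toks.pop(0))
        dst = _addr(toks.pop(0))
        dst_port = None
        if toks and toks[0] == "eq":
            toks.pop(0)
            dst_port = int(toks.pop(0))
        # trailing keywords such as 'count' do not affect matching
        classes[current].append(Entry(proto, src, src_port, dst, dst_port))
    return classes


Policy = List[Tuple[int, str, str]]   # (sequence, class name, action)


def evaluate(policy: Policy, classes: Dict[str, List[Entry]], f: Flow) -> str:
    for _seq, cname, action in sorted(policy):
        if any(e.matches(f) for e in classes[cname]):
            return action
    return "drop"   # assumed implicit drop after the last entry


# Classes as downloaded in the thread: DHCP/DNS matched on the SOURCE port.
ORIGINAL_CLASSES = """
class ip DHCP-DNS
10 match udp any eq 67 any
20 match udp any eq 68 any
30 match udp any eq 53 any
class ip VLAN25
10 match any any 192.168.25.0/255.255.255.0 count
class ip VLAN29
10 match any any 192.168.29.0/255.255.255.0
class ip alltraffic
20 match any any any
"""
ORIGINAL_POLICY: Policy = [(10, "DHCP-DNS", "permit"), (30, "VLAN25", "drop"),
                           (40, "VLAN29", "drop"), (100, "alltraffic", "drop")]

# Classes from the accepted answer: DHCP as 68 -> 67, DNS on the DESTINATION port.
CORRECTED_CLASSES = """
class ip DHCP
10 match udp any eq 68 any eq 67 count
class ip DNS
10 match udp any any eq 53 count
class ip VLAN25
10 match any any 192.168.25.0/255.255.255.0 count
class ip VLAN29
10 match any any 192.168.29.0/255.255.255.0
class ip alltraffic
20 match any any any
"""
CORRECTED_POLICY: Policy = [(10, "DHCP", "permit"), (20, "DNS", "permit"), (30, "VLAN25", "drop"),
                            (40, "VLAN29", "drop"), (100, "alltraffic", "drop")]

# Constructed client-originated flows; the addresses are made up for the example.
FLOWS = [
    Flow("DHCP discover", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Flow("DNS query", "udp", "192.168.30.50", 51234, "192.168.30.1", 53),
    Flow("HTTP to VLAN 25", "tcp", "192.168.30.50", 52000, "192.168.25.10", 80),
    Flow("UDP from source port 53 to VLAN 25", "udp", "192.168.30.50", 53, "192.168.25.10", 4444),
]


def verdicts(class_text: str, policy: Policy) -> Dict[str, str]:
    classes = parse_classes(class_text)
    return {f.name: evaluate(policy, classes, f) for f in FLOWS}


if __name__ == "__main__":
    for label, text, pol in (("original", ORIGINAL_CLASSES, ORIGINAL_POLICY),
                             ("corrected", CORRECTED_CLASSES, CORRECTED_POLICY)):
        print(label)
        for name, action in verdicts(text, pol).items():
            print(f"  {action:6s}  {name}")
```

Under the original classes the client's DNS query (ephemeral source port, destination 53) matches none of the DHCP-DNS lines and falls through to the alltraffic drop, while any UDP the client sends from source port 53 or 67 is permitted to every destination, including the VLANs the role is meant to block, because the permit at sequence 10 is evaluated before those drops. Under the corrected classes the query is permitted and the source-port-53 packet is dropped by the VLAN25 entry. The general point: in a role ACL applied to what the client sends, permits for services should key on the destination port; source-port permits are trivial for a client to satisfy by binding a socket to that port.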



  • 10.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 16, 2021 03:19 AM
    Hi Christopher,

    You made my day.
    That was the solution to my problem.
    Now everything is working with the restricted rule...

    Thank you for your support Christopher.

    ------------------------------
    Tobias Gabriel
    ------------------------------



  • 11.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 16, 2021 07:22 AM
    You are welcome. I noticed in the Wired Enforcement Policy Guide that there are some references to this that are incorrect. Ask me how I know? :) I typed them in and had weird issues. I sent a note to cappalli; hopefully they can edit that.

    -CC

    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 12.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    MVP GURU
    Posted Feb 16, 2021 03:53 PM
    ccappali doesn't work for Aruba... but there is a new author of the doc (search on Airheads!)




  • 13.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 16, 2021 03:58 PM

    Nonetheless, have whoever wrote it update it. It is wrong.

    This post led me to believe cappalli wrote it.



    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 14.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    MVP GURU
    Posted Feb 17, 2021 09:44 AM
    There is a new release with support for CX: https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us (look at the changelog).




  • 15.  RE: Aruba CX 6300F with Clearpass DUR Client shows unauthenticated

    Posted Feb 17, 2021 09:59 AM
    That is the document I am referencing that is wrong. For example, on page 179 the DHCP and DNS class matches are incorrect.


    Same on page 166.



    ------------------------------
    Christopher Calhoun
    ------------------------------