We are in the beginning of a ClearPass rollout, with HP 3800s as our access layer. We have a MAC list for phones, and those are working via MAC-based auth. Right now there is a pilot of one port - mine - using ClearPass. My laptop is plugged into the back of the phone, and although I get online and placed in the correct VLAN, there is no actual enforcement profile given in the Access Tracker. I am also seeing this in the logs:
Any ideas what might be going on there? The only thing I could find on this site was to verify that the Insight Repository was an authorization source in the service, and it is.
Sure thing. Just in case, here is also the relevant HP switch portion of the config:
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 1/9
aaa port-access authenticator 1/9 quiet-period 5
aaa port-access authenticator 1/9 logoff-period 862400
aaa port-access authenticator 1/9 client-limit 5
aaa port-access authenticator active
aaa port-access mac-based 1/9
aaa port-access mac-based 1/9 addr-limit 5
aaa port-access mac-based 1/9 logoff-period 862400
aaa port-access mac-based 1/9 quiet-period 30
aaa port-access mac-based addr-format single-dash
aaa port-access 1/9 mixed
It fails MAC auth because only the phones are supposed to MAC auth, but here it is failing the MAC auth.
Sorry, I'm not following. So the phone is being MAC authenticated and the laptop is doing 802.1X?
That is correct
That was the first picture I attached.
It appears that the problem stems from the fact that there is no Endpoint information in the input profile of the device. Annoying to me is that I have an instance of CPPM running in QA, configured the same, same version, HP 3800 in QA, same config (CPPM-wise, but pointing at the prod CPPM), and the QA CPPM is getting the Endpoint info that the production CPPM isn't. They are using different radius keys and SNMP strings in QA and prod. Are there any special characters that aren't allowed by CPPM? Or, they are accepted, but cause problems?