Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

OnConnect Intermittent Issues

  • 1.  OnConnect Intermittent Issues

    Posted Aug 01, 2018 07:38 PM

    Hi All,

     

    I am currently implementing OnConnect Enforcement in my lab environment and it's working relatively well. I am, however, having some intermittent issues with our NEC DT700 series VoIP phones. OnConnect successfully categorizes the phone and applies the correct role and enforcement profile; however, when I look through the alerts tab in the access tracker, I get the following:

     

    SNMP Service: MAC address lookup failed for host=00-60-b9-8b-1a-98

    Enforcement failed

     

    As a result, no port change/reset is requested via SNMP to the switch. In this case, it is an Aruba 2920 running 16.06 firmware. ClearPass is on 6.7.0.

     

    I can change the port and sometimes it will work successfully, without any further changes to configuration.

     

    Any ideas? Many thanks.

     



  • 2.  RE: OnConnect Intermittent Issues

    Posted Aug 02, 2018 03:26 AM

    Did you follow the ClearPass Solution Guide: Wired Policy Enforcement?

     

    It has a section on OnConnect for the ArubaOS switches. From your error, there might be an issue with the SNMP traps for new MAC addresses not coming into the switch.

     

    Having said that, if you have ArubaOS switches, in 99.9% of all cases it is better to deploy MAC authentication together with Profiler for headless devices. It has better features and works much faster, as MAC Authentication is proactive (before the device connects to the network) and OnConnect is reactive (responding to SNMP traps), which works but is not the recommended way if you can do MAC Authentication and/or 802.1X.