I am currently implementing OnConnect Enforcement in my lab environment and it's working relatively well. I am, however, having some intermittent issues with our NEC DT700 series VoIP phones. OnConnect successfully categorizes the phone and applies the correct role and enforcement profile; however, when I look through the alerts tab in the access tracker I get the following:
SNMP Service: MAC address lookup failed for host=00-60-b9-8b-1a-98
As a result, no port change/reset is requested via SNMP to the switch. In this case, it is an Aruba 2920 running 16.06 firmware. ClearPass is on 6.7.0.
I can change the port and sometimes it will work successfully, without any further changes to configuration.
Any ideas? Many thanks.
Did you follow the ClearPass Solution Guide: Wired Policy Enforcement?
It has a section on OnConnect for the ArubaOS switches. From your error, there might be an issue with the SNMP traps for new MAC addresses not coming into the switch.
Having said that, if you have ArubaOS switches, in 99.9% of all cases it is better to deploy MAC authentication together with Profiler for headless devices. It has better features and works much faster, as MAC Authentication is proactive (before the device connects to the network) and OnConnect is reactive (responds to SNMP traps), which works but is not the recommended way if you can do MAC Authentication and/or 802.1X.