Today I had my first experience with Aruba ClearPass.
At first I would like to use a simple wired mac authentication configuration.
If an endpoint has a special attribute, e.g. "VOIP", it will receive a special VLAN and the session will be authenticated on the switch port.
I already created the roles, role mappings, profiles and a policy.
In the Access Tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"
But on the switch we do not see the correct VLAN. Only the following:
switch-stack-3# sh port-access 1/11 mac-based clients detailed
Port Access MAC-Based Client Status Detailed
  Client Base Details :
   Port : 1/11
   Client Status : authenticated      Session Time : 6 seconds
   MAC Address : 805ec0-1b84d3        Session Timeout : 0 seconds
   IP : n/a

  Access Policy Details :
   COS Map : Not Defined              In Limit Kbps : Not Set
   Untagged VLAN : 1                  Out Limit Kbps : Not Set
   Tagged VLANs : No Tagged VLANs
   Port Mode : 100FDx                 Auth Mode : User-based
   RADIUS ACL List : No Radius ACL List

   Auth Order : Not Set
   Auth Priority : Not Set
   LMA Fallback : Disabled
The switch configuration looks like this:
switch-stack-3# sh run | inc radius
radius-server host 172.X.X.X key "secret"
radius-server host 172.X.X.X dyn-authorization
radius-server host 172.X.X.X time-window 600
aaa authentication port-access eap-radius

interface 1/11
   untagged vlan 1
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 2
   aaa port-access mac-based addr-moves
   aaa port-access mac-based unauth-vid 999
   exit
Has anybody an idea what could be wrong?
Thanks and best regards
Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.
Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.
There is an excellent document that details a lot of this stuff here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17690
Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)
After I switched to RADIUS:IETF everything worked properly.
The PDF is very nice! Thanks a lot!
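As an added illustration (not part of the original thread and not Aruba tooling): a small Python check that parses the attribute section of a RADIUS Access-Accept and reports whether it carries the three IETF tunnel attributes recommended in the answer, or only a vendor-specific attribute. The sample byte strings are constructed, and the Aruba vendor id 14823 and sub-attribute number 2 come from the public FreeRADIUS Aruba dictionary, not from this thread.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, VSA, TUNNEL_PGID = 64, 65, 26, 81
VLAN, IEEE_802 = 13, 6  # RFC 2868 values used for RFC 3580 VLAN assignment


def parse_attrs(buf):
    """Yield (type, value) for each RADIUS attribute TLV in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {t}")
        yield t, buf[i + 2:i + length]
        i += length


def check_vlan_reply(buf):
    """Summarise the VLAN-related attributes of an Access-Accept."""
    out = {"tunnel_type": None, "medium": None, "vlan": None, "vsa_vendors": []}
    for t, v in parse_attrs(buf):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(v) == 4:
            # 1-byte tag followed by a 3-byte enumerated value
            key = "tunnel_type" if t == TUNNEL_TYPE else "medium"
            out[key] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PGID and v:
            # A first byte of 0x01-0x1F is a tag; otherwise it is already text
            text = v[1:] if 0 < v[0] <= 0x1F else v
            out["vlan"] = text.decode("ascii", "replace")
        elif t == VSA and len(v) >= 4:
            out["vsa_vendors"].append(struct.unpack("!I", v[:4])[0])
    out["rfc3580_ok"] = (out["tunnel_type"] == VLAN and out["medium"] == IEEE_802
                         and out["vlan"] is not None)
    return out


def attr(t, value):
    """Encode one attribute TLV (helper for the constructed samples)."""
    return bytes([t, len(value) + 2]) + value


# Constructed samples, not captured traffic.
VSA_ONLY = attr(VSA, struct.pack("!IBBI", 14823, 2, 6, 230))  # Aruba-User-Vlan
IETF = (attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
        + attr(TUNNEL_MEDIUM, b"\x00" + IEEE_802.to_bytes(3, "big"))
        + attr(TUNNEL_PGID, b"230"))

print(check_vlan_reply(VSA_ONLY), check_vlan_reply(IETF), sep="\n")
```

The first sample mirrors the reply seen in the Access Tracker (a vendor-specific attribute only), which yields no IETF VLAN; the second carries all three tunnel attributes.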