
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

First ClearPass installation: problems with wired mac authentication

  • 1.  First ClearPass installation: problems with wired mac authentication

    Posted Feb 04, 2019 11:20 AM

    Dear community,


    today I made my first experience with Aruba Clearpass.

    At first I would like to use a simple wired mac authentication configuration.


    If an endpoint has a special attribute, e.g. "VOIP" he will receive a special VLAN and the session will be authenticated on the switch port.


    I already created the roles, role mappings, profiles and a policy.




    In the access tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"



    But on the switch we do not see the correct VLAN. Only the following:


    switch-stack-3# sh port-access 1/11 mac-based clients detailed

    Port Access MAC-Based Client Status Detailed

    Client Base Details :
    Port : 1/11
    Client Status : authenticated Session Time : 6 seconds
    MAC Address : 805ec0-1b84d3 Session Timeout : 0 seconds
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 1 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 100FDx Auth Mode : User-based
    RADIUS ACL List : No Radius ACL List

    Auth Order : Not Set
    Auth Priority : Not Set
    LMA Fallback : Disabled


    The switch configuration looks like this:


    switch-stack-3# sh run | inc radius
    radius-server host 172.X.X.X key "secret"
    radius-server host 172.X.X.X dyn-authorization
    radius-server host 172.X.X.X time-window 600
    aaa authentication port-access eap-radius


    interface 1/11
    untagged vlan 1
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    aaa port-access mac-based addr-moves
    aaa port-access mac-based unauth-vid 999


    Has anybody an idea what could be wrong?


    Thanks and best regards


  • 2.  RE: First ClearPass installation: problems with wired mac authentication
    Best Answer

    Posted Feb 05, 2019 10:37 AM

    Hi Alex


    Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.


    Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.


    There is an excellent document that details a lot of this stuff here:

  • 3.  RE: First ClearPass installation: problems with wired mac authentication

    Posted Feb 05, 2019 10:45 AM

    Hi Dave!


    Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)


    After I switched to RADIUS:IETF everything worked properly.


    The PDF is very nice! Thanks a lot!


    Best Regards.
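
The attribute change described in the best answer, as an added example that is not part of the original thread: a Python check that parses the attribute section of a RADIUS reply and reports the VLAN carried by the IETF tunnel attributes. The sample replies are constructed, the function names are this example's own, requiring all three attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) follows RFC 3580 as an assumption, and the Aruba VSA layout (vendor 14823, attribute 2) is taken from the public Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823          # Aruba's IANA enterprise number
TUNNEL_TYPE, TUNNEL_MEDIUM, VENDOR_SPECIFIC, TUNNEL_PGID = 64, 65, 26, 81
TT_VLAN, TMT_IEEE_802 = 13, 6    # RFC 3580 values for VLAN assignment

def parse_attributes(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        attrs.append((a_type, blob[i + 2:i + a_len]))
        i += a_len
    return attrs

def ietf_vlan(blob):
    """Return the VLAN ID carried by the IETF tunnel attributes, or None."""
    found = {}
    for a_type, value in parse_attributes(blob):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            # 1-byte tag followed by a 3-byte value (RFC 2868)
            found[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PGID and value:
            # A first byte <= 0x1F is a tag; otherwise it belongs to the string
            text = value[1:] if value[0] <= 0x1F else value
            found[a_type] = text.decode("ascii", "replace")
    if found.get(TUNNEL_TYPE) != TT_VLAN or found.get(TUNNEL_MEDIUM) != TMT_IEEE_802:
        return None
    pgid = found.get(TUNNEL_PGID, "")
    return int(pgid) if pgid.isdigit() else None

def attr(a_type, value):
    """Helper (this example's own) that encodes one attribute as type/length/value."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed replies: Aruba VSA only (as in the question) vs. IETF attributes
VSA_ONLY = attr(VENDOR_SPECIFIC, struct.pack("!IBBI", ARUBA_VENDOR_ID, 2, 6, 230))
IETF_REPLY = (attr(TUNNEL_TYPE, b"\x00" + TT_VLAN.to_bytes(3, "big"))
              + attr(TUNNEL_MEDIUM, b"\x00" + TMT_IEEE_802.to_bytes(3, "big"))
              + attr(TUNNEL_PGID, b"230"))

if __name__ == "__main__":
    print("VSA-only:", ietf_vlan(VSA_ONLY), "| IETF:", ietf_vlan(IETF_REPLY))
```

A `None` result for a reply that the access tracker shows as accepted points at the enforcement profile's attribute choice rather than at the authentication itself.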