Network Management

last person joined: an hour ago 

Keep an informative eye on your network with IMC and Airwave network management solutions.
Expand all | Collapse all

Added our 2930F Series switches to Airwave.

Jump to Best Answer
  • 1.  Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 02:58 AM

    But for some reason they don't show any connected clients in Airwave.

     

    My Airwave is currently set in Monitor-Only mode. Switches connected via SNMP v2 (don't think they support v3 yet)

     

    But if I look into my switches they also don't show me any clients connected. Am I missing something?

     

    Traffic shows up, just no clients...



  • 2.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:09 AM

    What version of software are the switches running? What version of Airwave? 

    Try a manual "poll now", you can also try deleting the device and re-adding it, I've had Airwave get funky sometimes when adding devices.

    As a side note, the 2930F should support snmpv3 (although it shouldn't make a difference in this case)


     

     



  • 3.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:25 AM

    Heh so apparently they're not F-series but M-series...

    According to the data that Airwave's picking up;

     

    Aruba 2930M-48G-PoE+

    Firmware WC.16.07.0003 (ROM: WC.17.02.0006)

     

    Airwave is on the latest version 8.2.10.0

     

    Don't know if it matters but we're managing everything with Clearpass.

     

    But I think the issue is located at the switches themselves, when I look at them via the webgui, Security > Clients

    it's just saying

     

    "

    No Clients Connected
    Additional client information available when one or more clients are connected
    "


  • 4.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:47 AM

    Are you using user-roles? If so, does "show port-access clients" show anything?

    If not using user-roles, you can do show port-access <authenticator> or <mac-based>

    The other thing to check is if you have "ip client-tracker trusted" enabled in the config


    That hardware definetely supports snmpv3 (Again, shouldn't matter, just more of a FYI)
    snmpv3 enable

    snmpv3 user <username> auth <type> <password> priv <type> <password>
    snmpv3 group managerpriv user <username> sec-model ver3

     



  • 5.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:58 AM

    Are you using user-roles? No, I don't see any user-roles configured.

     

    If not using user-roles, you can do show port-access <authenticator> or <mac-based>

    We don't do mac-based auth on switch level, so I guess I'll need this <authenticator>-thing though I have no clue what that should be... 

     

    EDIT: hmm looks to me no authenticator is configured...

    show port-access authenticator

    gives me the following;

     

    Port-access authenticator activated [No] : No
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
    Use LLDP data to authenticate [No] : No

     

    The other thing to check is if you have "ip client-tracker trusted" enabled in the config

    It's there in the config alright, is ip client-tracker trusted enough? We also have ip client-tracker probe-delay 270 but that seems rather harmless of a setting...



  • 6.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:21 AM

    I may be wrong(if so someone please correct me), but I thought clients would only show up if they get authenticated via port-access (either with user-roles, dot1x or mac auth)

    What does show port-access summary show?

    As a comparison, mine looks like this

    port-access.PNG





  • 7.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:25 AM

    none.png

     

    Hmm so we need to setup port-access auth if we want to see some IP's showing up here... I think we only have VLANS configured in the switches and manage the rest of it via Clearpass. Though I hardly think there's any managing going on atm...



  • 8.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:35 AM

    That's showing that there isn't any authentication taking place on any of the ports. Is that intentional? You said these are managed by clearpass, so I would assume you want them doing RADIUS?

    I thought that the client list (in both airwave and the web GUI) would be empty unless some form of authentication took place. (I don't have any documentation to back that up, that's just what I've noticed and thought)



  • 9.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:47 AM

    Intentional? No idea, I can't see why we wouldn't want this. We hire consultants to come and configure this for us...

     

    show authentication gives me this;

     

    auth.png

     

    Your reaction leads me to believe that our switches are only configured for 1/3 or so... *sigh*



  • 10.  RE: Added our 2930F Series switches to Airwave.
    Best Answer

    Posted Dec 10, 2019 12:09 PM

    If you have clearpass, and you want it to authenticate the devices plugging in, then these are not configured fully.

    The first step is to make sure that clearpass is defined

     

    "show radius"

     

    that should show your Clearpass server IP(s)

    If they are in there, you should be able to run this command against a specific interface to turn on MAC Authentication

    aaa port-access mac-based <interface>

     

    Then if you plug a device in, it should show up in Clearpass, and hopefully, the client list.

    There's a great document on getting all that set up here

    *I did test with one of my switches, and a client doesn't show up in the security>clients list unless it did authentication - running version 16.08.0003*



  • 11.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 11, 2019 11:29 AM

    had a talk with my colleague about this, apparently this setup is intentional and indeed as long as we don't setup NAC we won't be able to identify clients... So this ends up on our todo-list... 2020?

     

    Thanks again for the info.