But for some reason they don't show any connected clients in Airwave.
My Airwave is currently set in Monitor-Only mode. Switches connected via SNMP v2 (don't think they support v3 yet)
But if I look into my switches they also don't show me any clients connected. Am I missing something?
Traffic shows up, just no clients...
What version of software are the switches running? What version of Airwave? Try a manual "poll now", you can also try deleting the device and re-adding it, I've had Airwave get funky sometimes when adding devices.
As a side note, the 2930F should support snmpv3 (although it shouldn't make a difference in this case)
Heh so apparently they're not F-series but M-series... According to the data that Airwave's picking up;
Firmware WC.16.07.0003 (ROM: WC.17.02.0006)
Airwave is on the latest version 184.108.40.206
Don't know if it matters but we're managing everything with Clearpass.
But I think the issue is located at the switches themselves, when I look at them via the webgui, Security > Clients
it's just saying
Are you using user-roles? If so, does "show port-access clients" show anything?
If not using user-roles, you can do show port-access <authenticator> or <mac-based>
The other thing to check is if you have "ip client-tracker trusted" enabled in the config
That hardware definitely supports snmpv3 (Again, shouldn't matter, just more of a FYI)
snmpv3 enable
snmpv3 user <username> auth <type> <password> priv <type> <password>
snmpv3 group managerpriv user <username> sec-model ver3
Are you using user-roles? No, I don't see any user-roles configured.
If not using user-roles, you can do show port-access <authenticator> or <mac-based>
We don't do mac-based auth on switch level, so I guess I'll need this <authenticator>-thing though I have no clue what that should be...
EDIT: hmm looks to me no authenticator is configured...
show port-access authenticator
gives me the following;
Port-access authenticator activated [No] : No
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No
The other thing to check is if you have "ip client-tracker trusted" enabled in the config
It's there in the config alright, is ip client-tracker trusted enough? We also have ip client-tracker probe-delay 270 but that seems rather harmless of a setting...
I may be wrong (if so someone please correct me), but I thought clients would only show up if they get authenticated via port-access (either with user-roles, dot1x or mac auth)
What does show port-access summary show?
As a comparison, mine looks like this
Hmm so we need to set up port-access auth if we want to see some IPs showing up here... I think we only have VLANs configured in the switches and manage the rest of it via Clearpass. Though I hardly think there's any managing going on atm...
That's showing that there isn't any authentication taking place on any of the ports. Is that intentional? You said these are managed by clearpass, so I would assume you want them doing RADIUS?
I thought that the client list (in both airwave and the web GUI) would be empty unless some form of authentication took place. (I don't have any documentation to back that up, that's just what I've noticed and thought)
Intentional? No idea, I can't see why we wouldn't want this. We hire consultants to come and configure this for us...
show authentication gives me this;
Your reaction leads me to believe that our switches are only configured for 1/3 or so... *sigh*
If you have clearpass, and you want it to authenticate the devices plugging in, then these are not configured fully.
The first step is to make sure that clearpass is defined
that should show your Clearpass server IP(s)
If they are in there, you should be able to run this command against a specific interface to turn on MAC Authentication
aaa port-access mac-based <interface>
Then if you plug a device in, it should show up in Clearpass, and hopefully, the client list.
There's a great document on getting all that set up here
*I did test with one of my switches, and a client doesn't show up in the security>clients list unless it did authentication - running version 16.08.0003*
Had a talk with my colleague about this, apparently this setup is intentional and indeed as long as we don't set up NAC we won't be able to identify clients... So this ends up on our todo-list... 2020?
Thanks again for the info.