I'm trying to get dynamic VLANs working between Juniper EX switches and ClearPass. Everything seems to work except for the VLAN assignment.
I get this on the Juniper log:
Apr 12 11:24:11.229779 Received invalid tunnel type 16777229 from authentication server
while on the ClearPass I certainly have type 13 (VLAN) configured for Tunnel-Type (64).
After doing a packet capture it seems the issue lies with the Juniper; the correct info is sent by the ClearPass:
Tunnel-Private-Group-Id(81) the VLAN name (or ID, I tried both)
and two things the ClearPass adds:
Session-Timeout 10800
Termination-Action RADIUS-Request (1)
Does anyone have dynamic VLANs working with the ClearPass, especially with switches from different vendors (Cisco, Juniper, ...)?
I tried to troubleshoot this with Juniper support, but nothing wrong seemed to be found.
I tried with Microsoft IAS instead of ClearPass and then it works ...
I checked the packet captures and they seem to be identical, except that IAS sends the data with RADIUS tag 0x00 and ClearPass does it with tag 0x01.
AVP: l=6 t=Tunnel-Type(64) Tag=0x00: VLAN(13)
AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)
AVP: l=4 t=Tunnel-Private-Group-Id(81): 21
AVP: l=6 t=Tunnel-Type(64) Tag=0x01: VLAN(13)
AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x01: IEEE-802(6)
AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
Anyone know if I can get the ClearPass to use tag 0x00?
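The switch log value above is revealing: 16777229 is 0x0100000D, which is the tag byte 0x01 followed by the 3-byte value 13 (VLAN), read as one 4-byte integer. RFC 2868 defines the tunnel attributes as "tagged": Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte value, and Tunnel-Private-Group-Id carries an optional leading tag byte (only if that byte is 0x00..0x1F). The following Python is an added example, not code from the original thread, ClearPass or Junos; it encodes the two attribute sets shown in the captures (tag 0x00 as IAS sends it, tag 0x01 as ClearPass sends it), then decodes them once correctly per RFC 2868 and once with a "naive" decoder that folds the tag into the number. The naive path is my model of what the log line suggests the switch is doing; it is an assumption drawn from the value 16777229, not documented Junos behaviour. The sample AVP bytes are constructed inline.

```python
# RADIUS attribute numbers and values used in the thread (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer AVP: type, length=6, 1-byte tag, 3-byte big-endian value (RFC 2868 s.3.1)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP. Tag 0 means 'untagged': no tag byte is emitted (matches l=4 for '21')."""
    payload = text.encode("ascii")
    if tag:
        payload = bytes([tag]) + payload
    return bytes([attr_type, 2 + len(payload)]) + payload


def parse_avps(blob):
    """Split a run of type/length/value attributes into (type, value-bytes) pairs."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length")
        avps.append((t, blob[i + 2 : i + length]))
        i += length
    return avps


def split_tag(value, is_integer):
    """RFC 2868 tag handling: integer attrs always carry a tag byte; string attrs
    carry one only when the first byte is <= 0x1F, otherwise the whole field is the string."""
    if is_integer:
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def pick_vlan(blob, tag_aware=True):
    """Return the VLAN name/ID a NAS should apply from the tunnel attributes in `blob`.
    tag_aware=False models a decoder that treats the whole 4-byte field as the integer
    (assumption: this is what produces 'invalid tunnel type 16777229' in the switch log)."""
    groups = {}  # tag -> {attr_type: decoded value}; RFC 2868 groups attrs by tag
    for t, v in parse_avps(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, val = split_tag(v, True) if tag_aware else (0, int.from_bytes(v, "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = split_tag(v, False) if tag_aware else (0, v.decode("ascii"))
        else:
            continue  # Session-Timeout, Termination-Action etc. are irrelevant here
        groups.setdefault(tag, {})[t] = val
    for tag, attrs in sorted(groups.items()):
        ttype = attrs.get(TUNNEL_TYPE)
        if ttype != TUNNEL_TYPE_VLAN:
            raise ValueError(f"Received invalid tunnel type {ttype} from authentication server")
        if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            raise ValueError("Received invalid tunnel medium type from authentication server")
        return attrs[TUNNEL_PRIVATE_GROUP_ID]
    raise ValueError("no tunnel attributes in Access-Accept")


def nas_result(blob, tag_aware=True):
    """Helper for comparison: 'vlan <x>' on success, 'error: <msg>' otherwise."""
    try:
        return "vlan " + pick_vlan(blob, tag_aware)
    except ValueError as e:
        return "error: " + str(e)


# Constructed samples mirroring the two captures in the post.
IAS_STYLE = (encode_tagged_int(TUNNEL_TYPE, 0x00, TUNNEL_TYPE_VLAN)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0x00, TUNNEL_MEDIUM_IEEE_802)
             + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0x00, "21"))
CLEARPASS_STYLE = (encode_tagged_int(TUNNEL_TYPE, 0x01, TUNNEL_TYPE_VLAN)
                   + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0x01, TUNNEL_MEDIUM_IEEE_802)
                   + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0x01, "20"))

if __name__ == "__main__":
    for name, blob in (("IAS tag 0x00", IAS_STYLE), ("ClearPass tag 0x01", CLEARPASS_STYLE)):
        print(f"{name}: RFC2868 -> {nas_result(blob)}; naive -> {nas_result(blob, False)}")
```

Run it and the tag 0x00 set decodes to VLAN 21 either way, while the tag 0x01 set decodes to VLAN 20 under RFC 2868 but to "invalid tunnel type 16777229" under the naive decoder, which is exactly the number in the Junos log. That is why forcing the tag to 0 on the server side works around the problem without changing the VLAN data itself.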
By default ClearPass sets the value of the tag to 0x1, as indicated by the packet capture. The steps to send tag 0x0 from ClearPass are:
1) Navigate to Administration » Dictionaries » RADIUS screen.
2) Search for the Avenda RADIUS dictionary and click on the entry. In the RADIUS Attributes popup, click on Enable to enable the dictionary.
3) Edit the enforcement profile and add the attribute
Radius:Avenda Avenda-Tag-Id 0
Thank you very much (and also Aruba support), this does indeed do the trick and the Juniper EX switch accepts this.
ClearPass is a very flexible product.
I have the same issue with Juniper EX switch dynamic VLAN assignment with ClearPass.
As the posture status is unhealthy it should assign the Quarantine VLAN. On the switch side the port is dynamically changing its VLAN membership, but on the endpoint side the IP address from the quarantine VLAN is only assigned after doing an IPCONFIG release and renew. Are there any additional settings needed to change from the healthy VLAN to the Quarantine VLAN dynamically?
It sounds like the endpoint failed to obtain an IP address (did not recognize the VLAN change) from the quarantine VLAN.
You can try "agent bounce" instead of RADIUS disconnect (CoA) in the WebAuth service when an active client needs to be moved from the healthy VLAN to the quarantine VLAN (or just use the "agent bounce" enforcement only when the client health token is Quarantine).
Agent bounce will force the client to obtain (renew) its IP from the Quarantine VLAN.
I tried adding Avenda-Tag-Id and it is working. The Juniper switch dynamically assigns the VLANs based on the conditions, but the problem is that the IP address is being assigned to the endpoint but not the gateway address.
This is happening when we enable the posture conditions in the dot1x service.
Also, it is taking a very long time to sign out from the machine, and we are using Windows 10. I am using the persistent OnGuard agent.