Erik, would recommend working with Aruba TAC. From a distance, config looks good. I don't see an indication of capacity issues, if the system is not really loaded.
Service categorization should just work with these 4 rules, as these seem independent from the exact ClearPass server.
Could it be that the switch takes a different route, so has a different source IP to the secondary ClearPass server?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: May 12, 2021 01:51 PM
From: Erik Eckhardt
Subject: Clearpass subscriber service categorisation failure
Hi Herman,
No difference between pub and sub access tracker record details.
Standard MAC Auth service selection criteria with a switch group added to differentiate between 2 different types of Cisco switches. The 4500 chassis used in one of the locations did not accept downloadable access lists.
------------------------------
Erik Eckhardt
ACMX #1245, ACDX #968, ACCP, ACSP
Original Message:
Sent: May 12, 2021 11:25 AM
From: Herman Robers
Subject: Clearpass subscriber service categorisation failure
Do you see something in that non-matched service Access Tracker entry?
What are your Service Classification rules? You can create Service Classification based on the destination (i.e. ClearPass) IP, in which case the match works on one of your servers; that may be the case.
Or could the NAD have different NAS-Identifiers or similar for each of the servers, making the match fail?
------------------------------
Herman Robers
------------------------
Original Message:
Sent: May 11, 2021 02:54 PM
From: Erik Eckhardt
Subject: Clearpass subscriber service categorisation failure
Hi,
Does anyone have an explanation for the behaviour below? .10 is publisher, .11 is subscriber. Why would a subscriber not be able to do service categorization while the publisher can? Service configuration is exactly the same. Note that the subscriber is the primary RADIUS server on the switch (Cisco 3850). Both Clearpass nodes are C3010 Hardware Appliances running 6.9.5.
Second issue: laptops are no longer profiled as Computer, Windows but all as Category Generic with the MAC Vendor as OSFamily. I can't tell if it's a bug in Clearpass or in Windows. Both Clearpass nodes added on all L3 interfaces. This is a school system affecting about 10 different schools in multiple systems. School opened after COVID lockdown eased. Tests after upgrade to 6.9.5 all passed but this was a month ago. These are newly profiled laptops of 1 specific type as far as we can tell but there are multiple MAC vendors in play.
Thanks,
Erik
Edit to add: No spikes in CPU or RAM usage reported on both nodes. A huge spike in requests mainly caused by the mentioned issues, so that's explainable. Average of about 4000 licenses used out of 25K available.
------------------------------
Erik Eckhardt
ACMX #1245, ACDX #968, ACCP, ACSP
------------------------------