Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass subscriber service categorisation failure

  • 1.  Clearpass subscriber service categorisation failure

    Posted May 11, 2021 02:54 PM
    Hi,

    Does anyone have an explanation for the behaviour below? .10 is the publisher, .11 is the subscriber. Why would a subscriber not be able to do service categorization while the publisher can? Service configuration is exactly the same. Note that the subscriber is the primary RADIUS server on the switch (Cisco 3850). Both Clearpass nodes are C3010 Hardware Appliances running 6.9.5.

    Second issue: laptops are no longer profiled as Computer, Windows but all as Category Generic with the MAC Vendor as OSFamily. I can't tell if it's a bug in Clearpass or in Windows. Both Clearpass nodes are added on all L3 interfaces. This is a school system affecting about 10 different schools in multiple systems. School opened after the COVID lockdown eased. Tests after the upgrade to 6.9.5 all passed, but this was a month ago. These are newly profiled laptops of 1 specific type as far as we can tell, but there are multiple MAC vendors in play.

    thanks,
    Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------


  • 2.  RE: Clearpass subscriber service categorisation failure

    EMPLOYEE
    Posted May 12, 2021 11:25 AM
    Do you see something in that non-matched service Access Tracker entry?
    What are your Service Classification rules? You can create Service Classification based on the destination (i.e. ClearPass) IP, in which case the match works on only one of your servers; that may be the case.
    Or could the NAD have different NAS-Identifiers or similar for each of the servers, making the match fail?


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
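Herman's point about server-specific classification rules, as an added example that is not part of this thread or of ClearPass's own code: a toy evaluator of ClearPass-style classification conditions (attribute names, operators, the device group and all addresses are assumptions modelled on the Connection and Radius namespaces) that runs the same MAC-auth request through a rule pinned to the receiving server's IP and through one keyed to the NAD's switch group, so the publisher/subscriber difference shows up in the result.

```python
# Toy model of ClearPass-style service classification (added example, not
# ClearPass code). Attribute names, operators and addresses are assumptions.
PUBLISHER, SUBSCRIBER = "10.0.0.10", "10.0.0.11"     # constructed: .10 pub, .11 sub
SWITCH_GROUP = {"10.1.1.1", "10.1.1.2"}              # hypothetical Cisco 3850 device group

def evaluate(rule, attrs):
    """Evaluate one (attribute, operator, value) condition against request attributes."""
    attr, op, value = rule
    actual = attrs.get(attr)
    if op == "EQUALS":
        return actual == value
    if op == "NOT_EQUALS":
        return actual != value
    if op == "BELONGS_TO_GROUP":
        return actual in value
    if op == "EXISTS":
        return actual is not None
    raise ValueError(f"unsupported operator {op}")

def classify(services, attrs):
    """Return the first service whose conditions all hold (ordered, AND semantics)."""
    for name, rules in services:
        if all(evaluate(r, attrs) for r in rules):
            return name
    return None   # what Access Tracker reports as a service categorization failure

def mac_auth_request(nad_ip, dest_ip):
    """Constructed attribute set for a MAC-auth request from a NAD to one server."""
    return {
        "Connection:Protocol": "RADIUS",
        "Radius:IETF:Service-Type": "Call-Check",
        "Connection:NAD-IP-Address": nad_ip,      # the switch that sent the request
        "Connection:Dest-IP-Address": dest_ip,    # the ClearPass node that received it
    }

COMMON = [("Connection:Protocol", "EQUALS", "RADIUS"),
          ("Radius:IETF:Service-Type", "EQUALS", "Call-Check")]
# Rule pinned to the server's own address: only the publisher can ever match.
PINNED = [("MAC Auth (pinned)",
           COMMON + [("Connection:Dest-IP-Address", "EQUALS", PUBLISHER)])]
# Same service keyed to the NAD / switch group: identical result on every node.
PORTABLE = [("MAC Auth (switch group)",
             COMMON + [("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", SWITCH_GROUP)])]

def compare(services, nad_ip="10.1.1.1"):
    """Classify the same request as seen by the publisher and by the subscriber."""
    return {srv: classify(services, mac_auth_request(nad_ip, srv))
            for srv in (PUBLISHER, SUBSCRIBER)}
```

Calling compare(PINNED) returns a match for the publisher and None for the subscriber, while compare(PORTABLE) matches on both; changing nad_ip to an address outside SWITCH_GROUP reproduces a failure on both nodes, which is the pattern to look for in the non-matched Access Tracker entry.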



  • 3.  RE: Clearpass subscriber service categorisation failure

    Posted May 12, 2021 01:52 PM
    Hi Herman,

    No difference between pub and sub Access Tracker record details.

    Standard MAC Auth service selection criteria with a switch group added to differentiate between 2 different types of Cisco switches. The 4500 chassis used in one of the locations did not accept downloadable access lists.
    Here is the fun part. After removing the category=computer from the enforcement policy rule so enforcement is just done on guest device role, the endpoint is properly profiled as computer and there is no issue with service categorisation by the subscriber anymore. 


    Could this be a capacity issue? The system is not even on full load. Currently less than 10K concurrent authentications, and this system should be designed for 25K concurrent authentications. I noticed some other threads mentioning profiling takes longer than 5 minutes in 6.9.5.

    I have upped the session timeout on the profiling vlan enforcement to 450 seconds to test this theory.

    Would adding a dedicated Publisher, not handling any authentications help? Could this dedicated Publisher be a C1000 h/w appliance or a Publisher run in Azure? This customer has no hypervisor on prem.

    thanks
    Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------



  • 4.  RE: Clearpass subscriber service categorisation failure

    EMPLOYEE
    Posted May 17, 2021 05:16 AM
    Erik, would recommend working with Aruba TAC. From a distance, config looks good. I don't see an indication of capacity issues, if the system is not really loaded.

    Service categorization should just work with these 4 rules, as these seem independent from the exact ClearPass server.

    Could it be that the switch takes a different route, and so has a different source IP to the secondary ClearPass server?

    ------------------------------
    Herman Robers
    ------------------------------