Wireless Access

  • 1.  Activate RAP whitelist issues

    Posted Jun 19, 2020 11:13 PM

    Using 8.6.0.4, with a 2 node 7240XM cluster, and trying to bring up an AP-303H as a RAP, using Activate for ZTP.

    When syncing the activate whitelist to the MM, I get *every* AP from activate in the list, and they all get assigned an inner IP from the cluster rap pool. I'm not comfortable with my campus APs being in my RAP whitelist.

    Next I set up external whitelisting in Clearpass, and I only get the devices that are in the specific folder that I'm testing with.  But, they don't get an inner IP.

    I've seen some 8.0.1 docs that say external whitelisting can't be used for clusters, but a lot of other stuff has changed since then.

    I think I'm down to either manual whitelisting on the MM, or assigning the IP in Clearpass.

    Anyone see something I missed?

    Andrew



  • 2.  RE: Activate RAP whitelist issues



  • 3.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 12:23 PM

    Hi cjoseph,

    I used that step by step to set up Clearpass, actually. Once I set up L3 auth to use Clearpass it worked fine, and I can see the RAPs authenticating in Access Tracker.

    The only problem is they don’t get an IP from the rap pool on the mobility master. The “controller cluster rap pool” defined in the MM root does not appear in the MD roles either.

    Andrew


  • 4.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 12:31 PM

    You can try setting it up in the folder with the MD.  Please see the guide here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00097853en_us



  • 5.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 12:52 PM

    Worth a try maybe, but the docs explicitly say to do it at the MM level if using clustered controllers. I assume because you wouldn’t get failover otherwise.

    The RAP does get an IP if the whitelist is on the MM. It’s just that having hundreds of CAPs from activate show up on the controller RAP whitelist that makes my spidey sense tingle.

    Maybe this is just an enhancement request. Clearpass can filter to a single folder; activate sync from the controller can’t.

    Actually, I just noticed something interesting. This is a new install of 8.6, with a few dozen APs already running. None of those APs are in activate. I wonder if an AP will drop out of the RAP whitelist once it’s provisioned as a CAP? I’ll get my SE to add a couple of those to activate and report back.

    Andrew


  • 6.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 02:02 PM

    I am trying to understand your concerns by re-reading your previous post.

    If you do the pool at the MM level and it works, good.

    "It’s just that having hundreds of CAPs from activate show up on the controller RAP whitelist that makes my spidey sense tingle." - One of the videos tells you how to only synchronize MAC addresses in ClearPass to a specific folder in Activate so that does not happen.

    I don't think the MM can synchronize a specific folder in Activate, so don't use that.

    Please open a TAC case or even ask your SE to get the rest sorted out. It would be much easier to explain it to them.


  • 7.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 02:48 PM

    Sorry, I do tend to think out loud. Here’s the summarized version.

    Syncing the mobility master with activate results in a very large RAP whitelist. The solution, as you point out, is to use Clearpass as an external whitelist, because it can be restricted to the desired subset of devices in activate.

    That isn’t working for me. The RAP does not get an inner IP from the mm cluster-rap-pool when connecting to a clustered controller if an external whitelist is used.

    Andrew


  • 8.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 02:53 PM

    Got it. Let me check on that.



  • 9.  RE: Activate RAP whitelist issues

    Posted Jun 20, 2020 03:47 PM

    On a side note, I just went over to innovate.arrubanetworks.com and filtering the whitelist on the cluster is already there as an idea.

    Tell all your friends. Vote early, vote often.