Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

adding device to clearpass

  • 1.  adding device to clearpass

    Posted Aug 21, 2024 12:59 PM

    I am new to ClearPass and am trying to add a Cisco switch and the other PCs attached to the switch.

    I have added the RADIUS configuration below to the switch (the switch can ping ClearPass and vice versa):

    aaa new-model
    !
    !
    aaa authentication dot1x default group radius
    aaa authorization exec default local group radius 
    aaa authorization network default group radius 
    aaa accounting dot1x default start-stop group radius
     
    !
    aaa server radius dynamic-author
     client 10.20.20.254 server-key 123
     port 3799
     auth-type all
    !
    !
     dot1x system-auth-control
    !
    !
     interface eth 0/0   ( connected to PC)
     switchport mode access
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     dot1x pae authenticator
     !
    !
     snmp-server community CPPM RO
    !
    !
    radius server CPPM
     address ipv4 10.20.20.254 auth-port 1645 acct-port 1646
     key 123
     
    When I add the device IP in ClearPass, it does not show any devices in Endpoints or Access Tracker. I also added a wired service.
    What is the configuration needed between the Cisco switch interface and ClearPass?
    In other words, ClearPass does not react at all to the connected devices.
     


  • 2.  RE: adding device to clearpass

    Posted Aug 21, 2024 01:29 PM

    Hi

    If you check the Event log, do you get error messages about an unknown device trying to authenticate?

    Before the switch can communicate with ClearPass, you need to allow it under Configuration \ Network \ Devices. Add the switch IP or the subnet, specify Vendor as Cisco, and provide the same shared secret as in the switch; in your configuration above, that is 123. Consider making the shared secret a bit longer.

    You can find the documentation on how to implement Wired enforcement in this document:
    ClearPass Solution Guide Wired Policy Enforcement

    This will describe both the ClearPass configuration and the switch configuration.

    From page 128 you have the Cisco switch configuration.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
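
Added example (not part of either post, and not HPE or Cisco code): a small audit of the switch-side RADIUS and CoA shared secrets that the reply asks to be mirrored in the ClearPass device entry and made longer. The function names are hypothetical, the 16-character floor follows the length RFC 2865 prefers, and the mismatch check assumes the server uses one secret per device for both RADIUS and CoA.

```python
import re

MIN_SECRET_LEN = 16  # RFC 2865 prefers a shared secret of at least 16 octets

# Constructed sample: RADIUS lines from the switch config in post 1, re-indented.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 10.20.20.254 server-key 123
 port 3799
!
radius server CPPM
 address ipv4 10.20.20.254 auth-port 1645 acct-port 1646
 key 123
"""

def stanzas(config):
    """Group indented IOS lines under their unindented header line."""
    out, header = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw[0].isspace():
            header = raw.strip()
            out[header] = []
        elif header is not None:
            out[header].append(raw.strip())
    return out

def audit_radius_secrets(config):
    """Return findings about cleartext RADIUS/CoA shared secrets in the config."""
    coa, auth, findings = {}, {}, []
    for header, body in stanzas(config).items():
        text = "\n".join(body)
        if header == "aaa server radius dynamic-author":
            # Cleartext keys only; "server-key 7 ..." (obfuscated) is skipped.
            coa.update(re.findall(r"^client (\S+) server-key (?:0 )?(\S+)$", text, re.M))
        elif header.startswith("radius server "):
            ip = re.search(r"^address ipv4 (\S+)", text, re.M)
            key = re.search(r"^key (?:0 )?(\S+)$", text, re.M)
            if ip and key:
                auth[ip.group(1)] = key.group(1)
    for role, keys in (("CoA", coa), ("RADIUS", auth)):
        for ip, key in sorted(keys.items()):
            if len(key) < MIN_SECRET_LEN:
                findings.append(f"{role} secret for {ip}: {len(key)} chars, want >= {MIN_SECRET_LEN}")
    # Assumption: the server uses one secret per device for both RADIUS and CoA.
    for ip in sorted(coa.keys() & auth.keys()):
        if coa[ip] != auth[ip]:
            findings.append(f"CoA and RADIUS secrets for {ip} differ")
    return findings
```

Calling `audit_radius_secrets()` on the text of a saved running-config returns one finding per weak or inconsistent secret, and an empty list when nothing is flagged.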