Hi,
Quick summary of the setup:
* Aruba Central managed with switches and access points.
* Aruba 3810M core switch connected to the ISP router, which is connected to our company's data centre. (Everything on the WAN side is working.)
* Aruba 2530 access switches
* Aruba AP505
* AP is added and is using the Virtual Controller.
* ClearPass is installed and working, but I have not applied 802.1X and MAC auth to all switches. This is because we have not migrated everything over and are doing things in steps to keep the old and new setup running in parallel.
* This is a Network-as-a-Service solution and is supposed to be simple and scalable, easy to add and remove devices.
The issue I have at the moment:
1. Activated MAC-auth and 802.1X on 1 switch for all ports except uplinks.
2. Connected an Aruba 505 AP to a switchport
3. The switch (NAD) sends a RADIUS request to ClearPass. The NAD is added as a network device, so that is OK.
4. ClearPass classifies it as a role I named Aruba_AP and returns untagged VLAN and several Tagged VLANs (HPE-Egress-VLAN-ID) and looks like this:
5. The switch sets VLAN1 untagged and tags the other VLANs correctly for the switch port.
6. The SSID is set up with WPA/PSK (their old setup) and is set to Static VLAN 30.
7. The device that connects with the correct password gets VLAN30 but no IP address.
8. ClearPass also picks up every device that is trying to connect with MAC auth and is allowing the connection and returning VLAN30 as the value.
Q: How can I prevent every user from trying to MAC Auth to ClearPass after successfully authenticating with the password?
Q: Why is it not receiving an IP from the DHCP server after successfully connecting to an SSID with a static VLAN when the switch port is tagged correctly?
NB! This works with an SSID that uses ClearPass for authentication when connecting with a valid certificate and EAP-TLS as the auth method and is returned VLAN10; VLAN30 also works, and dynamic VLAN assignment is added. Not for PSK and static. I also tried PSK and dynamic.
------
However, it works without MAC auth and 802.1X, and the setup is like this:
1. Aruba AP is connected to the switch.
2. The switch has "Device Profile" activated and sets the untagged and tagged VLAN values on the switch port when it knows an AP is connected.
3. Users connect to the same SSID with the same PW.
4. Static VLAN 30 is returned to the user.
5. The user receives an IP address and voila.
Q: Why is this working and not the other solution involving ClearPass, when it returns the same VLANs?
---
Another issue that has been noticed is that Aruba switches have had problems receiving IP addresses on a port to the ISP.
DHCP relay is added on the ISP router, but it was not working on a trunk port until it was moved to another L3 port.
Does DHCP relay need to be added on a per-switch basis even if the switch is directly connected to the router?
---
Does anyone have a similar setup and has experienced these issues?
------------------------------
Rikard Berg
------------------------------
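An added example (not part of the post above, nor Aruba or ClearPass code) for checking step 4 of the failing setup: it encodes and decodes the VLAN values a RADIUS server returns for a switch port and flags an inconsistent set (no untagged VLAN, several untagged VLANs, or a VLAN both tagged and untagged). It assumes HPE-Egress-VLAN-ID uses the RFC 4675 Egress-VLANID layout, with 0x31 (tagged) or 0x32 (untagged) in the top octet and the VLAN ID in the low 12 bits; the sample attribute values are constructed.

```python
# Assumption: HPE-Egress-VLAN-ID follows the RFC 4675 Egress-VLANID layout.
# Top octet 0x31 = tagged, 0x32 = untagged; 12 zero padding bits; low 12 bits = VLAN ID.
TAGGED, UNTAGGED = 0x31, 0x32


def encode_egress_vlan(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit attribute value for one VLAN (e.g. tagged 30 -> 0x3100001E)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlan(value) -> tuple[int, bool]:
    """Return (vlan_id, tagged) from an int or a hex/decimal string such as '0x3100001E'."""
    if isinstance(value, str):
        value = int(value, 0)
    tag_byte = (value >> 24) & 0xFF
    if tag_byte not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indicator 0x{tag_byte:02x} in 0x{value:08x}")
    if (value >> 12) & 0xFFF:
        raise ValueError(f"non-zero padding bits in 0x{value:08x}")
    vlan_id = value & 0xFFF
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range in 0x{value:08x}")
    return vlan_id, tag_byte == TAGGED


def port_vlans(values) -> dict:
    """Summarise a returned attribute set as the port config the switch should apply,
    listing the inconsistencies an admin would want to catch before blaming the switch."""
    untagged, tagged = [], set()
    for v in values:
        vid, is_tagged = decode_egress_vlan(v)
        if is_tagged:
            tagged.add(vid)
        else:
            untagged.append(vid)
    problems = []
    if len(untagged) != 1:
        problems.append(f"expected exactly one untagged VLAN, got {untagged}")
    for vid in untagged:
        if vid in tagged:
            problems.append(f"VLAN {vid} is both tagged and untagged")
    return {"untagged": untagged[0] if len(untagged) == 1 else None,
            "tagged": sorted(tagged), "problems": problems}


# Constructed sample resembling the AP-port reply in the post: untagged VLAN 1, tagged 10 and 30.
SAMPLE = [encode_egress_vlan(1, False), encode_egress_vlan(10, True), encode_egress_vlan(30, True)]

if __name__ == "__main__":
    print(port_vlans(SAMPLE))
```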