Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

  • 1.  Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    Posted Sep 29, 2022 05:50 AM
    Dear Community,

    We are currently using CX-6100 / Aruba 2530 switches with MAC-based authentication against ClearPass.

    CoA is working properly.

    When connecting devices like computers, laptops, printers, CCTV, ... the devices show up in Access Tracker.

    The issue is that when connecting old devices like a serial-to-Ethernet converter, an Epson receipt printer, ... the devices do not show up in Access Tracker.

    I recently captured the uplink port between the switches and ClearPass with Wireshark. When connecting devices you can see RADIUS packets being sent to ClearPass,
    while the old devices do not trigger any RADIUS packets.

    Same problem on both switch types. Here's an example config from one switch:

    Current configuration:
    !
    !Version ArubaOS-CX PL.10.10.0002
    !export-password: default
    .
    .
    .
    radius-server host SECRET key ciphertext SECRET
    !
    !
    aaa group server radius cppm
        server SECRET
    !
    aaa accounting port-access start-stop interim
    !
    radius dyn-authorization enable
    !
    radius dyn-authorization client SECRET secret-key SECRET
    .
    .
    .
    aaa authentication port-access mac-auth
        radius server-group cppm
        enable
    .
    .
    .
    interface 1/1/3
        no shutdown
        vlan access 1
        aaa authentication port-access mac-auth
            enable


    Thanks so far.

    Best regards


  • 2.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Sep 30, 2022 06:33 PM
    Generally mac-auth will only occur when the switch sees an inbound packet from the device.  Printers and other devices are notoriously quiet and don't send packets very often after they initially connect.

    If the port goes into an un-authenticated state there isn't anything to trigger the auth.  

    You can try restarting the devices then set the client-timeout in your RADIUS response to make sure that the device entries don't get removed.  I don't recall the specific VSA / role attribute for it but you can find it in the user manuals.


  • 3.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Oct 03, 2022 10:21 AM
    Check if you can configure MAC Pinning (for CX and for AOS-Switch)

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    Posted Oct 04, 2022 03:28 AM

    Thanks for the provided information.

    We configured MAC pinning on the 2530 with the same results.

    Is there a way to troubleshoot whether there are any packets coming from the device?

    I also restarted the devices multiple times.
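    One way to answer the question above from the capture already mentioned in the first post. This is an added example, not code from any of the posters or from HPE Aruba: it reads a libpcap file that combines a mirror of the edge port with the uplink towards ClearPass and, for each client MAC you expect to see, reports how many frames that MAC actually put on the wire and whether the switch sent a RADIUS Access-Request carrying it in Calling-Station-Id. A device with zero frames is the "silent device" case from reply 2 (nothing inbound, so nothing for mac-auth to trigger on); frames without an Access-Request point at the switch side instead. The capture, MAC and IP addresses, and the delimiter style of the Calling-Station-Id value are all constructed assumptions so the script runs offline.

```python
# Added example for this thread (not from the original posts or from HPE Aruba):
# given a capture of the switch uplink to ClearPass plus a mirror of the edge
# port, answer per expected client MAC: did the device send any frame at all
# (without an inbound frame the switch has nothing to MAC-authenticate), and did
# the switch send an Access-Request naming it in Calling-Station-Id?
# The capture is constructed inline so this runs offline; all MACs, IPs and the
# Calling-Station-Id delimiter format are assumptions for the example.
import struct
from collections import Counter

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
RADIUS_AUTH_PORT, RADIUS_ACCESS_REQUEST, ATTR_CALLING_STATION_ID = 1812, 1, 31


def parse_pcap(data):
    """Raw Ethernet frames of a little-endian classic libpcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def normalize_mac(text):
    """Reduce 'AABBCC-DDEEFF', 'aa-bb-..', 'aa:bb:..' to aa:bb:cc:dd:ee:ff."""
    h = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def frames_per_source(frames):
    """How many frames each source MAC put on the wire."""
    return Counter(normalize_mac(f[6:12].hex()) for f in frames if len(f) >= 14)


def radius_calling_station_ids(frames):
    """MACs carried in Calling-Station-Id of every Access-Request sent to UDP/1812."""
    seen = set()
    for f in frames:
        if len(f) < 34 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = f[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                       # not UDP
            continue
        udp = ip[ihl:]
        if struct.unpack("!H", udp[2:4])[0] != RADIUS_AUTH_PORT:
            continue
        radius = udp[8:]
        if radius[0] != RADIUS_ACCESS_REQUEST:
            continue
        off = 20                              # code, id, length, authenticator
        while off + 2 <= len(radius):         # then type/length/value attributes
            atype, alen = radius[off], radius[off + 1]
            if alen < 2:
                break
            if atype == ATTR_CALLING_STATION_ID:
                seen.add(normalize_mac(radius[off + 2:off + alen].decode("ascii")))
            off += alen
    return seen


def report(frames, expected_macs):
    """Per expected MAC -> (frames it sent, whether an Access-Request named it)."""
    counts, authed = frames_per_source(frames), radius_calling_station_ids(frames)
    return {normalize_mac(m): (counts.get(normalize_mac(m), 0), normalize_mac(m) in authed)
            for m in expected_macs}


# --- constructed sample capture (assumed addresses) ---------------------------
LAPTOP, SILENT_CONVERTER = bytes.fromhex("001122334455"), bytes.fromhex("00a0b1c2d3e4")
SWITCH, CLEARPASS, BCAST = bytes.fromhex("0c1122334466"), bytes.fromhex("0c1122334477"), b"\xff" * 6


def _udp_frame(dst, src, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def _access_request(calling_station_id):
    attr = bytes([ATTR_CALLING_STATION_ID, 2 + len(calling_station_id)]) + calling_station_id.encode()
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attr)) + b"\x00" * 16 + attr


SAMPLE_FRAMES = [
    # the laptop speaks first (a broadcast ARP); only its source MAC matters here
    BCAST + LAPTOP + struct.pack("!H", ETHERTYPE_ARP) + b"\x00\x01\x08\x00\x06\x04\x00\x01" + LAPTOP + b"\x00" * 14,
    # so the switch asks ClearPass about it; the delimiter style of the MAC is an assumption
    _udp_frame(CLEARPASS, SWITCH, b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x0a", 49152, RADIUS_AUTH_PORT,
               _access_request("00-11-22-33-44-55")),
    # the serial converter never sends a frame, so no Access-Request for it exists
]


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for mac, (n, authed) in report(parse_pcap(SAMPLE_PCAP), [LAPTOP.hex(), SILENT_CONVERTER.hex()]).items():
        verdict = ("ok" if authed else "silent: nothing inbound to trigger mac-auth" if n == 0
                   else "frames seen but no Access-Request: look at the switch, not the device")
        print(f"{mac}: {n} frame(s), access-request={authed} -> {verdict}")
```

    To use it on a real capture, replace SAMPLE_PCAP with the bytes of a pcap saved from Wireshark (classic pcap format, not pcapng) and list the MACs of the devices that never appear in Access Tracker. The normalisation step matters because different switch platforms and settings send Calling-Station-Id with different delimiters, so compare MACs only after reducing them to one form.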




  • 5.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Oct 11, 2022 05:03 AM
    If the device has a static IP address, change it to DHCP (with a reservation to the static IP if you need to have a predictable IP) or configure something on the device that will trigger traffic like a NTP server or syslog. After you have a single packet sent, mac-pinning should keep the port open.

    Sounds like this is some very specific devices, as I don't know many devices that don't send any traffic.

    ------------------------------
    Herman Robers
    ------------------------------