Security

 View Only
last person joined: 9 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

This thread has been viewed 20 times
  • 1.  Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    Posted Sep 29, 2022 05:50 AM
    Dear Community,

    we are currently using CX-6100 / Aruba-2530 devices with Mac-Based ClearPass.

    CoA is working properly.

    While connecting devices like Computer,Laptop,Printer,CCTV,.. devices showing up in AccessTracker.

    The issue is while connecting old devices like Serial-Ethernet Converter, Epson recipient printer, ... devices are not showing in the AccessTracker.

    I recently captured the uplink port with wireshark between the swtiches and clearpass. While connecting devices you can see radius packages requesting at clearpass.
    While old devices are not requesting radius packages.

    Same problem on both switch types. Heres an example config from one switch:

    Current configuration:
    !
    !Version ArubaOS-CX PL.10.10.0002
    !export-password: default
    .
    .
    .
    radius-server host SECRET key ciphertext SECRET
    !
    !
    aaa group server radius cppm
    server SECRET
    !
    aaa accounting port-access start-stop interim
    !
    radius dyn-authorization enable
    !
    radius dyn-authorization client SECRET secret-key SECRET
    .
    .
    .
    aaa authentication port-access mac-auth
    radius server-group cppm
    enable
    .
    .
    .
    interface 1/1/3
    no shutdown
    vlan access 1
    aaa authentication port-access mac-auth
    enable


    Thanks until yet.

    Best regards


  • 2.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Sep 30, 2022 06:33 PM
    Generally mac-auth will only occur when the switch sees an inbound packet from the device.  Printers and other devices are notoriously quite and don't send packets very often after they initially connect.

    If the port goes into an un-authenticated state there isn't anything to trigger the auth.

    You can try restarting the devices then set the client-timeout in your RADIUS response to make sure that the device entries don't get removed.  I don't recall the specific VSA / role attribute for it but you can find it in the user manuals.


  • 3.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Oct 03, 2022 10:21 AM
    Check if you can configure MAC Pinning (for CX and for AOS-Switch)

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    Posted Oct 04, 2022 03:28 AM

    Thanks for the provided informations.

    We configured MAC-Pinning on 2530 with the same results.

    Is there a way to troubleshoot that there are mac packages coming from the device ?

    Also i restarted the devices multiple times.




  • 5.  RE: Aruba CX-6100 / Aruba 2530 MAC-Based Auth. - Old device issues

    EMPLOYEE
    Posted Oct 11, 2022 05:03 AM
    If the device has a static IP address, change it to DHCP (with a reservation to the static IP if you need to have a predictable IP) or configure something on the device that will trigger traffic like a NTP server or syslog. After you have a single packet sent, mac-pinning should keep the port open.

    Sounds like this is some very specific devices, as I don't know many devices that don't send any traffic.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------