Original Message:
Sent: Oct 15, 2024 11:27 AM
From: chulcher
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
You can create a local user role on the switch and configure the role to include device-mode operation.
https://www.arubanetworks.com/techdocs/AOS-S/16.11/ASG/YC/content/common%20files/aaa-aut-use-rol-nam-por-mod16.htm
Or, return the HPE-Port-Dot1x-Port-Mode VSA that puts the port in device mode.
https://community.arubanetworks.com/discussion/mac-authentication-aos-s
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 15, 2024 08:49 AM
From: erik.boss
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
Switch(config)# aaa authentication port-access
local Use local switch user/password database.
eap-radius Use EAP capable RADIUS server.
chap-radius Use CHAP (MD5) capable RADIUS server
No auth-mode on the 3930M either, same as on the 2540.
Thanks,
Erik
Original Message:
Sent: Oct 15, 2024 08:28 AM
From: jonas.hammarback
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
Do you have the command device port-mode in the switch?
It's the same on the 2930F and other AOS switches I have worked with, so I expect it to be present on the 2540 as well:
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Oct 15, 2024 08:17 AM
From: erik.boss
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
Hi Jonas,
My Aruba 2540 does not have the device mode option; CX does.
Do you mean this?
device-profile name "default-ap-profile"
untagged-vlan 31
tagged-vlan 5,6
exit
device-profile type "aruba-ap"
enable
exit
Thanks in advance
Erik
Original Message:
Sent: Oct 15, 2024 08:00 AM
From: jonas.hammarback
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
Hi Erik
It looks to me like you are also authenticating the wireless clients in the switch. Is that correct?
The right way to do this is to set the switch port to device-mode and not authenticate the wireless clients in the switch. Instead they should be authenticated in the access point.
I think this is the correct Aruba RADIUS attribute to send:

I often use Downloadable User Roles, so I'm a bit unsure whether it's the correct one.
So in ClearPass you will authenticate the access point with a wired service, and the wireless clients with a service for wireless clients.
Also, for troubleshooting, verify that the client VLAN works as intended by temporarily configuring a port without authentication and with VLAN 5 untagged, then connecting a client. Does the client get an IP and is it able to communicate normally?
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Oct 15, 2024 04:48 AM
From: erik.boss
Subject: Aruba IAP cluster ClearPass authentication, untagged - tagged vlan
Good day,
I'm struggling with an issue.
I want to authenticate my Aruba Instant cluster with ClearPass. That works: the AP is found and receives the right untagged VLAN.
In my ClearPass config I have the tagged VLAN set with the HPE Egress VLAN ID.
I can see in my Aruba 2540 switch the tagged VLANs received.
sh port-a cl 46 de
Port Access Client Status Detail
Client Base Details :
Port : 46 Authentication Type : mac-based
Client Status : authenticated Session Time : 2137 seconds
Client Name : d015a6cbe80a Session Timeout : 10800 seconds
MAC Address : d015a6-cbe80a
IP : 10.10.31.104
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 31 Out Limit Kbps : Not Set
Tagged VLANs : 5, 6
Port Mode : 1000FDx
When I want to connect to one of the SSIDs, I don't receive an IP address. The firewall is the DHCP server in this case.
ClearPass will put my client in the right vlan.
I've tried many switch port options, but ClearPass will push the tagged VLANs.
The client output in the switch:
Client Base Details :
Port : 46 Authentication Type : mac-based
Client Status : rejected no vlan Session Time : 11 seconds
Client Name : 466c7c0cd922 Session Timeout : 0 seconds
MAC Address : 466c7c-0cd922
No user roles or anything like that are used.
What am I missing? I found other topics related to my issue, but they did not work.
Thanks for your reply
Regards,
Erik
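As an added example that is not part of the thread above: the symptom Erik pasted (one MAC on port 46 authenticated with tagged VLANs 5 and 6, a second MAC on the same port in "rejected no vlan") is exactly what you see when a port carrying an AP uplink is doing mac-based authentication of every MAC behind the AP instead of running in device mode. The script below parses the flattened "show port-access clients detailed" output from the post (embedded here as constructed sample input, copied from the thread) and flags ports where an authenticated client holding tagged VLANs shares the port with rejected MACs. The label list, the dataclass and the heuristic are this example's own assumptions, not anything from AOS-S or ClearPass.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two "show port-access clients detailed" blocks
# from the post, pasted as the switch prints them (two columns of
# "Label : value" pairs end up on one text line after copy/paste).
SAMPLE_OUTPUT = """\
Port Access Client Status Detail
Client Base Details :
Port : 46 Authentication Type : mac-based
Client Status : authenticated Session Time : 2137 seconds
Client Name : d015a6cbe80a Session Timeout : 10800 seconds
MAC Address : d015a6-cbe80a
IP : 10.10.31.104
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 31 Out Limit Kbps : Not Set
Tagged VLANs : 5, 6
Port Mode : 1000FDx
Client Base Details :
Port : 46 Authentication Type : mac-based
Client Status : rejected no vlan Session Time : 11 seconds
Client Name : 466c7c0cd922 Session Timeout : 0 seconds
MAC Address : 466c7c-0cd922
"""

# Labels seen in the output above (assumed list). Longest first so that
# "Port Mode" is not cut to "Port" and "Session Timeout" not to "Session Time".
LABELS = sorted([
    "Port", "Authentication Type", "Client Status", "Session Time",
    "Client Name", "Session Timeout", "MAC Address", "IP", "COS Map",
    "In Limit Kbps", "Untagged VLAN", "Out Limit Kbps", "Tagged VLANs",
    "Port Mode",
], key=len, reverse=True)
LABEL_RE = re.compile(r"(" + "|".join(re.escape(l) for l in LABELS) + r")\s*:\s*")


@dataclass
class PortAccessClient:
    port: str
    mac: str
    auth_type: str
    status: str
    untagged_vlan: Optional[str] = None
    tagged_vlans: List[str] = field(default_factory=list)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'A : x B : y' into {'A': 'x', 'B': 'y'}; a line with no label gives {}."""
    parts = LABEL_RE.split(line.strip())
    it = iter(parts[1:])  # parts[0] is whatever precedes the first label
    return {key: value.strip() for key, value in zip(it, it)}


def parse_clients(text: str) -> List[PortAccessClient]:
    """One PortAccessClient per 'Client Base Details' block."""
    blocks: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.strip().startswith("Client Base Details"):
            blocks.append({})
        elif blocks:
            blocks[-1].update(parse_line(line))
    clients = []
    for b in blocks:
        tagged = [v.strip() for v in b.get("Tagged VLANs", "").split(",") if v.strip()]
        clients.append(PortAccessClient(
            port=b.get("Port", "?"), mac=b.get("MAC Address", "?"),
            auth_type=b.get("Authentication Type", "?"),
            status=b.get("Client Status", "?"),
            untagged_vlan=b.get("Untagged VLAN"), tagged_vlans=tagged))
    return clients


def rejected_clients_on_ap_ports(clients: List[PortAccessClient]) -> Dict[str, List[str]]:
    """Ports where an authenticated client holds tagged VLANs (an AP uplink
    profile) and further MACs on the same port were rejected: the pattern of
    authenticating wireless clients at the switch instead of using device mode."""
    by_port: Dict[str, List[PortAccessClient]] = {}
    for c in clients:
        by_port.setdefault(c.port, []).append(c)
    findings: Dict[str, List[str]] = {}
    for port, members in by_port.items():
        ap_uplinks = [c for c in members if c.status == "authenticated" and c.tagged_vlans]
        rejected = [c.mac for c in members if c.status.startswith("rejected")]
        if ap_uplinks and rejected:
            findings[port] = rejected
    return findings


if __name__ == "__main__":
    for port, macs in rejected_clients_on_ap_ports(parse_clients(SAMPLE_OUTPUT)).items():
        print(f"port {port}: AP uplink authenticated, but rejected MACs {macs}; "
              f"consider device mode and authenticate these clients on the AP")
```

Feed it the real output of `show port-access clients detailed` instead of SAMPLE_OUTPUT; a port listed in the findings is one where the switch is still seeing, and rejecting, individual wireless-client MACs behind the AP.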