Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass OnGuard with Meraki Wireless - Dropped Connections

This thread has been viewed 18 times
  • 1.  Clearpass OnGuard with Meraki Wireless - Dropped Connections

    Posted Feb 14, 2024 01:57 PM

    We are working on an implementation that consists of Clearpass (with OnGuard) and Meraki wireless. We are having issues with clients roaming between Meraki AP's and re-authenticating.  When clients are roaming between AP's, they are re-authenticating against Clearpass.  The issue we are experiencing is if the OnGuard posture status cache has expired (which happens after 5 minutes) then the client will connect and the posture be seen as "unknown" which then places the client on the Quarantine VLAN until a new "Healthy" assessment is reported by the Agent.  When that happens, Clearpass will send down a Meraki-Terminate-Session which then pushes another re-authentication and places the client in the correct VLAN.  We have a TAC case open but the TAC engineer said this is expected.  Our customer is not accepting this as all wireless connections should be seamless when roaming (which I agree).  Is there a better way to accomplish seamless roaming when utilizing OnGuard with Meraki wireless?  Thank you!  



  • 2.  RE: Clearpass OnGuard with Meraki Wireless - Dropped Connections

    Posted Feb 14, 2024 04:53 PM

    What kind of roaming settings do you have enabled on the Meraki WLAN? 



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: Clearpass OnGuard with Meraki Wireless - Dropped Connections

    Posted Feb 19, 2024 08:33 AM

    We have 802.11r enabled but since we have CoA enabled we cannot enable 802.11k or v.  Thank you.




  • 4.  RE: Clearpass OnGuard with Meraki Wireless - Dropped Connections

    EMPLOYEE
    Posted Feb 15, 2024 03:57 AM

    You can change the Posture Cache timeout under Service Configuration, Service Parameters, ClearPass Network Services, to value that does work:

    Or play with the OnGuard keepalive and Check Interval settings (under Global Agent Settings).

    I agree that on a roam the client should not go through a full reauthentication, which may be a misconfiguration in the WLAN settings.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass OnGuard with Meraki Wireless - Dropped Connections

    Posted Feb 19, 2024 08:44 AM

    Thanks Herman.  We will adjust the cache timeout and see if that improves the roaming re-auth.  Unfortunately there are not many bells and whistles to adjust with Meraki.  We have 802.11r enabled but cannot enable 802.11 k and v since we have CoA enabled on that .1x SSID.