
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass rolemapping ArubaOS and CX

  • 1.  ClearPass rolemapping ArubaOS and CX

    Posted Feb 20, 2024 10:27 AM

    Hi Gents,

    In my project I have 30 ArubaOS switches and about 70 Aruba CX switches to authenticate users with EAP-TLS.

    All switches are managed in one vlan.

    The NAD devices are found by the management subnet. Is there a way to make a difference between authentication from an Aruba OS and Aruba CX switch?

    ArubaOS uses, for example, the HPE user roles, while CX uses Aruba user roles. Creating double services is an option, but how can I fix it without much administration?

    The ArubaOS switches will be replaced in 2024.

    Now I have a role mapping for OS and CX switches but the enforcement is not what it must be. I receive both roles and enforcements. It's an ugly config.

    Any suggestion? I was looking at a NAS ID, but I would have to enter all switch names or IP addresses into it.

    I don't want to enter all switches by hand.

  • 2.  RE: ClearPass rolemapping ArubaOS and CX
    Best Answer

    Posted Feb 20, 2024 10:34 AM

    You can use Role Mapping to assign a Tips Role and then match that in your Enforcement to send back the correct config.

    Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement EXISTS assign role ArubaOS-Switch

    Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement NOT_EXISTS assign role ArubaCX-Switch
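
The two rules above, evaluated the way a RADIUS server would see them, as an added example (not the poster's configuration and not ClearPass code): it parses the attribute list of an Access-Request, collects the Vendor-Specific attributes, and applies EXISTS / NOT_EXISTS rules in order to pick a TIPS role. The numeric identifiers are assumptions taken from the FreeRADIUS dictionaries, not from the thread: Vendor-Specific is RADIUS attribute 26, the HP/HPE vendor ID is 11, and HP-Capability-Advert (what ClearPass shows as Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement) is sub-type 255. The two sample requests are constructed, not captured.

```python
"""Evaluate ClearPass-style role-mapping rules (EXISTS / NOT_EXISTS on a vendor
attribute) against the attribute list of a RADIUS Access-Request."""
import struct

# Assumed constants (not from the thread): Vendor-Specific attribute type 26,
# HP/HPE vendor ID 11 and HP-Capability-Advert sub-type 255, as in the
# FreeRADIUS dictionary.hp. ClearPass exposes the VSA as
# Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement.
VENDOR_SPECIFIC = 26
HPE_VENDOR_ID = 11
HPE_CAPABILITY_ADVERT = 255
USER_NAME = 1
NAS_IP_ADDRESS = 4

# Rule order as in the answer: (operator, (vendor_id, sub_type), TIPS role).
RULES = [
    ("EXISTS", (HPE_VENDOR_ID, HPE_CAPABILITY_ADVERT), "ArubaOS-Switch"),
    ("NOT_EXISTS", (HPE_VENDOR_ID, HPE_CAPABILITY_ADVERT), "ArubaCX-Switch"),
]


def build_attr(attr_type, value):
    """Encode one RADIUS attribute: type(1) | length(1, header included) | value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_vsa(vendor_id, sub_type, value):
    """Encode an RFC 2865 Vendor-Specific attribute carrying one sub-attribute."""
    sub = bytes([sub_type, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(data):
    """Walk a RADIUS attribute list and return [(type, value), ...].
    A bad length aborts parsing instead of being skipped silently."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_vsas(attrs):
    """Return {(vendor_id, sub_type): value} for every Vendor-Specific attribute.
    Sub-attributes use the same TLV layout as top-level attributes."""
    vsas = {}
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        for sub_type, sub_value in parse_attrs(value[4:]):
            vsas[(vendor_id, sub_type)] = sub_value
    return vsas


def map_roles(request_attrs, rules=RULES, first_match=True):
    """Apply the role-mapping rules to a raw attribute list. With first_match=True
    only the first matching rule assigns a role; otherwise every matching rule's
    role is collected (the two evaluation modes ClearPass offers)."""
    present = parse_vsas(parse_attrs(request_attrs))
    roles = []
    for operator, key, role in rules:
        hit = key in present if operator == "EXISTS" else key not in present
        if hit:
            roles.append(role)
            if first_match:
                break
    return roles


# Constructed sample requests (not real captures): an ArubaOS switch that
# advertises its capabilities, and a CX switch that sends no HPE VSA at all.
ARUBAOS_REQUEST = (
    build_attr(USER_NAME, b"host/pc01.example.net")
    + build_attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 11]))
    + build_vsa(HPE_VENDOR_ID, HPE_CAPABILITY_ADVERT, b"\x01\x02")
)
ARUBACX_REQUEST = (
    build_attr(USER_NAME, b"host/pc02.example.net")
    + build_attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 71]))
)

if __name__ == "__main__":
    print("ArubaOS request ->", map_roles(ARUBAOS_REQUEST))
    print("ArubaCX request ->", map_roles(ARUBACX_REQUEST))
```

Note what NOT_EXISTS actually matches: any request without the HPE VSA, not only requests from CX switches. A third NAD type, or an ArubaOS switch that for some reason does not send the capability advertisement, also lands in ArubaCX-Switch, so keep the service's NAD filter tight and confirm the assigned role in Access Tracker for a known device of each type before relying on the mapping.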

  • 3.  RE: ClearPass rolemapping ArubaOS and CX

    Posted Feb 20, 2024 10:47 AM

    Thanks, seems to work on CX. Will test it tomorrow on OS.

    How did you get this entry? I was searching in the request, couldn't find anything.



  • 4.  RE: ClearPass rolemapping ArubaOS and CX

    Posted Feb 21, 2024 04:14 AM

    These RADIUS attributes are sent from an ArubaOS switch and not from CX, so they can be used to distinguish between the two.

  • 5.  RE: ClearPass rolemapping ArubaOS and CX

    Posted Feb 21, 2024 04:21 AM

    great! Thanks for this clarification.

  • 6.  RE: ClearPass rolemapping ArubaOS and CX

    Posted Mar 14, 2024 05:36 AM

    Hi ,

    When connecting a client it works on both. When connecting a VOIP-phone on an Aruba OS switch and a client it works.

    It does not work when I connect a client behind a VOIP-phone on a CX switch when using EAP.

    EAP packets are dropped, timeouts in ClearPass. It seems that Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement NOT_EXISTS won't give the user that given role, so the client does not receive the role configured to get on the network.

    VOIP-phones are Alcatel Lucent. Any suggestions?

  • 7.  RE: ClearPass rolemapping ArubaOS and CX

    Posted Mar 15, 2024 11:45 AM

    Do you see the correct role returned by ClearPass for devices that do successfully authenticate? That is what you originally opened this thread for.

    To troubleshoot this further, it may be good to work with your Aruba partner or Aruba TAC. There are a lot of logs available, and you can run packet captures and debugging to find what is actually happening here. If you know what's going on, it's probably trivial to change the config, which apparently has something misconfigured for your scenario.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 8.  RE: ClearPass rolemapping ArubaOS and CX

    Posted 27 days ago

    In this scenario the client does not receive the correct role. It cannot complete EAP transaction.

    I already made packet captures and shared it with TAC. I have a switch case, maybe I have to open a ClearPass case as well.

    Thanks Herman