Cloud Managed Networks

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

the mac caching service uses the "Guest MAC Caching (Post_Authentication)" enforcement profile that updates endpoint db with
username/roleid/mac-auth-expiry after which the user reauth

it looks like that is not happening for some reason.
check the Identity->endpoints for this mac address and check the attributes tab, you should see something like this.



------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Dec 14, 2022 11:18 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

I know it should be like that but its in blank, it just really odd.
Has anyone configured this scenario but with Aruba OS 10 on tunnel mode with clearpass succesfully? with mac caching? i actually want to know if this is possible because mac caching is not possible for aruba central with their cloud authentication, its just possible on bridfe mode.

I wonder if its something silly im missing.

I will try to configure this on bridge mode tomorrow to see if it works.
Original Message:
Sent: Dec 14, 2022 04:40 PM
From: Ariya Parsamanesh
Subject: configuring mac caching

the mac caching service uses the "Guest MAC Caching (Post_Authentication)" enforcement profile that updates endpoint db with
username/roleid/mac-auth-expiry after which the user reauth

it looks like that is not happening for some reason.
check the Identity->endpoints for this mac address and check the attributes tab, you should see something like this.



------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Dec 14, 2022 11:18 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

ok walk me through the workflow, does the client redirects to the captive portal on ClearPass and then logins?
if thats the case, that login should start a RADIUS request and match with the mac caching service on CPPM.
if thats the case please paste the access tracker output for that.
It is that service and specifically "Guest MAC Caching (Post_Authentication)" enforcement profile that writes the attributes to the endpoint mac address in the db.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Dec 14, 2022 10:30 PM
From: Carlos De La Rosa
Subject: configuring mac caching

I know it should be like that but its in blank, it just really odd.
Has anyone configured this scenario but with Aruba OS 10 on tunnel mode with clearpass succesfully? with mac caching? i actually want to know if this is possible because mac caching is not possible for aruba central with their cloud authentication, its just possible on bridfe mode.

I wonder if its something silly im missing.

I will try to configure this on bridge mode tomorrow to see if it works.
Original Message:
Sent: Dec 14, 2022 04:40 PM
From: Ariya Parsamanesh
Subject: configuring mac caching

the mac caching service uses the "Guest MAC Caching (Post_Authentication)" enforcement profile that updates endpoint db with
username/roleid/mac-auth-expiry after which the user reauth

it looks like that is not happening for some reason.
check the Identity->endpoints for this mac address and check the attributes tab, you should see something like this.



------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Dec 14, 2022 11:18 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

Ok, from this I can make up the following:
- User connects to the network with a device that has not been authenticated as guest
- The xxxx MAC Caching service matches [good]
- As a result, there should be no MAC Caching for this device
- Because none of the role mappings matched (no guest entries in the Endpoint), just the [User Authenticated] (default) and [Other] (default for the role mapping if none other matches) are assigned (see Access Tracker Summary tab)
- That means no enforcement rule is triggered either, because both rules require at least one other role ([Guest]/[Contractor]/[Employee]); thus the default enforcement [Deny All] is returned, which means a Radius Accept-Reject.

How equipment responds to that is different, and I think that is where the issue lies. AP with a Captive Portal profile will 'jump' in the redirect mode, but if you have a gateway that automatic role is probably not available on the gateway resulting in a default role or rejected traffic at the gateway.

What may work is to create a manual gateway role (that does the redirect but excepts traffic to ClearPass) and return that instead of sending a Deny Access. Where I would create an enforcement rule at the bottom that does Role = [User Authenticated] -> Return Guest Captive Portal Role (which has the name of the gateway role that handles the captive portal). You could ask assistance from Aruba Support as it may be somewhat hard to do for the first time.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 14, 2022 11:18 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway

Hello Herman
I configured this on bridge mode and worked, at least on a test vlan we have for the client, but that same vlan didnt work either for the tunnel mode.

I ll see if i get time to configure it on tunnel mode too but for now in bridge mode is working like a charm.
Original Message:
Sent: Dec 15, 2022 04:30 AM
From: Herman Robers
Subject: configuring mac caching

Ok, from this I can make up the following:
- User connects to the network with a device that has not been authenticated as guest
- The xxxx MAC Caching service matches [good]
- As a result, there should be no MAC Caching for this device
- Because none of the role mappings matched (no guest entries in the Endpoint), just the [User Authenticated] (default) and [Other] (default for the role mapping if none other matches) are assigned (see Access Tracker Summary tab)
- That means no enforcement rule is triggered either, because both rules require at least one other role ([Guest]/[Contractor]/[Employee]); thus the default enforcement [Deny All] is returned, which means a Radius Accept-Reject.

How equipment responds to that is different, and I think that is where the issue lies. AP with a Captive Portal profile will 'jump' in the redirect mode, but if you have a gateway that automatic role is probably not available on the gateway resulting in a default role or rejected traffic at the gateway.

What may work is to create a manual gateway role (that does the redirect but excepts traffic to ClearPass) and return that instead of sending a Deny Access. Where I would create an enforcement rule at the bottom that does Role = [User Authenticated] -> Return Guest Captive Portal Role (which has the name of the gateway role that handles the captive portal). You could ask assistance from Aruba Support as it may be somewhat hard to do for the first time.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 11:18 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello Herman, thank you for your time in replying my tread
Here are the asnwers:
1-Does the request in ClearPass map to the correct (expected) service
I bealive so, its mapping the first one because its trying to mac authenticate

2-Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
it was already on allow all mac auth

I will show you what i see on the access tracker




I will show you the config i have

Services:

Now i will show you whats inside mac authentication service






Now  i will show you the next service which is user authentication with mac caching






Anything elase you need Herman?
Original Message:
Sent: Dec 14, 2022 08:19 AM
From: Herman Robers
Subject: configuring mac caching

Does the request in ClearPass map to the correct (expected) service?
Can you share the other output of Access Tracker?
Can you share the configured service?
Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
What other Authorization Sources have you added in addition to Endpoints Repository?

The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) and if you include the Guest User Database as authorization source.

There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 14, 2022 12:35 AM
From: Carlos De La Rosa
Subject: configuring mac caching

Hello
It is possible to configure mac caching on this scenario:

1 gateway managed by aruba central with Aruba OS 10  on tunnel mode
Im trying to do it but with no luck.  i got the same scenario but instead of using gateway and central *i just use and instant with OS8 and it works just fine.

I also tried configuing mac caching with cloud authentication and hte Tac told me that on tunnel mode it was not possible, and i had to do it on bridge mode. On bridge mode worked.   He told me that it should work with clearpass on tunnel mode but im unable to do it

Anyways the configuration is the fallowing
I have  a group of APS
And another group for the gateway
I go to the group of APs i add the SSID of the guest network i add the guest vlan i hit and put tunnel mode and i select the cluster, on security i slide to visitors, i click to external captive portal, i seclect the captive portal profile, which i put the hostname and the /guest/landingpage.php  of the clearpass, i select my clearpass as primary server, i hit on mac authentication for the mac caching, and the accounting use the authenticated srver, then just click next next finish.

I was checking on the gateway group if something was missing i mean the mac authentication config but it seems there, it seems that it does that all automatically.
I also uploaded the cert to aruba central then assigned it to the gateway group on the captive portal certificate

I dont know what im missing, but i doubt is something on the clearpass, i think its something on the aruba central, gateway end.
The certificate on the clearpass is there, the 2 services for the mac authentication, also self registration page all is already done.

Any ideas what i could missing? when i see the access tracker i get something like this

Policy server	Failed to construct filter=SELECT CASE WHEN expire_time is null or expire_time > now() THEN 'false' ELSE 'true' END AS is_expired, CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')). Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS	[Endpoints Repository] - localhost: User not found. Applied 'Reject' profile

It seems like tips roles its never equal to [Guest]  (i used the mac caching template to build it)

But like i said i have a lab that works fine with instant and aruba os8 with the same rules on the clearpass but does not work with the aruba os10 on tunnel mode with aruba central and the gateway