Cloud Managed Networks


Forum to discuss all things Aruba Central and UXI Network Management, this includes Aruba Central managed networks, Central configuration, best practices, Central APIs, Cloud Guest, AIOps, Presence Analytics and Other Central Applications

configuring mac caching

  • 1.  configuring mac caching

    Posted Dec 14, 2022 12:35 AM
    Hello,
    Is it possible to configure MAC caching in this scenario:

    1 gateway managed by Aruba Central with ArubaOS 10 in tunnel mode
    I'm trying to do it but with no luck. I have the same scenario, but instead of using a gateway and Central I just use an Instant AP with OS 8, and it works just fine.

    I also tried configuring MAC caching with cloud authentication, and TAC told me that in tunnel mode it was not possible and I had to do it in bridge mode. In bridge mode it worked. He told me that it should work with ClearPass in tunnel mode, but I'm unable to do it.

    Anyway, the configuration is the following:
    I have a group of APs
    And another group for the gateway
    I go to the group of APs, add the SSID of the guest network, add the guest VLAN, select tunnel mode and select the cluster. On security I slide to visitors, click external captive portal and select the captive portal profile, in which I put the hostname and the /guest/landingpage.php of the ClearPass. I select my ClearPass as primary server, enable MAC authentication for the MAC caching, and for accounting use the authentication server; then just click next, next, finish.

    I was checking on the gateway group if something was missing, I mean the MAC authentication config, but it seems to be there; it seems that it does all of that automatically.
    I also uploaded the cert to Aruba Central and then assigned it to the gateway group as the captive portal certificate.

    I don't know what I'm missing, but I doubt it's something on the ClearPass; I think it's something on the Aruba Central / gateway end.
    The certificate on the ClearPass is there, the 2 services for the MAC authentication, also the self-registration page; all is already done.

    Any ideas what I could be missing? When I look at the Access Tracker I get something like this:


    Policy server Failed to construct filter=SELECT
    CASE WHEN expire_time is null or expire_time > now() THEN 'false'
    ELSE 'true'
    END AS is_expired,
    CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
    Failed to get value for attributes=[AccountEnabled, AccountExpired]
    RADIUS [Endpoints Repository] - localhost: User not found.
    Applied 'Reject' profile
    It seems like the Tips role is never equal to [Guest] (I used the MAC caching template to build it).

    But like I said, I have a lab that works fine with Instant and ArubaOS 8 with the same rules on the ClearPass, but it does not work with ArubaOS 10 in tunnel mode with Aruba Central and the gateway.


  • 2.  RE: configuring mac caching

    EMPLOYEE
    Posted Dec 14, 2022 08:20 AM
    Does the request in ClearPass map to the correct (expected) service?
    Can you share the other output of Access Tracker?
    Can you share the configured service?
    Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
    What other Authorization Sources have you added in addition to Endpoints Repository?

    The Policy server 'Failed to construct' messages (everything in the box) would be expected for an unknown client (no entry in the Endpoint Database yet) if you include the Guest User Database as an authorization source.

    There is quite some information to analyze, and I could imagine that you prefer to discuss the detailed configuration with your Aruba Partner or Aruba Support, but with the information above it may be possible to find out what needs to be done.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: configuring mac caching

    Posted Dec 14, 2022 11:19 AM
    Hello Herman, thank you for your time in replying to my thread.
    Here are the answers:
    1 - Does the request in ClearPass map to the correct (expected) service?
    I believe so; it's mapping to the first one because it's trying to MAC authenticate.

    2 - Can you change the [MAC Auth] Authentication Method to [Allow All MAC Auth]?
    It was already on [Allow All MAC Auth].

    I will show you what I see on the Access Tracker.

    I will show you the config I have.

    Services:

    Now I will show you what's inside the MAC authentication service.

    Now I will show you the next service, which is user authentication with MAC caching.

    Anything else you need, Herman?


  • 4.  RE: configuring mac caching

    EMPLOYEE
    Posted Dec 14, 2022 04:40 PM
    The MAC caching service uses the "Guest MAC Caching (Post_Authentication)" enforcement profile that updates the endpoint DB with
    username/roleid/mac-auth-expiry, after which the user re-auths.

    It looks like that is not happening for some reason.
    Check Identity -> Endpoints for this MAC address and look at the Attributes tab; you should see something like this.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: configuring mac caching

    Posted Dec 14, 2022 10:31 PM
    I know it should be like that, but it's blank; it's just really odd.
    Has anyone configured this scenario successfully, but with ArubaOS 10 in tunnel mode with ClearPass, with MAC caching? I actually want to know if this is possible, because MAC caching is not possible for Aruba Central with their cloud authentication; it's only possible in bridge mode.

    I wonder if it's something silly I'm missing.

    I will try to configure this in bridge mode tomorrow to see if it works.


  • 6.  RE: configuring mac caching

    EMPLOYEE
    Posted Dec 15, 2022 01:42 AM
    OK, walk me through the workflow: does the client redirect to the captive portal on ClearPass and then log in?
    If that's the case, that login should start a RADIUS request and match the MAC caching service on CPPM.
    If that's the case, please paste the Access Tracker output for that.
    It is that service, and specifically the "Guest MAC Caching (Post_Authentication)" enforcement profile, that writes the attributes to the endpoint MAC address in the DB.




  • 7.  RE: configuring mac caching

    EMPLOYEE
    Posted Dec 15, 2022 04:31 AM
    OK, from this I can make out the following:
    - User connects to the network with a device that has not been authenticated as guest
    - The xxxx MAC Caching service matches [good]
    - As a result, there should be no MAC Caching for this device
    - Because none of the role mappings matched (no guest entries in the Endpoint), just the [User Authenticated] (default) and [Other] (default for the role mapping if none other matches) are assigned (see Access Tracker Summary tab)
    - That means no enforcement rule is triggered either, because both rules require at least one other role ([Guest]/[Contractor]/[Employee]); thus the default enforcement [Deny All] is returned, which means a RADIUS Access-Reject.

    How equipment responds to that differs, and I think that is where the issue lies. An AP with a Captive Portal profile will 'jump' into redirect mode, but if you have a gateway, that automatic role is probably not available on the gateway, resulting in a default role or rejected traffic at the gateway.

    What may work is to create a manual gateway role (that does the redirect but exempts traffic to ClearPass) and return that instead of sending a Deny Access. I would create an enforcement rule at the bottom that does Role = [User Authenticated] -> Return Guest Captive Portal Role (which has the name of the gateway role that handles the captive portal). You could ask for assistance from Aruba Support, as it may be somewhat hard to do for the first time.

    ------------------------------
    Herman Robers
    ------------------------------
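    The decision flow described in replies 4, 6 and 7 (endpoint attributes written after portal login, the guest-account lookup behind the Access Tracker SQL in the first post, the role mapping that falls through to [User Authenticated]/[Other], the [Deny All] default, and the fallback rule Herman proposes) can be modelled end to end. The block below is an added example for this thread, not ClearPass code and not something any poster supplied. The attribute names, the Guest Role ID value (2), the guest role "guest" and the gateway role name "guest-captive-portal" are assumptions; the guest account and client MAC are constructed sample data.

```python
"""Model of the ClearPass MAC-caching decision flow discussed in this thread.

Added example, not ClearPass code. It models:
  * the guest-account lookup behind the Access Tracker SQL in the first post
    (an unknown endpoint has no Username, so the lookup finds nobody);
  * the endpoint attributes the "Guest MAC Caching (Post_Authentication)"
    profile writes (Username / Guest Role ID / MAC-Auth Expiry), which the
    next MAC-auth request needs in order to reach the [Guest] role;
  * an enforcement policy whose default is [Deny All] (an Access-Reject),
    with and without the fallback rule Herman proposes for the gateway.
Attribute names, GUEST_ROLE_ID, the "guest" role and GATEWAY_CP_ROLE are
assumptions, not ClearPass defaults.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic; ClearPass uses now().
NOW = datetime(2022, 12, 14, 12, 0, tzinfo=timezone.utc)
GUEST_ROLE_ID = 2                         # assumed ID for the "Guest" role
GATEWAY_CP_ROLE = "guest-captive-portal"  # assumed gateway role name

# Same query as the thread's Access Tracker log, with now() and the
# %{Endpoint:Username} macro replaced by bind parameters.
GUEST_SQL = """
SELECT
  CASE WHEN expire_time IS NULL OR expire_time > ? THEN 'false' ELSE 'true' END AS is_expired,
  CASE WHEN enabled = 1 THEN 'true' ELSE 'false' END AS is_enabled
FROM tips_guest_users
WHERE guest_type = 'USER' AND user_id = ? AND app_name != 'Onboard'
"""


def make_db():
    """In-memory stand-in for the Guest User Database and Endpoint repository."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips_guest_users (user_id TEXT, guest_type TEXT, "
               "app_name TEXT, enabled INTEGER, expire_time TEXT)")
    db.execute("CREATE TABLE endpoints (mac TEXT PRIMARY KEY, username TEXT, "
               "guest_role_id INTEGER, mac_auth_expiry TEXT)")
    # Constructed sample guest account, valid for one more day.
    db.execute("INSERT INTO tips_guest_users VALUES (?, ?, ?, ?, ?)",
               ("visitor1", "USER", "Guest", 1, (NOW + timedelta(days=1)).isoformat()))
    return db


def guest_account_status(db, username):
    """(is_expired, is_enabled) for a guest account, or None for 'User not found'."""
    if not username:          # unknown endpoint: %{Endpoint:Username} is empty
        return None
    row = db.execute(GUEST_SQL, (NOW.isoformat(), username)).fetchone()
    if row is None:
        return None
    return row[0] == "true", row[1] == "true"


def post_authentication(db, mac, username, cache_days=1):
    """What the Post_Authentication profile does after a successful portal login."""
    expiry = (NOW + timedelta(days=cache_days)).isoformat()
    db.execute("INSERT OR REPLACE INTO endpoints VALUES (?, ?, ?, ?)",
               (mac, username, GUEST_ROLE_ID, expiry))


def map_roles(db, mac):
    """Role mapping for a MAC-auth request: [Guest] only with a valid cached entry."""
    roles = {"[User Authenticated]"}  # always present once MAC auth is allowed
    ep = db.execute("SELECT username, guest_role_id, mac_auth_expiry "
                    "FROM endpoints WHERE mac = ?", (mac,)).fetchone()
    if ep is not None:
        username, role_id, expiry = ep
        cache_valid = expiry is not None and datetime.fromisoformat(expiry) > NOW
        # The guest account must still exist, be enabled and not be expired.
        if cache_valid and role_id == GUEST_ROLE_ID \
                and guest_account_status(db, username) == (False, True):
            roles.add("[Guest]")
            return roles
    roles.add("[Other]")  # default when no role-mapping rule matched
    return roles


def enforce(roles, fallback_rule=False):
    """Enforcement policy: returns (RADIUS reply, returned profile/role)."""
    if "[Guest]" in roles:
        return "Access-Accept", "Aruba-User-Role=guest"   # assumed guest role
    if fallback_rule and "[User Authenticated]" in roles:
        # Herman's suggestion: hand the gateway a role that redirects to the
        # portal instead of rejecting the unknown client.
        return "Access-Accept", "Aruba-User-Role=" + GATEWAY_CP_ROLE
    return "Access-Reject", "[Deny All]"  # default enforcement


def walkthrough(fallback_rule):
    """First MAC auth (unknown MAC), portal login, then second MAC auth."""
    db = make_db()
    mac = "aa-bb-cc-dd-ee-01"  # constructed client MAC
    first = enforce(map_roles(db, mac), fallback_rule)
    post_authentication(db, mac, "visitor1")
    second = enforce(map_roles(db, mac), fallback_rule)
    return first, second


if __name__ == "__main__":
    for fb in (False, True):
        print("fallback rule", "on: " if fb else "off:", walkthrough(fb))
```

    Running it shows the two outcomes side by side: without the fallback rule the first MAC-auth request for an unknown client ends in Access-Reject ([Deny All]), which an AP in redirect mode tolerates but a gateway does not; with the rule the gateway receives the captive-portal role, the client can log in, the endpoint attributes get written, and the second MAC-auth request reaches [Guest]. An entry whose MAC-Auth Expiry is in the past falls back to [Other] exactly as an unknown MAC does, which is the state the Access Tracker in this thread shows.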



  • 8.  RE: configuring mac caching

    Posted Dec 15, 2022 11:09 AM
    Hello Herman,
    I configured this in bridge mode and it worked, at least on a test VLAN we have for the client, but that same VLAN didn't work in tunnel mode either.

    I'll see if I get time to configure it in tunnel mode too, but for now in bridge mode it is working like a charm.