Original Message:
Sent: Jul 31, 2024 04:26 AM
From: mathias_gt
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
Hello Herman,
Thanks for the instructive video. I've opened the case number 5383777682.
Regards,
Mathias
Original Message:
Sent: Jul 31, 2024 03:31 AM
From: Herman Robers
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
Here is a video on CX + ClearPass and Host MACsec. It includes some packet captures, so it may help to further analyze or compare the difference from what you see.
To be honest, host MACsec is not widely deployed, mainly because of the lack of a built-in supplicant for the mainstream operating systems Windows and macOS. If you feel ClearPass is not following the standards and causing an issue, please open a TAC case.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 31, 2024 03:04 AM
From: mathias_gt
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
I just tested with ClearPass 6.11.9, same issue :(
No, I'm not using a CX switch, I'm using an Alcatel-Lucent Enterprise OmniSwitch 6860N-P24M.
Here is the flow with ISE:
Original Message:
Sent: Jul 30, 2024 11:22 PM
From: Ariya Parsamanesh
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
I am not sure, but I recommend using 6.11.9 as it is the recommended version for the new sec advisory that was published.
Just test it with that version and let us know. BTW, is that a CX switch?
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jul 30, 2024 11:10 PM
From: mathias_gt
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
Hello Ariyap,
Thanks for your answer, but during my testing ClearPass did not send the EAP-Key-Name.
Access-Request with EAP-Key-Name:
Access-Accept answering this Access-Request:
I'm using ClearPass 6.11.6, any specific version that will support that?
Thanks and regards,
Mathias
Original Message:
Sent: Jul 30, 2024 10:21 PM
From: ariyap
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
No need to specify that in an enforcement profile.
ClearPass automatically includes EAP-Key-Name with a value in the Access-Accept for a MACsec request. That will contain EAP-Key-Name in the Access-Request.
Original Message:
Sent: Jul 29, 2024 10:34 AM
From: mathias_gt
Subject: Define EAP-Key-Name in ClearPass Enforcement Profiles for dynamic MACsec
Hello,
I'm looking to implement dynamic MACsec based on a key distributed by ClearPass. To do this, I need to send back the attribute "EAP-Key-Name". I see that this attribute can be defined in an Enforcement Profile:
However, I'm unable to find how to set EAP-Key-Name equal to the EAP-Session-ID. Any help with that would be very useful :)
Thanks in advance,
Mathias