And that works. If I use an FQDN when defining a RADIUS service, the cert gets validated and things work. Can now see the DUR on the switch, the device gets an IP address and I can see RADIUS accounting packets.
This gets me back to the original question. I've configured the switch to forward device fingerprints to cppm via RADIUS accounting ... and it's not working. cppm thinks the device is a generic HP laptop instead of a Windows device. Can't see anything on cppm RADIUS accounting hinting that it's received the info.
Original Message:
Sent: Jun 07, 2024 04:06 AM
From: alexs-nd
Subject: Detecting fingerprint data in CX using RADIUS Accounting
Many thanks for that, most informative. I notice you use an FQDN when specifying a RADIUS server. On our 2930 estate we don't and just point the switch at the cppm VIPs. The cppm certs don't have an IP: SAN nor an FQDN associated with the cppm VIPs. Can tweak the config to test things out to see if it's that, I guess.
A
Original Message:
Sent: Jun 06, 2024 08:09 PM
From: ariyap
Subject: Detecting fingerprint data in CX using RADIUS Accounting
You can refer to this 6-part series on Aruba ClearPass Wired Enforcement for CX switches, Part 1, which covers LUR, DUR and more.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jun 06, 2024 01:49 PM
From: alexs-nd
Subject: Detecting fingerprint data in CX using RADIUS Accounting
firmware is 10.13.1010
Original Message:
Sent: Jun 06, 2024 01:45 PM
From: alexs-nd
Subject: Detecting fingerprint data in CX using RADIUS Accounting
Nope, guess not. The root CA is the same one I install on ArubaOS-S switches and that's the only one there ... and both ArubaOS-S and ArubaOS-CX are talking to the same cppm server
switch time is correct as well
A
Original Message:
Sent: Jun 06, 2024 01:42 PM
From: alexs-nd
Subject: Detecting fingerprint data in CX using RADIUS Accounting
ok so sh port-access client detail
Tells me that it's failed to download the DUR with an error of server certificate invalid
but if I do a sh crypto pki ta-profile clearpass I get the enterprise local root CA cert.
Should I also include the intermediate CA?
A
Original Message:
Sent: Jun 06, 2024 01:34 PM
From: alexs-nd
Subject: Detecting fingerprint data in CX using RADIUS Accounting
Hi,
Most of my auth / DUR stuff has been on ArubaOS-S / Mobility Controllers ... now dipping toe in for CX, so ... running 10.13.x code (whatever the latest is), have configured DUR usage and am using RADIUS accounting to upload fingerprint data to cppm ... so got a few questions
1) sh port-access shows that I have an authentication with a DUR applied
2) cppm shows both dot1x and mac auth (yes, the switch is configured to do both to speed things up)
The DUR says
- Apply an allow all ACL
- Reauthenticate every hour
- switch port into client-mode
- Do not define any tagged/untagged VLANs, use the statically assigned one
For the client
The reauth isn't 1 hour but a few mins
The client isn't obtaining an IP address from the DHCP server even though it's on the correct VLAN
What's the CX equivalent of sh user-role download detail?
How can I tell that the client fingerprint data has been uploaded via RADIUS accounting?
Rgds
Alex
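
An added example, not part of any post in this thread: an offline check of which server identifiers a certificate covers, relating to the "server certificate invalid" DUR error that went away once the RADIUS server was defined by FQDN. It assumes the switch matches the name or address it was configured with against the certificate's SAN entries; the hostname `cppm.example.test`, the address `192.0.2.10` and both throwaway certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example; hostnames, addresses and certificates are constructed.

# make_cert OUT_PEM SAN_STRING: self-signed throwaway cert with the given SAN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cppm.example.test" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# san_covers CERT_PEM IDENTIFIER: succeeds only if the certificate is valid
# for the identifier the switch is configured with. An IPv4 literal must
# match an IP SAN; anything else is checked as a hostname.
san_covers() {
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" 2>&1 |
        grep -q "does match certificate"
}

# report CERT_PEM IDENTIFIER: print the verdict for one pairing.
report() {
    if san_covers "$1" "$2"; then echo "$2: covered by $1"
    else echo "$2: NOT covered by $1"; fi
}

tmp=$(mktemp -d)
make_cert "$tmp/dns_only.pem"   "DNS:cppm.example.test"
make_cert "$tmp/dns_and_ip.pem" "DNS:cppm.example.test,IP:192.0.2.10"

report "$tmp/dns_only.pem"   cppm.example.test   # server defined by FQDN
report "$tmp/dns_only.pem"   192.0.2.10          # server defined by VIP address
report "$tmp/dns_and_ip.pem" 192.0.2.10          # VIP present as an IP SAN
rm -rf "$tmp"
```

Against a real ClearPass certificate, point `san_covers` at the exported PEM and pass the exact name or address used in the switch's RADIUS server definition.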