Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Enabling Clearpass on an Uplink Port

This thread has been viewed 71 times
  • 1.  Enabling Clearpass on an Uplink Port

    Posted Jan 19, 2023 04:50 PM
    I have a strange predicament that I can't find any information about online. I'd like to enable ClearPass on an uplink port from my main switch to my second switch. The second switch will also be running clearpass to authenticate any devices plugged in. The reason I'd like to accomplish this is because the second switch will be moving around and could be plugged into any ethernet port with clearpass enabled.

    When I tested this and enabled clearpass on the uplink port, I noticed that clearpass on the second switch did not work properly. Clearpass would send the second switch the correct vlan to assign to a device, but the second switch would not change the vlan for that specified port. So, the device is being authenticated successfully, but switch 2 will not change the vlan once Clearpass tells it to.

    Does anybody have any experience with this at all or could provide some additional information to help me out?


  • 2.  RE: Enabling Clearpass on an Uplink Port

    EMPLOYEE
    Posted Jan 20, 2023 08:22 AM
    Are you able to help us understand what switch models are in use here? 

    The way I read your query I think both switches support port authentication. Is that correct?

    If this is the case, I would suggest you do not enable authentication on the uplink port between the two switches. Just enable it on edge ports where client devices connect. 

    Do you have all the VLANs that may be assigned configured on the second switch? They must be configured if you are going to dynamically assign them to ports. You should see something about this in the switch log if this is the case. Is there anything useful in the switch log to determine what is going wrong?


  • 3.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 20, 2023 09:45 AM
    Hi ProbeRequest, thank you for your reply,

    The two switch models are an Aruba 2930F and Aruba 2530. The main reason I cannot disable authentication on the uplink ports is because the second switch (2530) will be moving around and could be plugged into any other ethernet port in our organization that has clearpass enabled. 

    All the VLANs are configured correctly on the second switch (2530). I checked the switch logs, and I don't see anything in the log when clearpass sends the command to change the VLAN.


  • 4.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 20, 2023 10:01 AM
    Hi

    As I understand your case you have a need to temporary give more ports to a location with the 2530. Devices connected to this switch will be placed on more than one VLAN. So the port must be configured as a trunk both on the 2930F and the 2530.
    This can be done by Radius attributes or a Downloadable User Role to the 2930F. You also need to enable the port-mode on the port when connecting the 2530. Otherwise the 2930F will authenticate all devices one more time.

    On the 2530 side I would configure one port as the uplink port, without any authentication, with correct settings as a trunk with all the VLAN I need.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 20, 2023 10:50 AM
    Hi Jonas,

    Thank you for your reply. The main problem I have with this setup is that the 2530 switch will not always be plugged into the same port on the 2930. Therefore, I cannot configure a trunk on a specific port on the 2930 switch. Ideally, I want to be able to plug in the 2530 switch's uplink port to any switch in my organization with clearpass enabled. I'm not sure if this is possible or not so that is my main question.

    There are only 2 VLANS on the 2530 switch, 1 Default and 5 Voice. Almost all of our switches have the default vlan untagged and the voice vlan tagged. I'd like to use clearpass on the 2530 switch to authenticate the devices being plugged in, but the 2530 switch will get connected to a standard ethernet port to another random switch that will have clearpass enabled. I know typcially you would have clearpass disabled on the uplink port, but in my case, I'm wondering if there is a way I can have it enabled on the random switch and then disabled on my 2530 uplink port.


  • 6.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 20, 2023 12:15 PM
    Hi milesv,

    you have to enable suplicant on the uplinkport of the 2530 switch ("aaa port-access supplicant" ...). The 2530 will then perform EAP-MD5 authentication on the port of the Aruba 2930F - provided that authenticator is enabled on this port of the 2930F. In the CPPM you can recognize this authentication attempt by the credentials used. You have to create the corresponding enforcement with VLAN tagging for this authentication. In the same enforcement you have to switch the authentication from Aruba 2930F to port mode.

    This should solve your problem.

    If you don't enable port mode, all endpoints from switch 2530 will have to authenticate 2 times. The first time on the access port of the switch 2530 and the second time on the port Aruba 2930F.


  • 7.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 20, 2023 01:24 PM
    Hi Lord,

    Thank you for your reply. I am a bit of a clearpass noob and I am trying to enable the supplicant port on my 2530 switch. I entered the following command (aaa port-access supplicant 26). Do I also need to specify a username and password for the radius server in order for this authentication to work properly? Currently in clearpass I see the request using a MAC-AUTH authentication method referring to an endpoint repository.

    Also, for the enforcement, do I need to create a new enforcement policy then and configure with VLAN tagging and switch the authentication for the 2930F to port mode?


  • 8.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 21, 2023 10:21 AM
    I'll try to explain a few basic things.

    The problem you are experiencing is called radius authentication with cascaded switch.
    You have a switch with port authentication enabled, to this switch you need to connect another switch that also does authentication. The problem has nothing directly to do with clearpass and would happen with any other authentication server.

    The ports over which the interswitch link is established require special configuration.
    scenario 1
    Authentication is disabled on the downlink port in the mainswitch.
    Authentication is deactivated on the uplink port in the second switch.
    scenario 2
    At the downlink port in the mainswitch autentification is activated, the port does dot1x autentification and is in port-based mode.
    Suplicant is enabled on the uplink port in the second switch.
    scenario 3
    At the downlink port in the mainswitch autentification is enabled, the port does mac-address autentification and is in port-based mode.
    At the uplink port in the second switch, autentification is deactivated.

    Port-based mode is important and means that the first authentication-request open the port, all authentication-requests arriving at this port after that are allowed through without authentication. This avoids double authentication on the access port of the second switch and on the downlink port in the mainswitch. This is not a security problem because the clients have already authenticated themselves on the second switch.

    You just have to make sure that the second-switch always logs in first. It works easy if you configure the uplink as suplicant. As soon as the uplink goes up, the sitch snds the configured username and password. With mac-auth you can happen that an auth-request from the endpoint arrives first at the main-switch. Then everything becomes a matter of luck.



    The uplink port in the second-switch must be configured accordingly. It may then only be connected via this port.

    The question is, how do you reconfigure the currently used downlink port in the mainswitch to port-based-based mode? You additionally have to reconfigure the previously used port back to user-based mode. You can do this manually, but it is not very practical.

    You can switch authentication mode to port-based mode with a VSA, this would only apply for the session duration, just like VLAN tagging. You can disable the unused authentication protocol by setting the client limit for this type to 0. As soon as the port goes down, it will fall back to the configured authentication mode.

    You don't have to send this VSA on every authentication, but only when the second-switch authenticates.

    So in your use-case you have to do the following:
    As you describe your use-case, scenario 1 is out of the question, you have to decide between scenario 2 and 3, depending on whether the main switch uses dot1.x, mac-auth or dot1.x with fallback to mac-auth. That means you configure the supplicant on the uplink in the second-switch at dot1.x and use any user that can authenticate against an auth-src in ClearPass. Or you do mac-auth and use the mac-address from the second-switch. For the switch authentication you have to create an appropriate enforcement profile in which you set the auth-mode to port-based mode and disable unused authentication.

    For example, this profile sets the port-mode for dot1.x authentication to port-based and disables mac-auth.



    If you tag VLANs dynamically you can use it in this profile as well. VLAN tagging is not directly related to authentication. You can enable port authentication and statically tag VLANs on all ports. But dynamic tagging makes your life easier.

    Good luck

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    ------------------------------



  • 9.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 23, 2023 01:34 PM
    Hi Waldemar,

    Thank you for providing that in depth guide for me to follow. Currently I am working on getting the supplicant port setup on the 2530 switch. I have the requests hitting my clearpass server but now I receive an error when attempting to authenticate through EAP-PEAP.
    I do believe that my Aruba 2530 does support EAP-PEAP but for some reason ClearPass is rejecting it. In the logs I can see the radius server checking for the AD account, but once it finds that account it sends the Access-Challenge and then errors out.
    2023-01-23 12:19:50,416 ERROR RadiusServer.Radius - rlm_eap: Client doesn't support any method that we require. Rejecting client.​


    The 2530 switch should be setup correctly to authenticate with ClearPass, below is part of the config on the 2530 switch with the supplicant port.

    aaa authentication port-access eap-radius
    aaa port-access authenticator eap-id-compliance
    aaa port-access authenticator active
    aaa port-access supplicant 26
    aaa port-access supplicant 26 identity "CITY\testaccount"
    



  • 10.  RE: Enabling Clearpass on an Uplink Port

    Posted Jan 24, 2023 06:18 AM
    Hi milesv,

    the switch supplicant does eap-md5 authentication, you have to extend the service with the authentication method [EAP MD5].

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 11.  RE: Enabling Clearpass on an Uplink Port

    Posted Dec 01, 2023 04:14 PM

    Hello Waldemar,

    Very sorry to dig up this old thread but I'm still facing issues with this. I have things working properly except when the 2530 switch authenticates itself. It authenticates the mac address just fine, however the user account I created for the supplicant port seems to authenticate every minute. The authentication is accepted, but the switch seems to keep submitting the request to clearpass anyway. Any idea what might be causing this?