Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to debug which traffic from an authenticated device is denied by the user-role policy?

  • 1.  How to debug which traffic from an authenticated device is denied by the user-role policy?

    Posted May 24, 2024 10:08 AM

    Hello community,

    The client has AOS-S 2530 switches through which printers are authenticated, and ClearPass returns the printers' local user role name. This printer user role has a policy with a few classes configured. There are some problems with those printers, and there is a need to understand which specific class or classes should be added to allow the printers to work correctly.

    Is there a way to debug which traffic is blocked by current user-role policy?

    Thank you for your support.



  • 2.  RE: How to debug which traffic from an authenticated device is denied by the user-role policy?

    MVP
    Posted May 27, 2024 07:54 AM

    Sorry I think I misunderstood what you were asking, I second Herman's comment.



  • 3.  RE: How to debug which traffic from an authenticated device is denied by the user-role policy?
    Best Answer

    EMPLOYEE
    Posted May 28, 2024 10:24 AM

    You may add an ACL entry at the bottom with deny + log:

    sw01-12p(config-ext-nacl)# deny ip any any log

    That should send logs of denied traffic to the switch log and possibly to a configured syslog server. Not 100% sure if a 2530 supports this; the example is from a 2930F.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
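Once the deny-with-log entry is in place, the switch log fills with one line per dropped packet, and the useful step is to aggregate those lines by protocol and destination so the missing classes stand out. The script below is an added example, not from the thread or from HPE Aruba: the syslog message format and the sample lines are constructed assumptions, so the regular expression must be adapted to what the switch actually emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real switch output). The message
# layout is an assumption for this example; adjust DENY_RE to match what
# your AOS-S switch actually sends once "deny ip any any log" is added.
SAMPLE_LOG = """\
May 28 10:31:02 sw01-12p ACL: denied tcp 10.20.5.17(49152) -> 10.1.1.10(9100) on port 12
May 28 10:31:03 sw01-12p ACL: denied tcp 10.20.5.17(49153) -> 10.1.1.10(9100) on port 12
May 28 10:31:09 sw01-12p ACL: denied udp 10.20.5.17(50555) -> 10.1.1.5(53) on port 12
May 28 10:31:15 sw01-12p ACL: denied tcp 10.20.5.18(50001) -> 10.1.1.20(443) on port 14
May 28 10:31:20 sw01-12p ports: port 3 is now on-line
"""

DENY_RE = re.compile(
    r"ACL: denied (?P<proto>tcp|udp|icmp) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\) on port (?P<swport>\d+)"
)


def denied_flows(log_text):
    """Count logged denies per (proto, dst, dport); non-ACL lines are ignored.

    Source ports are ephemeral, so they are dropped: what decides a new
    class is the protocol and destination the printer was trying to reach.
    """
    flows = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            flows[(m["proto"], m["dst"], int(m["dport"]))] += 1
    return flows


def review_summary(flows):
    """Most-hit denied destinations first, as strings for the change review."""
    ranked = sorted(flows.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%s %s:%d (%d hit(s))" % (p, d, dp, n) for (p, d, dp), n in ranked]


if __name__ == "__main__":
    for entry in review_summary(denied_flows(SAMPLE_LOG)):
        print(entry)
```

Each summary line is one candidate for a permit class in the printer role; whether a destination belongs there is still a decision for the administrator, not something the log alone can answer.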



  • 4.  RE: How to debug which traffic from an authenticated device is denied by the user-role policy?

    Posted May 29, 2024 08:18 AM

    Thank you Herman, the partner followed the approach you described, and it helped to identify which traffic was denied. Thank you.