Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to debug which traffic is denied of authenticated device by user-roles policy?

  • 1.  How to debug which traffic is denied of authenticated device by user-roles policy?

    Posted 19 days ago

    Hello community,

    Client has AOS-S 2530 switches through which printers are authenticated, and ClearPass returns the printers' local user role name. This printer user role has a policy with a few classes configured. There are some problems with those printers, and there is a need to understand what specific class or classes should be added to allow the printers to work correctly.

    Is there a way to debug which traffic is blocked by current user-role policy?

    Thank you for your support.



  • 2.  RE: How to debug which traffic is denied of authenticated device by user-roles policy?

    MVP
    Posted 16 days ago

    Sorry, I think I misunderstood what you were asking; I second Herman's comment.



  • 3.  RE: How to debug which traffic is denied of authenticated device by user-roles policy?
    Best Answer

    EMPLOYEE
    Posted 15 days ago

    You may add an ACL entry at the bottom with deny + log:

    sw01-12p(config-ext-nacl)# deny ip any any log

    That should send logs of denied traffic to the switch log and possibly to a configured syslog server. Not 100% sure if a 2530 supports this; the example is from a 2930F.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
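    Once a trailing deny + log entry is in place, the switch log (or the syslog server it feeds) becomes the record of everything the user role blocks, and the remaining work is to tally those lines so the missing classes stand out. The script below is an added example, not code from this thread or from HPE Aruba: it parses deny lines, counts them per protocol, destination and destination port (the granularity at which a permit class is written), and returns the most frequent ones. The sample lines and their field layout are constructed for illustration and are an assumption, not the verbatim ArubaOS-Switch message format; adjust LOG_RE to match the lines your switch actually emits.

```python
"""Tally ACL deny-log lines to see which flows a user-role policy blocks."""
import re
from collections import Counter

# Constructed sample log lines. The field layout is an ASSUMPTION made for
# this example, not the real ArubaOS-Switch ACL log format; one unrelated
# line is included to show that non-deny messages are ignored.
SAMPLE_LOG = """\
Jan 10 10:01:03 sw01 ACL: deny ip 10.20.30.41:49152 -> 10.20.1.5:9100 TCP
Jan 10 10:01:04 sw01 ACL: deny ip 10.20.30.41:49153 -> 10.20.1.5:9100 TCP
Jan 10 10:01:05 sw01 ACL: deny ip 10.20.30.42:3702 -> 239.255.255.250:3702 UDP
Jan 10 10:01:06 sw01 ACL: deny ip 10.20.30.41:52000 -> 10.20.1.7:631 TCP
Jan 10 10:01:07 sw01 ports: port 12 is now on-line
Jan 10 10:01:08 sw01 ACL: deny ip 10.20.30.41:49154 -> 10.20.1.5:9100 TCP
"""

# Adapt this pattern to the real message text produced by your switch.
LOG_RE = re.compile(
    r"ACL: deny ip (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)"
)


def parse_denies(text):
    """Return one dict (src, sport, dst, dport, proto) per parsable deny line."""
    flows = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match:
            flows.append(match.groupdict())
    return flows


def summarize(flows):
    """Count denied flows per (proto, dst, dport).

    That is the granularity at which a permit class is normally written,
    so repeated hits against one service show up as a single candidate.
    """
    return Counter((f["proto"], f["dst"], f["dport"]) for f in flows)


def top_denied(text, limit=5):
    """Most frequently denied (proto, dst, dport) tuples with hit counts."""
    return summarize(parse_denies(text)).most_common(limit)


if __name__ == "__main__":
    # Each row is a candidate for a permit class in the printer role.
    for (proto, dst, dport), hits in top_denied(SAMPLE_LOG):
        print(f"{hits:4d}  {proto} -> {dst}:{dport}")
```

    Run it against a syslog export taken while the printers are in use; a flow that appears only once may be noise, while one that repeats from several printers toward the same server and port is the class to add. The matching itself is the same idea the switch applies, so the output lists exactly what the role's final deny caught.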



  • 4.  RE: How to debug which traffic is denied of authenticated device by user-roles policy?

    Posted 14 days ago

    Thank you Herman, partner did your described approach, and it helped to identify which traffic was denied. Thank you.