Wired Intelligent Edge

 View Only
  • 1.  Policy outbound

    Posted Feb 27, 2024 10:25 AM

    We are using Aruba CX 6000 / 6100 integration with clearpass

    Testing 802.1x authentication with some Network Camera. To deploy certs on the camera a remote server needs to https the camera.

    In a case where the new camera is connected to the sw the authentication will fail (no certificate available). For most of the other devices we are putting on a default vlan with limited access, but on this case the IP of the camera need to be configured on a static way on the server.

    With the Policies on the role, is it possible to apply a oubound rule ( to allow the server to connect the camera) or only a inbound rule? I tested with the any any on the class policy but no results.

    Are the port access Policies fully compatible with cx6100?

    Regards



  • 2.  RE: Policy outbound

    Posted Feb 28, 2024 07:07 AM

    The problem here probably is that the return traffic from the camera back to the remote server does not match the role/policy. You may use the established command, source port (which is 443 for the camera), or IP address of the remote server as destination, or better a combination of all to make this work. If there is a stateful firewall in between, just the remote-server's IP would suffice.

    ACLs on roles are typically inbound to the switch, so from camera (which is the authenticated device) towards the switch/rest of the network. Not sure if you can deploy outbound ACLs, but it is quite uncommon and the strategy above should allow you to make this work and lock down the access while allowing the needed traffic. Running a packet capture on the traffic that needs to be allowed (temporarily allow everything) may help to get the correct parameters (source port, destination IP, established flag for TCP).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------