Security

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Aug 08, 2022 03:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

Right.

Ive configured as you told above. 

I think the problem is that the port bounce not happens.
I can not see any bounce

Original Message:
Sent: Aug 08, 2022 05:50 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 08, 2022 03:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?
Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?
Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 08, 2022 05:56 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Right.

Ive configured as you told above. 

I think the problem is that the port bounce not happens.
I can not see any bounce

Original Message:
Sent: Aug 08, 2022 05:50 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 08, 2022 03:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

Hi Herman !

Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?

No, its missing:

Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?

Yes, this is working fine 


Device on Port 1/1/3

...

Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.


Original Message:
Sent: Aug 08, 2022 09:07 AM
From: Herman Robers
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?
Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?
Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 08, 2022 05:56 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Right.

Ive configured as you told above. 

I think the problem is that the port bounce not happens.
I can not see any bounce

Original Message:
Sent: Aug 08, 2022 05:50 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 08, 2022 03:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks

In the first screenshot, Access Tracker, I don't see in Enforcement the [AOS-CX Bounce Switch Port] in the list, but it could be that it is just scrolled out of the window. Is it there?

BTW, regardless if it is there, or not, it may be best to open a case with support to run some interactive view through your policy/configuration to see what is wrong. Manual CoA works, so there is no good reason why an automatic CoA through the policy wouldn't work (provided the policy is triggered and you didn't by accident select a different enforcement policy that doesn't include the CoA).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 08, 2022 09:45 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi Herman !

Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?

No, its missing:

Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?

Yes, this is working fine 


Device on Port 1/1/3

...

Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.


Original Message:
Sent: Aug 08, 2022 09:07 AM
From: Herman Robers
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Can you see the 'RADIUS Dynamic Authorization' tab in Access Tracker for these clients?
Can you successfully do a (manual) 'Change Status' from Access Tracker and do the AOS-CX Bounce Switch port successfully?
Can you double-check that the Network Device (NAD) in ClearPass is set to vendor Aruba? If it is not, the AOS-CX - Bounce Switch Port will be ignored.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 08, 2022 05:56 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Right.

Ive configured as you told above. 

I think the problem is that the port bounce not happens.
I can not see any bounce

Original Message:
Sent: Aug 08, 2022 05:50 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

as i said earlier, the enforcement policy that runs the post auth update endpoint attribute to known, should be configured to run a switch port bounce enforcement profile.
The switch port bounce will force the client to reauth that generates a new auth session which should then match your condition for endpoint status = known.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 08, 2022 03:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hi ariyap,

ive tried the enforcement profile with setting the device to known in the endpoint db.

After editing the attribute nothing happens.

Do i miss something ?
Original Message:
Sent: Aug 05, 2022 07:07 AM
From: Ariya Parsamanesh
Subject: Trigger Enforcement after adding/editing Endpoint attribute

To be able to trigger an enforcement profile after you have updated an attribute in Endpoint db, you need to generate a new auth request.
You can do that by have a switch-port bounce in either enforcement policy or use profiler and trigger a specific classification with a port bounce.
Generally port bounce will cause the device to reconnect resulting in a new auth request.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Aug 05, 2022 04:41 AM
From: Dennis Werz
Subject: Trigger Enforcement after adding/editing Endpoint attribute

Hello Everyone,

We need to trigger enforcements after adding/editing the Endpoint attributes.

Is there an easy way or do we need to edit the whole process to profile our endpoints manualy ?

Currently clearpass is configured as following:

Switch Aruba 6100 - MAC Auth

Service:

Role Mapping:

Enforcement:

Thanks