Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Uploading CX fingerprints to cppm via RADIUS Accounting packets

This thread has been viewed 9 times
  • 1.  Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 07:52 AM

    When i wssn upgrading cppm to one of mthe 6.11 releases ( cant remember which) , the changes window said that this version of cppm supported device fingerpint upload from CX 10.13.x via radius accounting packets. I've now got 2 CX6300 switches running 10.13.1000 and want to try this out.

    Been looking through the CX 10.13 security  doc .. can find bits about device fingerprinting but nothing on what to do to upload via radius accounting ....  release notes for 10.13.1000 dont show anything either

    is it in a section of the security guide that I've missed ?

    A



  • 2.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 08:11 AM

    never mind, found it. Page 701 in  10.13 security guide

    vsa vendor

    vsa vendor aruba type avpair group dfp-client-info {no} vsa vendor aruba type avpair group dfp-client-info

    Description

    This command enables AOS-CX integration with Aruba Clearpass by allowing the switch to send VendorSpecific Attributes (VSAs) for the Aruba vendor in RADIUS interim packets (such as accounting packets). Device fingerprints are sent to a ClearPass RADIUs server through accounting updates using ArubaAVPair(67) VSAs. When configured, device fingerprint information for an authenticated port-access client is obtained from protocols such as LLDP, DHCP, CDP, and HTTP and sent to RADIUS accounting interim packets.

    Examples

    The following command configures Clearpass integration using device fingerprinting information sent through RADIUS accounting updates.

    switch(config)# aaa radius-attribute group radius switch(config-radius-attr)#vsa vendor aruba type avpair group dfp-client-info




  • 3.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 09:04 AM

    Next question

    on our 2930 estate the firmware has a  nifty command to store the clearpass root CA locally. With CX 10.13.1000 i downloaded and installed the root cert manually ( this is what we originally had to do on the aruba-os-s estate but then the helpful command apeared)

    Luckily we dont have many  Client facing CX switches, so manual upload not an issue ... but further down the line it would be.

    Again have I missed a command  or do i currently have to cerate a ta-profile and then upload the cert ?

    A




  • 4.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    Posted Mar 06, 2024 07:35 AM

    When configuring a CX switch with CLI you have to do the TA profile manually as far as I know.

    My guess is that Aruba think you should do the config from Central and push the certificate this way. But I have actually not tested this.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 06, 2024 07:41 AM
    Yeah, just been doing this. We used to have to do that on the OS-S switches when DURs 1st came out then they provided a config cmd to let the switch pull it from a cppm server Guess that’ll appear in CX eventually.

    Good job we haven’t an estate of CX switches needing DURs
    A