Yeah, just been doing this. We used to have to do that on the OS-S switches when DURs 1st came out, then they provided a config cmd to let the switch pull it from a cppm server. Guess that’ll appear in CX eventually.
Original Message:
Sent: 3/6/2024 7:35:00 AM
From: jonas.hammarback
Subject: RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets
When configuring a CX switch with CLI you have to do the TA profile manually as far as I know.
My guess is that Aruba think you should do the config from Central and push the certificate this way. But I have actually not tested this.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Mar 01, 2024 09:04 AM
From: alexs-nd
Subject: Uploading CX fingerprints to cppm via RADIUS Accounting packets
Next question
On our 2930 estate the firmware has a nifty command to store the clearpass root CA locally. With CX 10.13.1000 I downloaded and installed the root cert manually (this is what we originally had to do on the aruba-os-s estate but then the helpful command appeared).
Luckily we don't have many client-facing CX switches, so manual upload is not an issue ... but further down the line it would be.
Again, have I missed a command or do I currently have to create a ta-profile and then upload the cert?
A
Original Message:
Sent: Mar 01, 2024 08:10 AM
From: alexs-nd
Subject: Uploading CX fingerprints to cppm via RADIUS Accounting packets
Never mind, found it. Page 701 in the 10.13 security guide:
vsa vendor
vsa vendor aruba type avpair group dfp-client-info
{no} vsa vendor aruba type avpair group dfp-client-info
Description
This command enables AOS-CX integration with Aruba Clearpass by allowing the switch to send Vendor-Specific Attributes (VSAs) for the Aruba vendor in RADIUS interim packets (such as accounting packets). Device fingerprints are sent to a ClearPass RADIUS server through accounting updates using ArubaAVPair(67) VSAs. When configured, device fingerprint information for an authenticated port-access client is obtained from protocols such as LLDP, DHCP, CDP, and HTTP and sent to RADIUS accounting interim packets.
Examples
The following command configures Clearpass integration using device fingerprinting information sent through RADIUS accounting updates.
switch(config)# aaa radius-attribute group radius
switch(config-radius-attr)# vsa vendor aruba type avpair group dfp-client-info
Original Message:
Sent: Mar 01, 2024 07:52 AM
From: alexs-nd
Subject: Uploading CX fingerprints to cppm via RADIUS Accounting packets
When I was upgrading cppm to one of the 6.11 releases (can't remember which), the changes window said that this version of cppm supported device fingerprint upload from CX 10.13.x via radius accounting packets. I've now got 2 CX6300 switches running 10.13.1000 and want to try this out.
Been looking through the CX 10.13 security doc ... can find bits about device fingerprinting but nothing on what to do to upload via radius accounting ... release notes for 10.13.1000 don't show anything either.
Is it in a section of the security guide that I've missed?
A