Added our 2930F Series switches to Airwave.

  • 1.  Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 02:58 AM

    But for some reason they don't show any connected clients in Airwave.

     

    My Airwave is currently set in Monitor-Only mode. Switches connected via SNMP v2 (don't think they support v3 yet)

     

    But if I look into my switches they also don't show me any clients connected. Am I missing something?

     

    Traffic shows up, just no clients...



  • 2.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:09 AM

    What version of software are the switches running? What version of Airwave? 

    Try a manual "poll now"; you can also try deleting the device and re-adding it. I've had Airwave get funky sometimes when adding devices.

    As a side note, the 2930F should support snmpv3 (although it shouldn't make a difference in this case).


     

     



  • 3.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:25 AM

    Heh so apparently they're not F-series but M-series...

    According to the data that Airwave's picking up;

     

    Aruba 2930M-48G-PoE+

    Firmware WC.16.07.0003 (ROM: WC.17.02.0006)

     

    Airwave is on the latest version 8.2.10.0

     

    Don't know if it matters but we're managing everything with Clearpass.

     

    But I think the issue is located at the switches themselves, when I look at them via the webgui, Security > Clients

    it's just saying

     

    "

    No Clients Connected
    Additional client information available when one or more clients are connected
    "


  • 4.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:47 AM

    Are you using user-roles? If so, does "show port-access clients" show anything?

    If not using user-roles, you can do show port-access <authenticator> or <mac-based>

    The other thing to check is if you have "ip client-tracker trusted" enabled in the config


    That hardware definitely supports snmpv3 (Again, shouldn't matter, just more of a FYI)

    snmpv3 enable
    snmpv3 user <username> auth <type> <password> priv <type> <password>
    snmpv3 group managerpriv user <username> sec-model ver3

     



  • 5.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 08:58 AM

    "Are you using user-roles?" No, I don't see any user-roles configured.

     

    "If not using user-roles, you can do show port-access <authenticator> or <mac-based>"

    We don't do mac-based auth on switch level, so I guess I'll need this <authenticator>-thing though I have no clue what that should be... 

     

    EDIT: hmm looks to me no authenticator is configured...

    show port-access authenticator

    gives me the following;

     

    Port-access authenticator activated [No] : No
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
    Use LLDP data to authenticate [No] : No

     

    "The other thing to check is if you have "ip client-tracker trusted" enabled in the config"

    It's there in the config alright, is "ip client-tracker trusted" enough? We also have "ip client-tracker probe-delay 270" but that seems rather harmless of a setting...



  • 6.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:21 AM

    I may be wrong (if so someone please correct me), but I thought clients would only show up if they get authenticated via port-access (either with user-roles, dot1x or mac auth).

    What does "show port-access summary" show?

    As a comparison, mine looks like this:

    [Screenshot: port-access.PNG]





  • 7.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:25 AM

    [Screenshot: none.png]

    Hmm so we need to set up port-access auth if we want to see some IPs showing up here... I think we only have VLANs configured in the switches and manage the rest of it via Clearpass. Though I hardly think there's any managing going on atm...



  • 8.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:35 AM

    That's showing that there isn't any authentication taking place on any of the ports. Is that intentional? You said these are managed by clearpass, so I would assume you want them doing RADIUS?

    I thought that the client list (in both airwave and the web GUI) would be empty unless some form of authentication took place. (I don't have any documentation to back that up, that's just what I've noticed and thought)



  • 9.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 10, 2019 09:47 AM

    Intentional? No idea, I can't see why we wouldn't want this. We hire consultants to come and configure this for us...

     

    show authentication gives me this;

     

    [Screenshot: auth.png]

     

    Your reaction leads me to believe that our switches are only configured for 1/3 or so... *sigh*



  • 10.  RE: Added our 2930F Series switches to Airwave.
    Best Answer

    Posted Dec 10, 2019 12:09 PM

    If you have clearpass, and you want it to authenticate the devices plugging in, then these are not configured fully.

    The first step is to make sure that clearpass is defined

     

    "show radius"

     

    that should show your Clearpass server IP(s)

    If they are in there, you should be able to run this command against a specific interface to turn on MAC Authentication

    aaa port-access mac-based <interface>

     

    Then if you plug a device in, it should show up in Clearpass, and hopefully, the client list.

    There's a great document on getting all that set up here

    *I did test with one of my switches, and a client doesn't show up in the security>clients list unless it did authentication - running version 16.08.0003*
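
An added example, not part of the original post or any poster's configuration: a small Python audit of a saved running-config that lists which ports actually enforce port-access authentication, the condition under which the poster above saw clients appear. The config excerpt is constructed; line forms other than "aaa port-access mac-based <interface>" and "snmpv3 enable" are assumed from ArubaOS-Switch syntax, and simple non-stacked port numbering is assumed.

```python
import re

# Constructed running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
hostname "example-2930M"
radius-server host 192.0.2.10 key "REDACTED"
ip client-tracker trusted
snmp-server community "public" unrestricted
aaa port-access mac-based 1-4,7
aaa port-access authenticator 9-12
"""

def expand_ports(spec):
    """Expand a port list such as '1-4,7' (non-stacked numbering assumed)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def ports_for(config, method):
    """Collect ports from every 'aaa port-access <method> <port-list>' line."""
    found = set()
    pattern = rf"^\s*aaa port-access {method} (\d[\d,\-]*)\s*$"
    for m in re.finditer(pattern, config, re.M):
        found |= expand_ports(m.group(1))
    return found

def audit(config, total_ports=48):
    """Summarise which ports can ever report an authenticated client."""
    mac = ports_for(config, "mac-based")
    dot1x = ports_for(config, "authenticator")
    # 802.1X port settings are inert until the authenticator is activated,
    # which is what "Port-access authenticator activated [No] : No" reports.
    dot1x_active = bool(
        re.search(r"^\s*aaa port-access authenticator active\s*$", config, re.M))
    enforcing = mac | (dot1x if dot1x_active else set())
    return {
        "radius_servers": re.findall(r"^\s*radius-server host (\S+)", config, re.M),
        "enforcing_ports": sorted(enforcing),
        "open_ports": sorted(set(range(1, total_ports + 1)) - enforcing),
        "dot1x_configured_but_inactive": bool(dot1x) and not dot1x_active,
        "snmpv3_enabled": bool(re.search(r"^\s*snmpv3 enable\s*$", config, re.M)),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Uplink and trunk ports will normally appear under open_ports by design, so review that list against the intended access-port range rather than treating every entry as a gap.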



  • 11.  RE: Added our 2930F Series switches to Airwave.

    Posted Dec 11, 2019 11:29 AM

    Had a talk with my colleague about this, apparently this setup is intentional and indeed as long as we don't set up NAC we won't be able to identify clients... So this ends up on our todo-list... 2020?

     

    Thanks again for the info.