Network Management

Does anyone have an example Cisco IOS configuration that is working for AirWave to be able to poll/retrieve connected client/device information such as MAC address?  We are able to see various Cisco 2960 information including whether interfaces are up or down, but it shows 0 clients and we cannot locate clients by IP or MAC that are connected to the switch.  Currently, AirWave has access to the switch via a v2c community string and the telnet/ssh and enable credentials.  Thanks!

Airwave does not provide wired CLIENT visibility on Cisco devices.  It does provide visibility for connected network components that are monitored in airwave and if the switch has CDP turned on, neighbor visibility.

Thanks for the reply.  So anyone with a Cisco network infrastructure needs to see this and understand it, because it is a deal breaker if you are considering AirWave to be able to monitor anything of substance on your Cisco wired side network.  I guess the name "Air" Wave ought to tell you that, but it was not clear to us, especially in what we heard from sales.

jwhitaker,

You should go back to sales and have it clarified what your needs are in specific and they should be able to tell you what it can and cannot do.  My comments are generalizations based on your question.

Understood - and this is surely as much our fault as anyone's for not getting into gritty detail, but we are a Cisco shop like many that look at Aruba, and the general questions around "can we manage our Cisco wired switches with ClearPass and AirWave" was answered with "yes".  And yes, I can point Cisco switches at ClearPass to do dot1x and MAB Mac Auth Bypass authentication, and it appears that I can even push IOS config to them, but if I can't see what clients are connected to those switches then AirWave most certainly is not a solution to replace Bradford or whatever else I might have. 

In the end, I'm sure that Aruba doesn't care that I have Cisco gear - they'd rather me buy it all again as Aruba gear.  But that can't happen anytime soon, and it makes little technical sense that AirWave can show Aruba wired switch client information but not Cisco, aside from the obvious.  If you want to get into the door at a Cisco shop, that would certainly be a good place to start.

I'd be curious to know what others are using to monitor clients on their Cisco switches alongside AirWave.

jwhitaker,

If you are not authenticating users on the wired port, I know that we cannot show those users.  Let me check to see if we have visibility if you are doing MAB.

Based on our testing, no - we've got MAC authenticated devices connected and don't see them in AirWave.  To clarify, they are devices registered on ClearPass Guest via MACTrac (we are using this for students to be able to register their personal devices) and the switch is hitting ClearPass to try dot1x and then fallback to MAB.  I will hook up a laptop to do dot1x and see if that makes a difference.  Thanks for digging!

While you are playing with this, be aware that even if you do not do DHCP snooping on

the ciscos there is another feature called "ip device tracking" which will build essentially

an IP user table from snooped IP traffic.  That will drop the IP address into RADIUS accounting

even for static hosts.  Never tried it but I think they might support accounting without auth.

We currently don't use Airwave for wired other than the hospitality ports on APs, even on Aruba

switches, so I can't guarantee that will be useful, but it might be worth a try.  Full-network visibility

is more an authentication-server thing for us.

Interesting... with ip device tracking on, I see the Cisco switch port in the RADIUS request to ClearPass in the Radius:IETF:NAS-Port-Id field.  But I do not see the IP address that the device currently holds anywhere in the ClearPass acccess tracker record.  I do see the IP of the switch sending the RADIUS request.  Would you expect to see the device's IP somewhere in the RADIUS request?

On the switch, I can do:

show mac address-table interface GigabitEthernet 0/1

to see the connect device's MAC address for port 0/1.  But something like:

show ip arp

does not return anything related to connected devices because this is an access layer switch that is not really layer 3 capable.

Jwhitaker,

Unfortunately, we do not support viewing wired users on Cisco switches.  I checked.

In the access tracker, if the client already had an ip address, the radius parameter would be the "Framed-ip-address" parameter in the radius query .  In 802.1x typically the client does NOT have an ip address, so that would be blank.  It is also quite possible that the switch is not sending it.

Thanks for digging and getting a definitive answer.

A "show ip device tracking all" command shows the entries.

Normally when using DHCP snooping plus MAB or dot1x the switch

will eventually send an interim accounting update with the IP address

in it, I seem to recall.  That may also apply to device tracking.

Not sure what it does without MAB or dot1x though.

bjulin,

Thanks for those comments.  Would radius accounting need to be enabled for "show ip device tracking"?  I would assume it would be needed for interim accounting updates.

I wouldn't think the show command would rely on an "aaa accounting" statement,

but I've never tried.

Certainly you'd need a "aaa accounting" statement to send any rad acct packets at all,

and probably you'd want  "aaa accounting dot1x" which does more than the name implies

(we use it for MAB).  I've never played with the other statements to see what they might do.

We've done the aaa statements as described by Aruba for integration with ClearPass, and we see dot1x and then fallback to MAB (MAC auth bypass) successfully occur depending on what type of device we connect.  All of that integration with ClearPass seems to work fine.  But it would be nice to be able to see connected device information in AirWave, which is how this thread got started.

I do not have dhcp snooping available, but do have ip device tracking on, and here's what I see:

cppm-test#show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------

Total number interfaces enabled: 1
Enabled interfaces:
Gi0/1

but I do not see any IP address information.  

Are you sure you are passing IP traffic up Gi0/1?

Yes - I have an AppleTV connected to it that did MAC auth to ClearPass to get connected to the switch.

Well, although I'm not entirely confident an AppleTV will use anything but multicast

junk on its own, and MAC auth does not necessarily require an addressed IP packet,

let's assume that's OK.

The only additional statement we have is the global "ip device tracking probe interval 60"

We do have a couple ports with "ip verify source tracking" but that should not matter.

Could be a version thing.  Cisco seems to love to break AAA features over and over again,

so you have to re-test them all every release.

Hooked up a laptop, same results - no IP information, but see the MAC as before.