Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Basic setup for 2930F and ClearPass

  • 1.  Basic setup for 2930F and ClearPass

    Posted Feb 13, 2020 10:18 AM

    Hello,

    Does somebody have a how-to for setting up 802.1X ClearPass authentication on a 2930F?

    At this time we are just trying to see a RADIUS query in the ClearPass log, but we have nothing.

    The switch is running version 16.10.03

    Thank you

    Michel



  • 2.  RE: Basic setup for 2930F and ClearPass

    MVP EXPERT
    Posted Feb 13, 2020 11:09 AM

    Have you followed the below? It's an excellent video and shows you how to configure accordingly. Have you checked the event viewer and confirmed the NAD details of the switch are correct?

     

    *EDIT - Would help if I added the link  

     

    https://www.youtube.com/watch?v=GWgfHCkDHMM&t=29s



  • 3.  RE: Basic setup for 2930F and ClearPass

    Posted Feb 13, 2020 11:12 AM

    Can you please send me the link to show the video?

    Thank you

    Michel



  • 4.  RE: Basic setup for 2930F and ClearPass

    Posted Feb 13, 2020 11:36 AM

    We followed this video

    But it doesn't work

    Perhaps the problem is linked to the fact that on the ClearPass VM we have only connected the management interface

    Do we need to make it work using the data port?

    Michel



  • 5.  RE: Basic setup for 2930F and ClearPass

    MVP EXPERT
    Posted Feb 13, 2020 11:39 AM

    You should ensure that the VM NICs are connected; you do not need an IP on the data interface if you are not using it. Have you checked the event log for any NAD errors?



  • 6.  RE: Basic setup for 2930F and ClearPass

    EMPLOYEE
    Posted Feb 14, 2020 03:59 AM

    Can you share what you see in Access Tracker when the request comes in to ClearPass?

    Does it show up in Access Tracker?

    Does it match the correct (expected) service?

    Does the authentication succeed?

    What is the enforcement returned?

     

    In case you prefer not to share that information in a public forum like this, please work with Aruba Support.

     

    I typically only use the management port on ClearPass and disable the data port by not putting any IP on it. The data port should be used only in cases where you absolutely need it and understand exactly how it works. So there is no need to configure the data port in your case.



  • 7.  RE: Basic setup for 2930F and ClearPass

    Posted Feb 27, 2020 05:34 AM

    Hello,

    I am back at the end customer today

    We set up a dedicated network for the switch management: 10.100.100.0/24

    The switch is using 10.100.100.45 and the ClearPass data port is set up with 10.100.100.1

    The switch config is:

    LABO_CLEARPASS# sh run

    Running configuration:

    ; JL356A Configuration Editor; Created on release #YC.16.10.0003
    ; Ver #14:27.44.38.04.99.03.b3.b8.ef.74.61.fc.68.f3.8c.fc.e3.ff.37.2f:33

    hostname "LABO_CLEARPASS"
    module 1 type jl356a
    radius-server host 10.100.100.1 key "Azerty123"
    radius-server host 10.100.100.1 dyn-authorization
    timesync sntp
    sntp unicast
    sntp server priority 1 134.59.1.5
    time daylight-time-rule western-europe
    time timezone 60
    ip default-gateway 172.17.66.254
    snmp-server community "public" unrestricted
    aaa server-group radius "clearpass" host 10.100.100.1
    aaa authentication rest login radius
    aaa authentication rest enable radius
    aaa port-access authenticator 23-24
    aaa port-access authenticator 23 auth-vid 1
    aaa port-access authenticator 23 unauth-vid 3
    aaa port-access authenticator 23 client-limit 3
    aaa port-access authenticator 24 auth-vid 1
    aaa port-access authenticator 24 unauth-vid 3
    aaa port-access authenticator 24 client-limit 3
    aaa port-access authenticator active
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-28
       ip address 172.17.64.45 255.255.0.0
       ipv6 enable
       ipv6 address dhcp full
       exit
    vlan 3
       name "Poubelle"
       no ip address
       exit
    vlan 500
       name "MGNT-SWITCH"
       tagged 2
       ip address 10.100.100.45 255.255.255.0
       exit

    LABO_CLEARPASS#

     

    Nothing in the Access Tracker, but I think I have a problem with the switch configuration because I only see this:

    ABO_CLEARPASS# sh radius authentication

    Status and Counters - RADIUS Authentication Information

    NAS Identifier : LABO_CLEARPASS
    Invalid Server Addresses : 0
                    UDP
    Server IP Addr  Port  Timeouts   Requests   Challenges Accepts    Rejects
    --------------- ----- ---------- ---------- ---------- ---------- ----------
    10.100.100.1    1812  0          0          0          0          0

    Michel

     



  • 8.  RE: Basic setup for 2930F and ClearPass

    EMPLOYEE
    Posted Feb 27, 2020 05:42 AM

    A quick view shows that you didn't enable RADIUS for the network authentication. So the switch will not even send the RADIUS requests.

     

    Please check the ClearPass Solution Guide for Wired Policy Enforcement for the different scenarios and required configuration:

    Screen Shot 2020-02-27 at 11.39.18.png



  • 9.  RE: Basic setup for 2930F and ClearPass

    Posted Feb 27, 2020 06:05 AM

    Not better with this setting:

     

    LABO_CLEARPASS# sh run

    Running configuration:

    ; JL356A Configuration Editor; Created on release #YC.16.10.0003
    ; Ver #14:27.44.38.04.99.03.b3.b8.ef.74.61.fc.68.f3.8c.fc.e3.ff.37.2f:33

    hostname "LABO_CLEARPASS"
    module 1 type jl356a
    radius-server host 10.100.100.1 key "Azerty123"
    radius-server host 10.100.100.1 dyn-authorization
    timesync sntp
    sntp unicast
    sntp server priority 1 134.59.1.5
    time daylight-time-rule western-europe
    time timezone 60
    ip default-gateway 172.17.66.254
    snmp-server community "public" unrestricted
    aaa server-group radius "clearpass" host 10.100.100.1
    aaa accounting update periodic 5
    aaa accounting network start-stop radius server-group "clearpass"
    aaa authentication rest login radius server-group "clearpass"
    aaa authentication rest enable radius server-group "clearpass"
    aaa authentication port-access eap-radius server-group "clearpass"
    aaa authentication mac-based chap-radius server-group "clearpass"
    aaa port-access authenticator 23-24
    aaa port-access authenticator 23 auth-vid 1
    aaa port-access authenticator 23 unauth-vid 3
    aaa port-access authenticator 23 client-limit 3
    aaa port-access authenticator 24 auth-vid 1
    aaa port-access authenticator 24 unauth-vid 3
    aaa port-access authenticator 24 client-limit 3
    aaa port-access authenticator active
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-28
       ip address 172.17.64.45 255.255.0.0
       ipv6 enable
       ipv6 address dhcp full
       exit
    vlan 3
       name "Poubelle"
       no ip address
       exit
    vlan 500
       name "MGNT-SWITCH"
       tagged 2
       ip address 10.100.100.45 255.255.255.0
       exit

    LABO_CLEARPASS#
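
The gap pointed out in reply 8 (802.1X ports enabled, but no RADIUS method set for port-access authentication) can be checked mechanically against a saved running-config. This is an added example, not part of the original thread or any Aruba tooling; the function name and the trimmed sample configs are constructed, and the shared secret is replaced by a placeholder.

```python
import re

# Constructed samples, trimmed from the two running-configs posted in the thread
# (shared secret replaced by a placeholder).
BASE = '''radius-server host 10.100.100.1 key "<shared-secret>"
aaa server-group radius "clearpass" host 10.100.100.1
aaa authentication rest login radius
aaa port-access authenticator 23-24
aaa port-access authenticator 23 auth-vid 1
aaa port-access authenticator active
'''
FIXED = BASE + 'aaa authentication port-access eap-radius server-group "clearpass"\n'


def check_dot1x_radius(config):
    """Return findings that explain why 802.1X would generate no RADIUS traffic."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    hosts = {m.group(1) for l in lines
             if (m := re.match(r"radius-server host (\S+)", l))}
    groups = {}
    for l in lines:
        if (m := re.match(r'aaa server-group radius "([^"]+)" host (\S+)', l)):
            groups.setdefault(m.group(1), set()).add(m.group(2))
    # "aaa port-access authenticator 23-24" enables 802.1X on the listed ports.
    dot1x_ports = any(re.fullmatch(r"aaa port-access authenticator [\d,\-]+", l)
                      for l in lines)
    method = next((l for l in lines
                   if l.startswith("aaa authentication port-access ")), None)
    if not hosts:
        findings.append("no radius-server host defined")
    if dot1x_ports and "aaa port-access authenticator active" not in lines:
        findings.append("authenticator ports set but 802.1X not globally active")
    if dot1x_ports and (method is None or "radius" not in method):
        findings.append("no 'aaa authentication port-access eap-radius' line")
    elif method and (g := re.search(r'server-group "([^"]+)"', method)):
        members = groups.get(g.group(1))
        if members is None:
            findings.append(f"server-group {g.group(1)!r} is not defined")
        elif not members <= hosts:
            findings.append(f"server-group {g.group(1)!r} lists an unknown host")
    return findings


if __name__ == "__main__":
    print("before:", check_dot1x_radius(BASE))
    print("after: ", check_dot1x_radius(FIXED))
```

An empty result only means the switch side is consistent; as the last post in the thread shows, the Requests counter also stays at 0 when the connected client has no 802.1X supplicant enabled.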



  • 10.  RE: Basic setup for 2930F and ClearPass

    MVP EXPERT
    Posted Mar 02, 2020 04:30 AM

    Can we just check your ports are correctly configured for 802.1X as well?

     

    #show port-access config



  • 11.  RE: Basic setup for 2930F and ClearPass

    Posted Mar 02, 2020 03:55 PM

    Hello,

    The problem was just that the computer we use didn't have 802.1X activated

    We missed checking this simple point

    Thanks for your help

    Michel