Frequent Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi!


Would be nice to have a list of switches that fully support this setup within the Aruba family. I've tested with 2920, but is 2530 also supported? 2540?


ACMP | ACCP
MVP Expert

Re: ClearPass Solution Guide: Wired Policy Enforcement


@Gonz wrote:

Hi!


Would be nice to have a list of switches that fully support this setup within the Aruba family. I've tested with 2920, but is 2530 also supported? 2540?


Yes, good idea.

No support of DUR on PPTN/PPUN for 2530 :(




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5

Re: ClearPass Solution Guide: Wired Policy Enforcement

Probably should be a separate thread. Was curious how much of a difference there is between IBNS 1.0 and IBNS 2.0 for Cisco (new area for both the wireless and wired team)? We're looking into moving to ClearPass for wired device registration (MAC Auth) for the Residence Halls with the use of dACLs. The majority of the Cisco access switches are running IOS-XE 3.06.06. Wasn't sure if it's best to configure with what the current tech note has (thank you for this document), IBNS 1.0, or if I should try to configure with IBNS 2.0?

I should also phrase that my question is assuming that IBNS 1.0 and IBNS 2.0 are separate "module versions"/deployment methods where one can be deployed over the other on IOS-XE (legacy support) - or is it more IBNS 2.0 replaces IBNS 1.0 fully on newer versions?

Guru Elite

Re: ClearPass Solution Guide: Wired Policy Enforcement

IBNS 2.0 is a new configuration model that provides if/then like functionality for port control.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Col
Occasional Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Hi Tim, I am trying Cisco Catalyst (IOS) Enforcement RADIUS-based Enforcement. My WIN10 wired client gets the redirect (ClearPass Guest URL + client MAC) in its browser but with certificate trust errors. The certificate that client is not trusting is the Cisco switch self signed cert. What do I need to do?
Col
Occasional Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Problem solved.

The first ACL statement on the Cisco switch must block the wired client from accessing the ClearPass captive portal (Guest). If you do not have that, then the wired client is able to talk directly to ClearPass. With the Cisco switch in the middle proxying the traffic you just end up in a weird HTTP redirect loop (HTTP 302).


This solution guide has the required config. Please don't miss the details like I did :)

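As an added illustration of the ordering point in the post above (this is a constructed example, not the solution guide's own config, and the ACL name and the 192.0.2.10 address are placeholders): in a Cisco IOS/IOS-XE url-redirect ACL a `deny` entry means "do not redirect, forward normally" and a `permit` entry means "intercept and redirect to the portal", so the ClearPass host is exempted first and only the remaining web traffic is sent to the captive portal.

```cisco
! Constructed example of a url-redirect ACL for IOS / IOS-XE (placeholders, not the guide's config).
! Semantics for this ACL type: deny = pass through untouched, permit = redirect to the portal URL.
ip access-list extended CP-WEBAUTH-REDIRECT
 remark First entry: traffic to the ClearPass portal itself must never be redirected
 remark (otherwise the portal request is intercepted again and the client loops on HTTP 302)
 deny   ip  any host 192.0.2.10
 remark Name resolution and address assignment pass through untouched
 deny   udp any any eq domain
 deny   udp any any eq bootps
 remark Everything else on HTTP/HTTPS is intercepted and redirected to the portal
 permit tcp any any eq www
 permit tcp any any eq 443
```

The ACL is then referenced by name from the RADIUS enforcement profile (the Cisco `url-redirect-acl` AV pair alongside `url-redirect`), so the switch applies it per session rather than on the port.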
Frequent Contributor I

Re: ClearPass Solution Guide: Wired Policy Enforcement

Do you guys know if layer 3 for the user vlan needs to live in the access switch for url-redirect to work? 2 years ago this was required on Cisco 2960X switches, which is not scalable in larger deployments as usually layer 3 is on the upstream core switches.
Thanks!
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Frequent Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

Yes, at least to be able to redirect the traffic on an ArubaOS Switch. It doesn't need to be the default gateway of the client though, so we've just set up a quarantine network where the switches have an IP and then the client gets a temporary IP. Works pretty well.


ACMP | ACCP
Frequent Contributor II

Re: ClearPass Solution Guide: Wired Policy Enforcement

The 2540 does seem to have trouble logging in the guest / changing to the guest VLAN after web registration in my labs. Anyone got the 2540 working? (The same config works fine for 2920 for me.)


ACMP | ACCP