Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Cisco switch integration

  • 1.  ClearPass and Cisco switch integration

    Posted Sep 11, 2016 06:21 AM

    We have a publisher and subscriber setup where the publisher is in the DC and the subscriber is in a branch office. They are connected over MPLS. The subscriber is the primary RADIUS server for all Cisco switches. The publisher IP address is also configured as a backup RADIUS server. However, we have seen some switches send RADIUS requests to the backup RADIUS server (publisher) even when the subscriber is up and running, which causes MPLS link utilization. Please help, here is the switch configuration.


    ip device tracking
    aaa new-model
    aaa authorization network default local group radius
    radius-server vsa send authentication
    radius-server host <CPPM IP> auth-port 1812 acct-port 1813 key <secret key>
    radius-server host <CPPM IP> key 7 <secret key>
    radius-server host <CPPM IP> key 7 <secret key>
    radius-server retry method reorder
    radius-server retransmit 3
    radius-server timeout 15
    radius-server deadtime 15
    aaa authentication dot1x default group radius local
    aaa authorization network default local group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    !
    aaa server radius dynamic-author
    client <CPPM IP> server-key <secret key>
    port 3799
    auth-type all
    !
    ip access-list extended CPG
    deny tcp any host <CPPM IP>
    permit tcp any any
    !
    interface GigabitEthernet1/0/12
    switchport access vlan <VLAN>
    switchport mode access
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 3
    dot1x max-reauth-req 2
    dot1x max-req 2
    dot1x timeout supp-timeout 20
    spanning-tree portfast
    !
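A small check for the failover-related settings in a config like the one above, written as an added example for this thread rather than anything from the original post or from HPE/Cisco. It parses the `radius-server` lines, reports the worst-case time the switch spends on one server before moving to the next (assuming `retransmit` counts retries after the first send), and flags settings worth looking at when traffic unexpectedly reaches the secondary; the sample addresses and keys are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: the RADIUS lines from the posted config, with the
# <CPPM IP> / <secret key> placeholders replaced by made-up values.
SAMPLE_CONFIG = """\
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key SECRET
radius-server host 10.2.2.10 key 7 0822455D0A16
radius-server retry method reorder
radius-server retransmit 3
radius-server timeout 15
radius-server deadtime 15
"""

# IOS defaults: timeout in seconds, retransmit count, deadtime in minutes.
DEFAULTS = {"timeout": 5, "retransmit": 3, "deadtime": 0}


def parse_radius_settings(config: str) -> Dict:
    """Extract the global radius-server settings that govern failover."""
    settings = {"hosts": [], "reorder": False, "dead_criteria": False, **DEFAULTS}
    for raw in config.splitlines():
        line = raw.strip()
        host = re.match(r"radius-server host (\S+)", line)
        if host:
            settings["hosts"].append(host.group(1))
            continue
        timer = re.match(r"radius-server (timeout|retransmit|deadtime) (\d+)$", line)
        if timer:
            settings[timer.group(1)] = int(timer.group(2))
        elif line == "radius-server retry method reorder":
            settings["reorder"] = True
        elif line.startswith("radius-server dead-criteria"):
            settings["dead_criteria"] = True
    return settings


def failover_findings(s: Dict) -> List[str]:
    """Return human-readable observations about how this switch fails over."""
    findings = []
    # Assumption: the initial request plus `retransmit` retries, each waiting `timeout` seconds.
    per_server_wait = s["timeout"] * (s["retransmit"] + 1)
    findings.append(f"worst-case wait on one server before trying the next: {per_server_wait}s")
    if s["reorder"]:
        findings.append("retry method reorder is set: after a failure the next server may be tried first")
    if s["deadtime"] > 0 and not s["dead_criteria"]:
        findings.append(f"deadtime {s['deadtime']} min without dead-criteria: default dead detection applies")
    if len(s["hosts"]) != len(set(s["hosts"])):
        findings.append("duplicate radius-server host entries")
    return findings
```

Run `failover_findings(parse_radius_settings(SAMPLE_CONFIG))` and compare the output with `debug radius` on the switch to see which of these conditions is actually triggering the move to the publisher.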



  • 2.  RE: ClearPass and Cisco switch integration

    EMPLOYEE
    Posted Sep 11, 2016 10:55 AM

    You first need to find out why the Cisco switch chooses to send information to the publisher.



  • 3.  RE: ClearPass and Cisco switch integration

    Posted Sep 12, 2016 01:37 AM

    Hi Joseph,

    Thanks for the reply.

    I suspect that the switch declares the primary server dead and so directs requests to the backup servers. Is there any way to check why it declares the primary server dead?

    Are the above configured timeout intervals OK?



  • 4.  RE: ClearPass and Cisco switch integration

    EMPLOYEE
    Posted Sep 12, 2016 05:47 AM

    Honestly, it depends on your network. To me that looks reliable enough, but the question is, what is the bandwidth on your circuit? You would have to look at debugging on the Cisco switch to determine why it is making that decision.