Security

Reply
Frequent Contributor I

Clearpass profiling bridged access points

Hi,

 

For a customer I'm trying to figure out the following.

 

The idea is automatice configuration of HP switches by profiling the devices and assign vlans through policies. I used a guide I found here. Most of it works great but I encountered something I'm not able to figure out.

 

Customer uses locally bridging access points. They are profiling fine and the switchport receives the propper tagged and untagged vlans

 

When a 802.1X client connects to the wifi, it gets authenticated by the wifi controller but the switch also does profiling. Even with a rule added to allow through roles [user authenticated] and [machine authenticated], the switchport won't open. The client doesn't receive a DHCP address and with a fixed address I cannot ping the gateway.

 

A new mac address connecting through wifi gets blocked by the switch altogether because the endpoint is not known and you can only set a single CoA action in the profiler.

 

It looks like the switchport won't open or the traffic is not receiving the right vlan tag. Show port-acces client details only shows the AP mac address, authentication type is mac-based.

 

I expected it to work the same like a VoIP phone where a wired device is connected to. the phone gets mac-based authentication and the wired client gets port-based authenticated.

 

I'm simulating this using a 7005 and a 105 in bridge mode in my lab. I'm using a 2930F version 16.03. vlans are tagged on uplinkport.

 

anyone got bridged AP profiling working?

 

ACDX#968, ACMP, ACCP
New Contributor

Re: Clearpass profiling bridged access points

Hi I have several customers complaining about this. Your options are limited:

To use 802.1X supplicant on the access point and set the hpe port to 802.1X port-based authentication. This works for role-based auth and standard auth. Not all AP vendors have DOT1X supplicants and you will need to upload the CA cert to AP for the CPPM RADIUS Cert.

 

or

 

Send back Attribute from ClearPass setting the port mode to Port-based mac-authentication - you can not use Role Based authentication for this. I do not know why the feature is not available for role-based authentication.

 

or

 

You can use Role-based authentication but you are restricted to 1 untagged VLAN and 1 tagged VLAN, but this is useless for customers locally bridging Access Points.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: