Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass wired policy enforcement

  • 1.  Clearpass wired policy enforcement

    Posted Jun 14, 2018 10:26 AM

    Hi community,


    I want to set up wired policy enforcement with switch user roles.

    We have an Aruba 2930f Switch with WC.16.05.0007 on it.


    We used the ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf to configure the switch and the CPPM server.

    CPPM version is 6.7.


    The user role download works fine on the switch.

    The Access Tracker shows a RADIUS Accept, but the account doesn't work properly.

    The client cannot connect to the network.


    The Access Tracker shows this output:

    [screenshots: 1.png, 2.png, 3.png]

    The switch shows this:

    [screenshot: 4.png]

    Does anyone have an idea how to fix this problem?


    Thanks



  • 2.  RE: Clearpass wired policy enforcement

    EMPLOYEE
    Posted Jun 14, 2018 10:31 AM
    Based on your screenshots, DUR is not in use. Does the role exist on the switch? Did you check show port-access clients?


  • 3.  RE: Clearpass wired policy enforcement

    Posted Jun 14, 2018 10:34 AM

    Yes, this role exists on the switch; the other roles are downloadable roles...

    [screenshot: 1.PNG]



  • 4.  RE: Clearpass wired policy enforcement

    EMPLOYEE
    Posted Jun 14, 2018 10:36 AM
    You’d need to debug datapath on the switch side. If the client is being assigned the role, then everything is working correctly with ClearPass.


  • 5.  RE: Clearpass wired policy enforcement

    Posted Jun 14, 2018 10:44 AM

    The switch shows this:

    [screenshot: 1.PNG]

    Can you send me the commands so I can show you the debug output?




  • 6.  RE: Clearpass wired policy enforcement

    Posted Jun 15, 2018 03:20 AM

    Hi Tim,


    I have seen that the instructions I configured things according to are from you.
    I started with the configuration on page 15; can it be that I left something important out beforehand?


    @all
    Could someone help with debugging the problem?
    How do I enable debugging?
    What do I have to watch out for?

    Thank you very much.



  • 7.  RE: Clearpass wired policy enforcement

    EMPLOYEE
    Posted Jun 15, 2018 09:56 AM

    If you need someone to troubleshoot with you, it is probably best to reach out to your Aruba partner or to Aruba support.


    In the case you have an error in the return attributes or in the role content, what I have seen a few times is that in the show port-access clients <port> detail, it says: rejected, no vlan. On how to troubleshoot that, I created a video: https://www.youtube.com/watch?v=IayTBrXVznE


    Key commands there on the switch are:

    debug destination session
    debug event

    If that doesn't give enough, you can, in addition, debug the following:

    debug security port-access
    debug security radius-server

    It is hard to tell what to look for as there is barely information in your reports. In my experience, watching these logs live as they come in, together with someone who has seen more of these logs is the most effective way to solve the issue. Reach out to your Aruba partner or Aruba TAC for such a live troubleshooting session if you can't make sense out of the debug logs.
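Two checks come up across this thread: does the Access-Accept actually carry a role attribute, and does that role exist on the switch (post 2 asks exactly this; post 7 points at errors in the return attributes and at "rejected, no vlan"). The script below is an added example for this thread, not code from the solution guide or from Aruba. It decodes the RADIUS attribute TLVs of an Access-Accept, pulls out Aruba-User-Role (Vendor-Specific, type 26, Vendor-Id 14823, vendor type 1) and the VLAN from Tunnel-Private-Group-ID (type 81), and compares the role against the list of roles present on the switch. The packets it builds and the switch role set are constructed here for the demonstration; in practice you would feed it the Access-Accept from a packet capture between ClearPass and the switch and the role names from show user-role.

```python
"""
Decode the return attributes of a RADIUS Access-Accept and check whether the
user role it names is one the switch actually has.  Added example for this
thread (not from the solution guide or from Aruba); packets and the switch
role list are constructed below.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1  # vendor type of Aruba-User-Role inside the VSA


def aruba_vsa(role):
    """Encode Aruba-User-Role as the value of a Vendor-Specific attribute."""
    value = role.encode()
    return struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(value)) + value


def build_accept(attrs, ident=1):
    """Build an Access-Accept from (type, value) pairs.  The Response
    Authenticator is left zeroed: this example inspects attributes only and
    does not verify the packet against the shared secret."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Walk the attribute TLVs and return (code, [(type, value), ...]).
    Lengths are checked so a truncated capture raises instead of yielding
    partial values."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vtype, vvalue), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor attribute length")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_accept(packet):
    """Return {'role': str|None, 'vlan': str|None} from an Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    result = {"role": None, "vlan": None}
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            if vendor_id == ARUBA_VENDOR_ID:
                for vtype, vvalue in subs:
                    if vtype == ARUBA_USER_ROLE:
                        result["role"] = vvalue.decode()
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tunnel tag, not data
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode()
    return result


def check_role(packet, switch_roles):
    """Compare the role ClearPass returned with the roles the switch has.
    switch_roles stands in for the output of 'show user-role'."""
    decoded = decode_accept(packet)
    role = decoded["role"]
    return {"role": role, "vlan": decoded["vlan"],
            "on_switch": role is not None and role in switch_roles}


if __name__ == "__main__":
    # Constructed Access-Accept naming a role the switch knows about
    accept = build_accept([(ATTR_VENDOR_SPECIFIC, aruba_vsa("employee"))])
    print(check_role(accept, {"employee", "guest"}))
```

If on_switch comes back False the role name in the ClearPass enforcement profile does not match a local role on the switch (check spelling and case); if role is None the Accept carried no Aruba-User-Role at all and the enforcement profile is not attached to the policy the request hit. A parse error on a real capture means the packet was truncated or the attribute lengths are inconsistent, which is worth raising with TAC together with the debug output from the commands above.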