New Contributor

First ClearPass installation: problems with wired mac authentication

Dear community,


Today I had my first experience with Aruba ClearPass.

At first I would like to use a simple wired mac authentication configuration.


If an endpoint has a special attribute, e.g. "VOIP", it will receive a special VLAN and the session will be authenticated on the switch port.


I already created the roles, role mappings, profiles and a policy.




In the Access Tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"



But on the switch we do not see the correct VLAN. Only the following:


switch-stack-3# sh port-access 1/11 mac-based clients detailed

Port Access MAC-Based Client Status Detailed

Client Base Details :
Port : 1/11
Client Status : authenticated Session Time : 6 seconds
MAC Address : 805ec0-1b84d3 Session Timeout : 0 seconds
IP : n/a

Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 1 Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 100FDx Auth Mode : User-based
RADIUS ACL List : No Radius ACL List

Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled


The switch configuration looks like this:


switch-stack-3# sh run | inc radius
radius-server host 172.X.X.X key "secret"
radius-server host 172.X.X.X dyn-authorization
radius-server host 172.X.X.X time-window 600
aaa authentication port-access eap-radius


interface 1/11
untagged vlan 1
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
aaa port-access mac-based addr-moves
aaa port-access mac-based unauth-vid 999


Does anybody have an idea what could be wrong?


Thanks and best regards


Occasional Contributor II

Re: First ClearPass installation: problems with wired mac authentication

Hi Alex


Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.


Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.


There is an excellent document that details a lot of this stuff here:

New Contributor

Re: First ClearPass installation: problems with wired mac authentication

Hi Dave!


Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)


After I switched to RADIUS:IETF everything worked properly.


The PDF is very nice! Thanks a lot!


Best Regards.
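
The fix described in this thread, as an added example that is not part of the original posts: a Python check that parses the attribute section of a RADIUS Access-Accept and reports which VLAN a switch honouring only the IETF tunnel attributes (RFC 3580) would apply. It treats all three tunnel attributes as required, and the sample replies, including the Aruba VSA bytes, are constructed.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868) and the values RFC 3580 uses for VLANs
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def vlan_assignment(blob):
    """Return (vlan, findings); vlan is None unless the full IETF triple is present."""
    tunnel_type = medium = vlan = None
    findings = []
    for atype, value in parse_attrs(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")  # first byte is the tag
            if atype == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            if 0 < value[0] <= 0x1F:                   # optional tag byte
                value = value[1:]
            vlan = value.decode("ascii")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            findings.append("VSA from vendor %d" % struct.unpack("!I", value[:4])[0])
    if tunnel_type != TT_VLAN:
        findings.append("Tunnel-Type is not VLAN")
    if medium != TMT_IEEE_802:
        findings.append("Tunnel-Medium-Type is not IEEE-802")
    if vlan is None:
        findings.append("Tunnel-Private-Group-ID missing")
    ok = tunnel_type == TT_VLAN and medium == TMT_IEEE_802 and vlan is not None
    return (vlan if ok else None), findings

# Constructed samples: a reply carrying only an Aruba VSA, and the IETF triple for VLAN 230.
VSA_ONLY = attr(VENDOR_SPECIFIC, struct.pack("!IBBI", 14823, 2, 6, 230))
IETF = (attr(TUNNEL_TYPE, struct.pack("!I", TT_VLAN))
        + attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TMT_IEEE_802))
        + attr(TUNNEL_PRIVATE_GROUP_ID, b"230"))
```

Run against a decoded Access-Accept from a packet capture, a `None` VLAN with a "VSA from vendor" finding matches the symptom above: authentication succeeds but the port stays in its untagged VLAN.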
