Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

First ClearPass installation: problems with wired mac authentication

  • 1.  First ClearPass installation: problems with wired mac authentication

    Posted Feb 04, 2019 11:20 AM

    Dear community,

    today I had my first experience with Aruba ClearPass.

    At first I would like to use a simple wired MAC authentication configuration.

    If an endpoint has a special attribute, e.g. "VOIP", it will receive a special VLAN and the session will be authenticated on the switch port.

    I already created the roles, role mappings, profiles and a policy.

    In the Access Tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"

    But on the switch we do not see the correct VLAN. Only the following:

    switch-stack-3# sh port-access 1/11 mac-based clients detailed

    Port Access MAC-Based Client Status Detailed

    Client Base Details :
    Port : 1/11
    Client Status : authenticated Session Time : 6 seconds
    MAC Address : 805ec0-1b84d3 Session Timeout : 0 seconds
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 1 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 100FDx Auth Mode : User-based
    RADIUS ACL List : No Radius ACL List

    Auth Order : Not Set
    Auth Priority : Not Set
    LMA Fallback : Disabled

    The switch configuration looks like this:

    switch-stack-3# sh run | inc radius
    radius-server host 172.X.X.X key "secret"
    radius-server host 172.X.X.X dyn-authorization
    radius-server host 172.X.X.X time-window 600
    aaa authentication port-access eap-radius

    interface 1/11
    untagged vlan 1
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    aaa port-access mac-based addr-moves
    aaa port-access mac-based unauth-vid 999
    exit

    Does anybody have an idea what could be wrong?

    Thanks and best regards

    Alex



  • 2.  RE: First ClearPass installation: problems with wired mac authentication
    Best Answer

    Posted Feb 05, 2019 10:37 AM

    Hi Alex

    Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.

    Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.

    There is an excellent document that details a lot of this stuff here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17690
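
As an added illustration of the point made in this reply (example code, not from the thread or from HPE Aruba), the Python below encodes both ways of returning a VLAN in a RADIUS Access-Accept, the Aruba-User-Vlan VSA that the original enforcement profile sent and the three IETF tunnel attributes from RFC 2868, and then models a switch that honours only the IETF form, so the VSA-only reply leaves the client authenticated but on the port's default VLAN. The Aruba vendor ID 14823 and sub-attribute number 2 are assumed from the public Aruba RADIUS dictionary; VLAN 230 is the value from the original post.

```python
import struct
# RADIUS attribute numbers from RFC 2865/2868. The Aruba VSA numbers are an
# assumption taken from the public Aruba dictionary (vendor 14823, sub-attr 2).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
ARUBA_VENDOR_ID, ARUBA_USER_VLAN = 14823, 2

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tagged_int(value, tag=0):  # RFC 2868 tagged integer: tag byte + 3-byte value
    return bytes([tag]) + struct.pack("!I", value)[1:]

def ietf_vlan_attrs(vlan):
    """The three IETF attributes the reply recommends for VLAN assignment."""
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan).encode()))

def aruba_vsa_vlan_attrs(vlan):
    """The Aruba-User-Vlan VSA that the original enforcement profile sent."""
    inner = avp(ARUBA_USER_VLAN, struct.pack("!I", vlan))
    return avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def parse_avps(data):
    """Yield (type, value) pairs from a concatenated attribute list."""
    pos = 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def switch_vlan(accept_attrs):
    """VLAN a switch that honours only the IETF tunnel attributes would apply, or
    None. An Aruba-User-Vlan VSA is skipped, which reproduces the thread's symptom."""
    found = {}
    for attr_type, value in parse_avps(accept_attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")  # drop tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = (value[1:] if value and value[0] < 0x20 else value).decode()
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        return int(found[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

Feeding `aruba_vsa_vlan_attrs(230)` to `switch_vlan` returns None, while `ietf_vlan_attrs(230)` returns 230; a Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type is also ignored, which is why the reply suggests adding all three.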



  • 3.  RE: First ClearPass installation: problems with wired mac authentication

    Posted Feb 05, 2019 10:45 AM

    Hi Dave!

    Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)

    After I switched to RADIUS:IETF everything worked properly.

    The PDF is very nice! Thanks a lot!

    Best Regards.