02-04-2019 08:20 AM
Today I made my first experience with Aruba ClearPass.
At first I would like to use a simple wired mac authentication configuration.
If an endpoint has a special attribute, e.g. "VOIP", it will receive a special VLAN and the session will be authenticated on the switch port.
I already created the roles, role mappings, profiles and a policy.
In the Access Tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"
But on the switch we do not see the correct VLAN. Only the following:
switch-stack-3# sh port-access 1/11 mac-based clients detailed
Port Access MAC-Based Client Status Detailed
Client Base Details :
Port : 1/11
Client Status : authenticated Session Time : 6 seconds
MAC Address : 805ec0-1b84d3 Session Timeout : 0 seconds
IP : n/a
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 1 Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 100FDx Auth Mode : User-based
RADIUS ACL List : No Radius ACL List
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
The switch configuration looks like this:
switch-stack-3# sh run | inc radius
radius-server host 172.X.X.X key "secret"
radius-server host 172.X.X.X dyn-authorization
radius-server host 172.X.X.X time-window 600
aaa authentication port-access eap-radius
untagged vlan 1
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
aaa port-access mac-based addr-moves
aaa port-access mac-based unauth-vid 999
Does anybody have an idea what could be wrong?
Thanks and best regards
02-05-2019 07:36 AM
Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.
Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.
There is an excellent document that details a lot of this stuff here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17690
Re: First ClearPass installation: problems with wired mac authentication
02-05-2019 07:44 AM
Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)
After I switched to RADIUS:IETF everything worked properly.
The PDF is very nice! Thanks a lot!
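Added example (not part of the thread and not ClearPass or switch code): a small parser that checks whether a captured Access-Accept carries the standard IETF VLAN attributes suggested in the answer or only a vendor-specific attribute. The packets are constructed samples, the Aruba vendor id 14823 and VSA type 2 for Aruba-User-Vlan are assumptions, and requiring all three tunnel attributes follows RFC 3580 rather than anything stated in the thread.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, VENDOR_SPECIFIC = 64, 65, 81, 26
TT_VLAN, TMT_IEEE_802 = 13, 6          # values from RFC 2868 / RFC 3580

def attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20                            # skip code, id, length, authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def vlan_assignment(packet):
    """Return (ietf_vlan, vendor_ids): ietf_vlan is set only if the full
    Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triplet is present."""
    ttype = medium = pgid = None
    vendors = []
    for atype, value in attributes(packet):
        if atype == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")     # byte 0 is the tag
        elif atype == TUNNEL_MEDIUM and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PGID and value:
            if value[0] <= 0x1F:                         # optional tag byte
                value = value[1:]
            pgid = value.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendors.append(int.from_bytes(value[:4], "big"))
    ok = ttype == TT_VLAN and medium == TMT_IEEE_802 and pgid
    return (pgid if ok else None), vendors

def build_accept(attrs):
    """Constructed sample: Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed packets; vendor id 14823 and VSA type 2 are assumed for Aruba-User-Vlan.
VSA_ONLY = build_accept([(26, struct.pack("!IBBI", 14823, 2, 6, 230))])
IETF = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"),
                     (81, b"230")])

if __name__ == "__main__":
    print(vlan_assignment(VSA_ONLY))
    print(vlan_assignment(IETF))
```

A result of None for the VLAN together with a non-empty vendor list matches the symptom in the first post: the session authenticates, but a switch that only honours the IETF attributes leaves the port in its configured untagged VLAN.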