New Contributor

First ClearPass installation: problems with wired mac authentication

Dear community,

 

today I had my first experience with Aruba ClearPass.

At first I would like to use a simple wired mac authentication configuration.

 

If an endpoint has a special attribute, e.g. "VOIP", it will receive a special VLAN and the session will be authenticated on the switch port.

 

I already created the roles, role mappings, profiles and a policy.

(screenshots: E1.PNG, E2.PNG, E3.PNG)

In the Access Tracker we can see that the client on the switch has been authenticated successfully and that the correct VLAN has been sent to the switch: Radius Response: "Radius:Aruba:Aruba-User-Vlan 230"

(screenshots: E4.PNG, E5.PNG)

 

But on the switch we do not see the correct VLAN. Only the following:

 

switch-stack-3# sh port-access 1/11 mac-based clients detailed

 Port Access MAC-Based Client Status Detailed

  Client Base Details :
   Port            : 1/11
   Client Status   : authenticated        Session Time    : 6 seconds
   MAC Address     : 805ec0-1b84d3        Session Timeout : 0 seconds
   IP              : n/a

  Access Policy Details :
   COS Map         : Not Defined          In Limit Kbps   : Not Set
   Untagged VLAN   : 1                    Out Limit Kbps  : Not Set
   Tagged VLANs    : No Tagged VLANs
   Port Mode       : 100FDx               Auth Mode       : User-based
   RADIUS ACL List : No Radius ACL List

   Auth Order      : Not Set
   Auth Priority   : Not Set
   LMA Fallback    : Disabled

 

The switch configuration looks like this:

 

switch-stack-3# sh run | inc radius
radius-server host 172.X.X.X key "secret"
radius-server host 172.X.X.X dyn-authorization
radius-server host 172.X.X.X time-window 600
aaa authentication port-access eap-radius

 

interface 1/11
untagged vlan 1
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
aaa port-access mac-based addr-moves
aaa port-access mac-based unauth-vid 999
exit

 

Does anybody have an idea what could be wrong?

 

Thanks and best regards

Alex

Occasional Contributor II

Re: First ClearPass installation: problems with wired mac authentication

Hi Alex

 

Which switches are you using here? When I last checked, even though HP have rebranded their switches as Aruba, you cannot use the Aruba VSAs to send back a VLAN.

 

Can you change your enforcement profile to return the IETF:Tunnel-Private-Group-ID with VLAN 250 instead? You may also need to add RADIUS:IETF:Tunnel-Type=VLAN and RADIUS:IETF:Tunnel-Medium-Type=IEEE802.

 

There is an excellent document that details a lot of this stuff here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17690
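
The attribute difference Dave describes, as an added example that is not from this thread and not Aruba or HP code: the script below encodes the two ways ClearPass can return a VLAN in an Access-Accept, the Aruba-User-Vlan VSA (Vendor-Specific, enterprise 14823, sub-type 2) and the RFC 2868/3580 trio Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID, then parses them back and applies the decision rule a standards-based wired switch uses. The rule in vlan_from_ietf_tunnel (honour Tunnel-Private-Group-ID only when the same tag group also carries the matching Tunnel-Type and Tunnel-Medium-Type, ignore everything else and stay on the port's static VLAN) is an assumption modelling the behaviour seen on the 2930F in the thread, not a transcription of the switch firmware. Standard library only; all attribute values are constructed here.

```python
"""Encode and interpret RADIUS VLAN-assignment attributes.

Added example, not from the thread or from Aruba. Shows why the IETF
Tunnel-* attributes place a port in the VLAN while the Aruba-User-Vlan
VSA is silently ignored on a switch that only understands RFC 3580.
"""
import struct
from typing import List, Optional, Tuple

# IETF attribute types (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802

ARUBA_VENDOR_ID = 14823     # IANA enterprise number for Aruba
ARUBA_USER_VLAN = 2         # Aruba-User-Vlan sub-type in the Aruba dictionary

Attrs = List[Tuple[int, bytes]]


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Tag(1) followed by a 24-bit value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def encode_ietf_vlan(vlan: int, tag: int = 0) -> bytes:
    """RADIUS:IETF VLAN assignment: the three attributes Dave lists."""
    return (
        _attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii"))
    )


def encode_aruba_user_vlan(vlan: int) -> bytes:
    """Aruba-User-Vlan as a Vendor-Specific attribute (RFC 2865 s.5.26):
    Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + integer(4)."""
    sub = struct.pack("!BB", ARUBA_USER_VLAN, 6) + struct.pack("!I", vlan)
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def parse_attributes(blob: bytes) -> Attrs:
    """Split a raw attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs: Attrs = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def aruba_vsas(attrs: Attrs) -> Attrs:
    """Sub-attributes carried inside Aruba (14823) Vendor-Specific attributes."""
    out: Attrs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if int.from_bytes(value[:4], "big") != ARUBA_VENDOR_ID:
            continue
        i = 4
        while i + 2 <= len(value):
            sub_type, sub_len = value[i], value[i + 1]
            if sub_len < 2 or i + sub_len > len(value):
                break
            out.append((sub_type, value[i + 2:i + sub_len]))
            i += sub_len
    return out


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868: the leading octet is a tag only if it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_ietf_tunnel(attrs: Attrs) -> Optional[int]:
    """Assumed switch rule (RFC 3580 s.3.31): accept Tunnel-Private-Group-ID
    only when the same tag group has Tunnel-Type=VLAN and
    Tunnel-Medium-Type=IEEE-802. VSAs and incomplete trios yield None."""
    tunnel_type, medium, group = {}, {}, {}
    for attr_type, value in attrs:
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, name = _split_tag(value)
            group[tag] = name
    for tag, name in group.items():
        if tunnel_type.get(tag) != TUNNEL_TYPE_VLAN:
            continue
        if medium.get(tag) != TUNNEL_MEDIUM_IEEE802:
            continue
        try:
            vlan = int(name.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue  # RFC 3580 also allows VLAN names; not modelled here
        if 1 <= vlan <= 4094:
            return vlan
    return None


def effective_vlan(accept_attrs: bytes, port_untagged_vlan: int = 1) -> int:
    """VLAN the port ends up in, i.e. 'Untagged VLAN' in the show output."""
    vlan = vlan_from_ietf_tunnel(parse_attributes(accept_attrs))
    return port_untagged_vlan if vlan is None else vlan


if __name__ == "__main__":
    print("Aruba-User-Vlan 230 ->", effective_vlan(encode_aruba_user_vlan(230)))
    print("IETF Tunnel-* 250  ->", effective_vlan(encode_ietf_vlan(250)))
```

With only the Aruba VSA the port stays in its static untagged VLAN 1, which is exactly what Alex's show output reports even though the Access Tracker shows a successful authentication. The parser also shows the VSA is well formed (aruba_vsas recovers sub-type 2 with value 230); the switch is not rejecting it, it simply never consults it. Sending the Tunnel-* trio with a consistent tag is the fix; sending Tunnel-Private-Group-ID alone is not enough, as the last check in the test shows.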

New Contributor

Re: First ClearPass installation: problems with wired mac authentication

Hi Dave!

 

Thanks for your feedback! That was exactly the problem. I use Aruba 2930F switches. But you are right, they are more HP than Aruba. :-)

 

After I switched to RADIUS:IETF everything worked properly.

 

The PDF is very nice! Thanks a lot!

 

Best Regards.
