Contributor II

Magic Packets/WOL

Hello!

Anyone got any experience with WOL/Magic Packets on a ClearPass-managed network?

We find it useful to wake up the computers for updates etc.

Anyone got it to work well with ClearPass or any alternate ideas?

Contributor II

Re: Magic Packets/WOL

I think the solution is that it will not work on a CPPM management network.

New Contributor

Re: Magic Packets/WOL

As long as the port is open and you can send WOL packets, I don't really see the issue. How do you define a CPPM management network? Do you mean 802.1X?

Super Contributor I

Re: Magic Packets/WOL

Hi,

If you are using an HPE Aruba switch you can use a feature called mac-pin and controlled-direction in, so that even if the port de-auths (a PC in standby might), traffic from the server sending the WoL packet will be received by the PC and WoL should work.

Contact me if you need more info.

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Contributor II

Re: Magic Packets/WOL

Sounds right!

The Aruba guys were onsite yesterday and passed on the mac-pin technote.

I was using it for legacy purposes, but didn't think about using it for another purpose.

The downer is that only a few of our switches support 16.05 firmware; the majority are not supported anymore.

Thanks

Re: Magic Packets/WOL

If you don't have the MAC pinning feature, many switches (and I believe the ArubaOS switches do that as well) do authentication on inbound packets (that behavior may be configurable). If authentication/port authorization is dropped, they will fall back into the default port VLAN (as in the VLAN you configured on the interface).

You can leverage this behavior by sending the Wake-on-LAN packets via a directed broadcast into the VLAN that is your default VLAN. The client will receive the wake-up packet and power on; then, on the first packet sent, the authentication will trigger and the client will end up in the production VLAN/role.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
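The directed-broadcast approach described in the post above, as an added example that is not part of the original thread: it builds the magic packet (6 bytes of 0xFF followed by the target MAC repeated 16 times) and sends it over UDP to the broadcast address of the default VLAN's subnet. The MAC, the subnet and UDP port 9 are constructed sample values and assumptions, and the routed path must forward directed broadcasts for the packet to arrive.

```python
"""Added example: Wake-on-LAN magic packet sent as a directed broadcast."""
import ipaddress
import re
import socket

WOL_PORT = 9  # assumption: UDP "discard" port, a common WoL convention


def build_magic_packet(mac: str) -> bytes:
    """Return 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    hex_digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hex_digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(hex_digits) * 16


def directed_broadcast(subnet: str) -> str:
    """Return the broadcast address of an IPv4 subnet, e.g. the default port VLAN."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4 or net.prefixlen >= 31:
        raise ValueError(f"no usable IPv4 broadcast address for {subnet!r}")
    return str(net.broadcast_address)


def send_wol(mac: str, subnet: str, port: int = WOL_PORT, repeat: int = 3) -> str:
    """Send the magic packet to the subnet's directed broadcast; return that address."""
    packet = build_magic_packet(mac)
    dest = directed_broadcast(subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Needed when the sender sits inside the target subnet itself.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for _ in range(repeat):  # UDP is unreliable, so send a few copies
            sock.sendto(packet, (dest, port))
    return dest


if __name__ == "__main__":
    # Constructed sample values: replace with a real client MAC and the
    # subnet of the default (unauthenticated) port VLAN.
    print("sent to", send_wol("00:11:22:33:44:55", "192.0.2.0/24"))
```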
Contributor II

Re: Magic Packets/WOL

Thank you, that is interesting and useful.

ip directed-broadcast -apparently- allows WoL across VLANs on the HP switches.

and

aaa port-access <port-list> controlled-direction <both|in>

both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.

in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.

The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on an 802.1X-aware egress port until authentication occurs.

Something for me to try out :)

mkk
Contributor II

Re: Magic Packets/WOL

I tested this for a customer a couple of weeks ago.

aaa port-access ethernet 1/1-1/48 controlled-direction in

This works fine, but be sure that the default VLAN on the interfaces is that VLAN that's been used for WOL.

Contributor II

Re: Magic Packets/WOL

Yes

It does work. Just tried it on a switch.

(But only on some computers; there is a minefield of NIC drivers, Windows 10 settings and power options to enable on all of them, but that is another story.)

Super Contributor I

Re: Magic Packets/WOL

Hi all,

One thing to look at.

I have had devices that want to save energy by putting the NIC on 10FD in the WoL mode. Please change the setting to the value the device has when powered on (100-FD in most cases). Otherwise it could happen that when the device powers down it will change the port speed and the switch will have a port down/port up, and this can impact the authentication of the port, thus resulting in a re-auth of the port, which you don't want.

Hope it helps.

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744
