Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAS IP shown at clearpass is in the wrong order

  • 1.  NAS IP shown at clearpass is in the wrong order

    Posted Dec 21, 2018 03:32 AM
    Hello, 
     
    The NAS IP address sent in the RADIUS request is flipped at the ClearPass server. Say my NAS IP is 1.2.3.4; then on ClearPass I'm seeing the following error: unknown client 4.3.2.1. I confirmed with tcpdump that the NAS IP is 1.2.3.4, but somehow ClearPass is changing the order.
     
    Any idea how I can fix this?
     
    Thanks
    Ali


  • 2.  RE: NAS IP shown at clearpass is in the wrong order

    EMPLOYEE
    Posted Dec 21, 2018 04:35 AM

    Check whether the shared secret configured on ClearPass matches the one on the controller, and also check whether you have configured the management or data port IP of CPPM in the controller.



  • 3.  RE: NAS IP shown at clearpass is in the wrong order

    Posted Dec 21, 2018 05:16 AM

    Hello Pavan, 

     

    Thanks for the reply,

     

    I have set the secret key correctly, I just double-checked, and the IP configured is the Management port IP.

    It's a little strange, so let me explain a little.

     

    I have two services set up on CPPM, one for dot1x and one for MAC authentication. My tests show that I need to flip the NAS IP for dot1x authentication, whereas for MAC authentication I don't need to flip it.

     

    By the way, I am testing a new switch model with CPPM. It's from Pica8, the model is as4610_30t, running PicOS. It's a gigabit Ethernet switch with dot1x and MAC authentication support.

     

    The authentication seems to go through fine and I'm also getting the desired dynamic VLAN ID passed to the switch in the RADIUS reply; it's just that the NAS IP is displayed incorrectly for dot1x authentications.

     

    Thank You again.



  • 4.  RE: NAS IP shown at clearpass is in the wrong order

    EMPLOYEE
    Posted Dec 22, 2018 11:44 AM

    Please open a case with the switch manufacturer. It would seem that they have an endianness issue where they might be flipping the order of the IP address. A packet capture between the switch and the ClearPass server would allow us to understand if it is indeed the switch or ClearPass that is flipping the IP address.



  • 5.  RE: NAS IP shown at clearpass is in the wrong order

    Posted Dec 23, 2018 09:57 PM

     

    Like I said in my previous mail, I have two services, one for dot1x and one for MAB.

    For dot1x authentications I noticed the following.

    I did a tcpdump on the switch and found the NAS IP is 10.10.51.141, but on ClearPass the log shows the following:

    For MAC authentication I noticed the following:

    I did a tcpdump and again noticed the NAS IP to be 10.10.51.141; ClearPass also shows the NAS IP to be 10.10.51.141. So no issue for MAC authentication.

    Attached are the logs for both dot1x and MAC auth.

     

     

    I tried to attach pcap files but it seems files with this extension are not allowed?

     

    It appears to me that this is a ClearPass issue, because the packet capture shows the NAS IP to be 10.10.51.141 for both dot1x and MAC auth, but on ClearPass it's displayed as 141.51.10.10 only for dot1x.

    I have added the device as 10.10.51.141, and that's the switch IP.

     

    Can you please suggest any possible cause?

     

    Thanks

     

     

    Attachment(s)

    txt
    mac-auth.txt   13 KB 1 version
    txt
    dot1x-auth.txt   36 KB 1 version


  • 6.  RE: NAS IP shown at clearpass is in the wrong order
    Best Answer

    EMPLOYEE
    Posted Dec 24, 2018 02:47 AM

    You should open a TAC case to get that figured out.

    EDIT:  As you know, others are also free to weigh in here, and no, it doesn't look right.



  • 7.  RE: NAS IP shown at clearpass is in the wrong order

    Posted Dec 24, 2018 06:10 AM

    I'm sorry to have caused this confusion. ClearPass is in the clear here; it was the switch problem. It was sending the NAS IP in the wrong order, but strangely it would do so only sometimes; other times the IP was in the correct order. I've reported this issue to the switch vendor and it should be fixed soon. Many thanks to everyone.

    Happy Holidays!