Contributor I

NAS IP shown at clearpass is in the wrong order

Hello,

The NAS IP address sent in the RADIUS request is flipped at the ClearPass server. Say my NAS IP is 1.2.3.4; then on ClearPass I'm seeing the following error: unknown client 4.3.2.1. I confirmed with tcpdump that the NAS IP is 1.2.3.4, but somehow ClearPass is changing the order.

Any idea how I can fix this?
 
Thanks
Ali
MVP Guru

Re: NAS IP shown at clearpass is in the wrong order

Check if the shared secret configured on ClearPass matches the controller, and also check whether you have configured the management or data port IP of CPPM in the controller?

Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: NAS IP shown at clearpass is in the wrong order

Hello Pavan,

Thanks for the reply,

I have set the secret key correctly, I just double checked, and the IP configured is the Management port IP.

It's a little strange, so let me explain a little.

I have two services set up on CPPM, one for dot1x and one for MAC authentication. My tests show that I need to flip the NAS IP for dot1x authentication, whereas for MAC authentication I don't need to flip it.

By the way, I am testing a new switch model with CPPM. It's from Pica8, the model is as4610_30t, running PicOS. It's a gigabit Ethernet switch with dot1x and MAC authentication support.

The authentication seems to go through fine and I'm also getting the desired dynamic VLAN ID passed to the switch in the RADIUS reply; it's just that the NAS IP is displayed incorrectly for dot1x authentications.

Thank you again.

Guru Elite

Re: NAS IP shown at clearpass is in the wrong order

Please open a case with the switch manufacturer.  It would seem that they have an endian-ness issue where they might be flipping the order of the ip address.  A packet capture between the switch and the ClearPass server would allow us to understand if it is indeed the switch or Clearpass that is flipping the ip address.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: NAS IP shown at clearpass is in the wrong order


Like I said in my previous mail, I have two services, one for dot1x and one for MAB.

For dot1x authentications I noticed the following.

I did a tcpdump on the switch and found the NAS IP is 10.10.51.141, but on ClearPass the log shows the following:

For MAC authentication I noticed the following:

I did a tcpdump and again noticed the NAS IP to be 10.10.51.141; ClearPass also shows the NAS IP to be 10.10.51.141. So no issue for MAC authentication.

Attached are the logs for both dot1x and MAC auth.

I tried to attach pcap files but it seems files with this extension are not allowed?

It appears to me that this is a ClearPass issue, because the packet capture shows the NAS IP to be 10.10.51.141 for both dot1x and MAC auth, but on ClearPass it's displayed as 141.51.10.10 only for dot1x.

I have added the device as 10.10.51.141, and that's the switch IP.

Can you please suggest any possible cause?

Thanks


Guru Elite

Re: NAS IP shown at clearpass is in the wrong order

You should open a TAC case to get that figured out.

EDIT:  As you know, others are also free to weigh in here, and no, it doesn't look right.


Contributor I

Re: NAS IP shown at clearpass is in the wrong order

I'm sorry to have caused this confusion. ClearPass is in the clear here; it was a switch problem. It was sending the NAS IP in the wrong order, but strangely it would do so only sometimes; other times the IP was in the correct order. I've reported this issue to the switch vendor and it should be fixed soon. Many thanks to everyone.

Happy Holidays!
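
The comparison this thread comes down to, as an added example that is not from any poster, from ClearPass or from the switch vendor: read the NAS-IP-Address attribute (type 4, four octets in network byte order per RFC 2865) out of a raw RADIUS packet and report whether it matches the configured device address or is its byte-reversed form. The function names and the sample packets are constructed for illustration; 10.10.51.141 is the switch address quoted in the thread.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type; value is 4 octets, network byte order

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes start after code, identifier, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def check_nas_ip(packet: bytes, configured_ip: str) -> str:
    """Classify NAS-IP-Address against the device IP configured on the server."""
    expected = ipaddress.IPv4Address(configured_ip).packed
    for a_type, value in radius_attributes(packet):
        if a_type != NAS_IP_ADDRESS:
            continue
        if len(value) != 4:
            return "malformed"
        if value == expected:
            return "ok"
        if value == expected[::-1]:
            return "byte-swapped"  # octets sent in host order instead of network order
        return "mismatch"
    return "absent"

def build_request(nas_ip_octets: bytes) -> bytes:
    """Constructed sample: Access-Request carrying User-Name and NAS-IP-Address."""
    attrs = bytes([1, 6]) + b"test" + bytes([NAS_IP_ADDRESS, 6]) + nas_ip_octets
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    good = build_request(bytes([10, 10, 51, 141]))
    swapped = build_request(bytes([141, 51, 10, 10]))
    print(check_nas_ip(good, "10.10.51.141"), check_nas_ip(swapped, "10.10.51.141"))
```

Run against the UDP payload of each captured Access-Request, this separates a NAS that sends the attribute reversed from a server that displays it reversed, including when the fault is intermittent.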
