Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
OnConnect Intermittent Issues

  • 1.  OnConnect Intermittent Issues

    Posted Aug 01, 2018 07:38 PM

    Hi All,

    I am currently implementing OnConnect Enforcement in my lab environment and it's working relatively well. I am, however, having some intermittent issues with our NEC DT700 series VoIP phones. OnConnect successfully categorizes the phone and applies the correct role and enforcement profile; however, when I look through the alerts tab in the access tracker I get the following:

    SNMP Service: MAC address lookup failed for host=00-60-b9-8b-1a-98

    Enforcement failed

    As a result, no port change/reset is requested via SNMP to the switch. In this case, it is an Aruba 2920 running 16.06 firmware. ClearPass is on 6.7.0.

    I can change the port and sometimes it will work successfully, without any further changes to configuration.

    Any ideas? Many thanks.



  • 2.  RE: OnConnect Intermittent Issues

    EMPLOYEE
    Posted Aug 02, 2018 03:26 AM

    Did you follow the ClearPass Solution Guide: Wired Policy Enforcement?

    It has a section on OnConnect for the ArubaOS switches. From your error, there might be an issue with the SNMP traps for new MAC addresses not coming into the switch.

    Having said that, if you have ArubaOS switches, in 99.9% of all cases, it is better to deploy MAC authentication together with Profiler for headless devices. It has better features and works much faster, as MAC Authentication is proactive (before the device connects to the network), and OnConnect is reactive (responds to SNMP traps), which works but is not the recommended way if you can do MAC Authentication and/or 802.1X.