Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Profiling is happening but no RADIUS request and no log in event tracker

  • 1.  Profiling is happening but no RADIUS request and no log in event tracker

    Posted May 30, 2019 08:54 AM

    Hello,

    We have a wired port where we have connected a VOIP phone. The phone is being discovered and profiled, but there is no RADIUS request coming. The switch is an HPE 5130 running Comware 7. Below is the config:

     

    radius scheme clearpass
    primary authentication 10.120.8.45 key simple "*********"
    secondary authentication 10.120.27.28 key simple "*********"
    primary accounting 10.120.8.45 key simple "*********"
    secondary accounting 10.120.27.28 key simple "*********"
    accounting-on enable
    user-name-format keep-original

    domain clearpass
    authentication lan-access radius-scheme clearpass
    authorization lan-access radius-scheme clearpass
    accounting lan-access radius-scheme clearpass

    domain default enable clearpass
    radius nas-ip 10.124.22.222 // switch ip //
    radius dynamic-author server
    client ip 10.120.8.45 key simple "*********"
    client ip 10.120.27.28 key simple "*********"

    port-security enable
    port-security mac-move permit
    dot1x authentication-method eap
    dot1x timer supp-timeout 10
    dot1x timer tx-period 10

    Port config is:

    interface GigabitEthernet1/0/21
    description User port
    port link-type hybrid
    port hybrid vlan 100 111 tagged
    port hybrid vlan 1 untagged
    undo voice-vlan mode auto
    voice-vlan 111 enable
    mac-vlan enable
    stp root-protection
    stp edged-port
    lldp compliance admin-status cdp txrx
    qos trust dscp
    poe enable
    undo dot1x handshake
    dot1x mandatory-domain cppm
    undo dot1x multicast-trigger
    dot1x re-authenticate
    dot1x unicast-trigger
    dot1x re-authenticate server-unreachable keep-online
    mac-authentication max-user 10
    mac-authentication domain cppm
    mac-authentication timer auth-delay 15
    mac-authentication re-authenticate server-unreachable keep-online
    mac-authentication host-mode multi-vlan
    mac-authentication parallel-with-dot1x
    port-security port-mode userlogin-secure-or-mac-ext
    loopback-detection action shutdown



  • 2.  RE: Profiling is happening but no RADIUS request and no log in event tracker

    EMPLOYEE
    Posted May 30, 2019 11:16 AM

    Check that the RADIUS shared secret configured in the server is correct.



  • 3.  RE: Profiling is happening but no RADIUS request and no log in event tracker

    Posted May 30, 2019 12:04 PM

    Hi,

    I checked it twice; if there is a mismatch, I should at least see it in the event tracker.

    All the firewall ports are opened.

    If a laptop is connected to this port, I can see the request coming to ClearPass.

    But there is no request when the VOIP phone is connected. CPPM is identifying the VOIP phone in profiling, but there is no RADIUS request coming to CPPM.

    In fact, the VOIP phone is connected and working, but there is no request coming to RADIUS. So I suspect there is some command in the config I pasted that is blocking the VOIP phone from sending a RADIUS request.



  • 4.  RE: Profiling is happening but no RADIUS request and no log in event tracker

    EMPLOYEE
    Posted May 30, 2019 12:15 PM

    If you do a pcap on the uplink port of the VOIP phone and are not seeing any RADIUS request going from the VOIP phone, I would encourage you to open a ticket with the HPE switching team. That would be a faster solution.