Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

help required debugging an airgroup issue

  • 1.  help required debugging an airgroup issue

    Posted Apr 03, 2019 06:51 AM

    On my dev setup (mobility controller + 2 node clearpass cluster)

    if I do a "sh airgroup cppm e" command, I see the "ClearPass Guest Device Registration Information " table.

     

    When I'm sitting in another building on another network, this command shows me 2 devices, a Chromecast video device and an Amazon Fire TV device.

     

    When I walk back to my building and run the command again, I see the above 2 plus all the devices I had on me when I walked in (iphone, android phone, macbook air plus the two mentioned earlier).

     

    On our production network, I've connected a Chromecast Video device.

    From this building running "sh airgroup cppm e" again, I see only the chromecast device.

    Unfortunately, when on the production network, running the command still only shows me the Chromecast Video device. I don't see entries for the iPhone, android phone or macbook air.

     

    I *think* both systems are configured the same, with the exception of different RADIUS servers.

     

    What sort of debugging can I switch on on the mobility controller to see how cppm guest registration info is processed? The clearpass guest Airgroup debug stuff seems useless.

     

    Clearpass guest is configured to send Airgroup CoA stuff out the management port.

     



  • 2.  RE: help required debugging an airgroup issue

    EMPLOYEE
    Posted Apr 03, 2019 02:30 PM

    May I know which devices are added in ClearPass Guest device repository? You should be adding AirGroup Servers in ClearPass guest device repository with sharing details.

     

    Entries in controller should be populated based on successful authorisation from ClearPass. Ideally, you should only be able to see AirGroup Servers (Apple TV, Fire TV etc) in controller cppm entries table.

     

    Regards,

    Pranav



  • 3.  RE: help required debugging an airgroup issue

    Posted Apr 04, 2019 05:21 AM

    > May I know which devices are added in ClearPass Guest device repository? You should be adding AirGroup Servers in ClearPass guest device repository with sharing details.

     

    Yup, that's what I'm doing.

     

    > Entries in controller should be populated based on successful authorisation from ClearPass. Ideally, you should only be able to see AirGroup Servers (Apple TV, Fire TV etc) in controller cppm entries table.

     

    Got different results on different setups.

     

    On my dev system, which consists of a clustered pair of mobility controllers and a 2 node clearpass cluster, I register devices in clearpass guest and enable airgroup_enable and airgroup_shared_user=<userid list>

    "sh airgroup cppm ent" shows all airgroup devices, including airgroup clients that have a successful auth from clearpass.

     

    On my prodn one, I can see just the airgroup server entries and not any clients.

    However if I run "show airgroup cppm-server rfc3576 statistics" on the controller I also see 

     

    Airgroup RFC3576 Statistics
    ---------------------------
    Server Disc Req No Secret Bad Auth Invld Req Pkts Dropped Unknown service CoA Req CoA Acc CoA Rej No perm
    ------ -------- --------- -------- --------- ------------ --------------- ------- ------- ------- -------
    ....
    RFC3576 port number : 5999
    Packets received from unknown clients : 12
    Packets received with unknown request : 0
    Total RFC3576 packets Received : 14

     

    Which makes me suspect I've got something wrong with the shared key in my rfc server definitions as I shouldn't see any packets from unknown clients
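
For readers following the RFC3576 statistics in the post above, this added example (not code from the thread, ClearPass or the controller) models how a generic RFC 3576/5176 receiver separates a sender it has no definition for from a known sender whose shared secret does not match. The result labels, IP addresses, secrets and attribute value are constructed, and mapping the labels onto the controller's own counters is an assumption.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RFC 5176 packet code for CoA-Request

def build_request(code, ident, attrs, secret):
    """Build a request whose authenticator is MD5(header + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def classify(packet, src_ip, clients):
    """Decide what a receiver does with a packet; clients maps source IP -> shared secret."""
    secret = clients.get(src_ip)
    if secret is None:
        return "unknown-client"      # sender not configured: the secret is never consulted
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "invalid"
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"   # sender known, but the two sides hold different secrets
    return "accepted"

# Constructed sample data: one configured sender and a User-Name attribute (type 1)
CLIENTS = {"192.0.2.10": b"example-secret"}
USER_NAME = bytes([1, 2 + len(b"airgroup-user")]) + b"airgroup-user"

def demo():
    good = build_request(COA_REQUEST, 7, USER_NAME, b"example-secret")
    wrong = build_request(COA_REQUEST, 8, USER_NAME, b"other-secret")
    return [
        classify(good, "192.0.2.10", CLIENTS),   # configured IP, matching secret
        classify(wrong, "192.0.2.10", CLIENTS),  # configured IP, mismatched secret
        classify(good, "192.0.2.99", CLIENTS),   # valid packet from an unconfigured IP
    ]

if __name__ == "__main__":
    print(demo())
```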