Security

My appologies if this is in the wrong forum but i'm having issues with macAuth on a 2530 where the switch fails to assign a vlan once the host passes authentication. ClearPass Access tracker shows that the host is using the correct service policy and the enforcement profile is assigning the correct vlan but then the accounting tab of access tracker shows NAS-Error for the termination clause.

I'm getting a log entry on the switch of:

W 04/17/19 14:22:54 02400 dca: macAuth client, RADIUS-assigned VID validation
error. MAC 00104932DB18 port 1 VLAN-Id 0 or unknown.

Thanks

Attachment(s)

switch3.txt   3 KB 1 version

 Hello if the Clearpass says a Auth success and returning the proper VLAN/Role, please check on the switch for this user if it has a VLAN or role post auth. If that is correct, we need to check the config on the switch related to that Vlan.

I would encourage you to open a Switch case, to solve it sooner.

What is the attribute that you return in ClearPass? For VLAN assignment on the switch, you should use the VLAN enforcement template that uses the IETF Tunnel-Private-Group-Id, Tunnel-Type, Tunnel-Media-Type, and Termination-Action attributes. Or the HPE-Egress-VLAN-ID would work as an alternative. The Aruba-User-VLAN attribute is supported by Instant, Controller and Branch Gateway only.

I solved the issue with MacAuth failing to assign the correct vlan.

ClearPass had the vlan name as VoIP.  I had defined the vlan name on the switch as VOIP.  ClearPass was sending a command for a vlan that didn't exist.

Silly mistake that I blew past several times until let it sit for a bit and went back with fresh eyes.

 I solved similar case and it was all about conversion from hexa to decimal, 

My case was to assign tagged vlan ID = 3 

the mistake i was made: 

0x310003  ---> convert to decimal --> 3211267

and this is the right way to convert: 

0x31000003  --->  convert to decimal --> 822083587