08-23-2019 10:21 AM
Hi Aruba friends,
I'm near a nervous breakdown, to be honest.
But first things first.
I have 2 problems which I don't know how to get past.
The environment is as follows:
1x Aruba 2930F with DUR for 802.1X and MAC-Auth
1x IGEL thin client (Port 3)
1x PC (Windows 10 with PKI certificate) (Port 4)
1x Extreme Networks access point (please don't throw rocks) (Port 7)
1x MSM 460 AP (Port 6)
1x ClearPass cluster
The switch has firmware 16.09.003
1st problem:
The ports on the switch are configured as authenticator and mac-based.
The ports are configured as authenticator with "no" client limit, which means they are in "port-based" mode.
Problem:
The clients get authenticated by CPPM, but the client isn't able to receive a DHCP lease.
Putting the port in "user-based" mode with "client-limit 1" solves the problem: the client gets authenticated as well, but can also request a DHCP lease.
There are no restricting ACLs involved on the CPPM.
Question:
Shouldn't this be exactly the behavior in port-based mode as well?
Problem 2:
Currently we use HP MSM and Extreme Networks APs in our environment.
The APs are MAC-authenticated.
Manually configured (and without DUR) this looks like this:
vlan xxx untagged int 1 (where the access point is managed)
vlan yyy tagged 1 (breakout VLAN for a specific SSID)
vlan zzz tagged 1 (breakout VLAN for another specific SSID)
The clients connecting to the specified VLANs get authenticated against our old RADIUS server.
As soon as I enable mac-auth on the port and the AP gets the same VLAN tag/untag config via DUR, all clients connected to the AP try to authenticate against CPPM, which should not happen at the moment.
So the RADIUS requests are sent to the CPPM instead of the RADIUS server configured on the AP.
This can be useful sometime later, but right now I just want my port to put the AP dynamically into the right tagged/untagged VLAN configuration without trying to do the client RADIUS authentication.
Please help!
Here are my port config snippets:
For problems 1/2, as an example:
interface 1
   untagged vlan 666
   lldp admin-status disable
   no cdp enable
   aaa port-access authenticator
   aaa port-access mac-based
   aaa port-access mac-based addr-moves
   aaa port-access auth-order authenticator mac-based
   aaa port-access auth-priority authenticator mac-based
   loop-protect
   exit
port-access summary:
      | Authenticator      | Web Auth     | MAC Auth           | Local MAC
Port  | Enable Mode  Limit | Enable Limit | Enable Mode  Limit | Enable Limit
----- - ------ ----- ----- - ------ ----- - ------ ----- ----- - ------ -----
1     | Yes    Port  0     | No     1     | Yes    User  1     | No     1
2     | Yes    Port  0     | No     1     | Yes    User  1     | No     1
As you can see on ports 5/6, both the MSM and the Extreme APs also submit the Wi-Fi adapter's MAC address, which is "nuts" ...
And as you can see, the clients on 3/4 received the correct CPPM profile, but aren't able to get an IP address.
If I configure the ports in "user mode" they get an IP at once.
(aaa port-access authenticator 3,4 client limit 1)
Regards
Hec
- What the hec?
08-27-2019 07:03 AM
Hi Hec,
Very strange for port mode. Are you sure there is no ACL? (and the correct untagged VLAN?)
For the access point: with CPPM 6.8 and SW 16.08, there is a Device Port Mode on DUR.
You can look at: https://community.arubanetworks.com/t5/Security/CPPM-downloadable-user-roles-and-PORT-based-auth/td-p/534999
PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: Powershell Module to use Aruba Instant AP
PowerArubaMC: Powershell Module to use Mobility Controller / Master
ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Re: 2930F not getting ip-address for DUR Role client on authenticator Port in port-mode
08-27-2019 12:31 PM
Hi alagoutte,
Thanks for the hint with the port mode for the access point. I changed my config on the ClearPass and will check tomorrow morning if this did the trick :)
The port-mode thing for the 802.1X-authenticated ports where devices don't get a lease is really quite strange. I opened a ticket with the TAC team and hope to get answers regarding this question.
Thanks for the AP help. Seems like this will do the trick, because the problem seems to be the same :)
Will report back ;)
08-27-2019 01:18 PM
Funny...
The solution for the AP is the same solution that fixes my port-mode client problems with my fat clients not getting a proper IP.
The ports themselves are configured as:
no aaa port-access authenticator client-limit
The result is as described:
port-access summary shows:
After adding the port mode to the DUR, it was applied through the DUR and guess what...
... the clients got their IPs again...
The only thing which bothers me now are the 802.1X auths which seem to stay open, even though the APs (on ports 5, 6) are MAC-authenticated.
Will check wireless client behavior tomorrow.
But thank you for your marvellous hint!
Regards
Hec
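To make the fix from this thread concrete, here is an added example (not posted by Hec or alagoutte, and not Aruba's own documentation) of what the switch side looks like when the AP port stays in port-based mode and the downloadable role carries the Device Port Mode flag. The VLAN IDs, the class/policy/role names and the exact user-role sub-command spellings (`vlan-id`, `vlan-id-tagged`, `port-mode`) are assumptions based on the ArubaOS-Switch user-role context; check them against the Access Security Guide for your release before relying on them.

```text
; Added example, not from the thread. Names, VLAN IDs and sub-command
; spellings are assumptions; verify against your release's documentation.

; AP port, left in port-based 802.1X mode as in Hec's snippet
; (no client-limit = port mode, shown as "Port 0" in show port-access summary).
interface 6
   untagged vlan 666
   aaa port-access authenticator
   aaa port-access mac-based
   aaa port-access auth-order authenticator mac-based
   aaa port-access auth-priority authenticator mac-based
   exit
no aaa port-access authenticator 6 client-limit

; Local equivalent of the role ClearPass downloads for the AP's MAC address.
; "port-mode" is the Device Port Mode setting alagoutte refers to: with it,
; the VLAN membership and policy are applied to the whole port once the AP
; passes MAC-auth, so the port ends up like the static untagged/tagged config
; and the switch does not try to authenticate the wireless clients behind the AP.
class ipv4 "AP-ANY"
   10 match ip any any
   exit
policy user "AP-POLICY"
   10 class ipv4 "AP-ANY" action permit
   exit
aaa authorization user-role name "AP-ROLE"
   policy "AP-POLICY"
   vlan-id 100
   vlan-id-tagged 200,300
   port-mode
   exit

; Verification after the AP re-authenticates (assumed output, check on your switch):
;   show port-access clients       -> one entry for the AP MAC with role AP-ROLE
;   show user-role "AP-ROLE"       -> shows port-mode and the VLAN lists
;   show vlans ports 6 detail      -> 100 untagged, 200 and 300 tagged
```

The trade-off to keep in mind: in port mode the single successful authentication opens the port for every MAC address behind it, so a device plugged into a spare Ethernet port on the AP, or anything spoofing the AP's MAC, inherits AP-ROLE without ever talking to ClearPass. That is what Hec wanted here (the wireless clients are authenticated by the AP's own RADIUS server), but it means the tagged breakout VLANs are only as protected as the AP's configuration, and it is worth checking `show port-access clients` after a change so that stale 802.1X sessions, like the ones Hec saw staying open, do not go unnoticed.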