Wired Intelligent Edge (Campus Switching and Routing)

Contributor II

ArubaOS Switch profile manager

Hi airheads,

 

I'm trying to use device profiling for APs so that I don't have to authenticate them using ClearPass. I have the following in my config on a 2930F.

 

device-profile name "cowaruba-ap"
   untagged-vlan 236
   poe-priority high
   exit
device-profile type "aruba-ap"
   associate "cowaruba-ap"
   enable
   exit

I'm also using MAC auth and 802.1x on edge ports for auth. The problem is that when I plug in an AP, with debugging on I see the following:

W 11/01/18 09:36:20 05142 profile-manager: ST1-CMDR: Profile manager application failed on port 1/6 as it conflicts with RADIUS configuration.

 

Can I really not use both 802.1x and profile-manager together?


Mike Naylor
The College of Wooster

All Replies
Moderator

Re: ArubaOS Switch profile manager

You really should be using EAP-TLS with your Aruba APs to ClearPass.

Using device profiles opens a potential security hole and you have conflicting authoritative access control at the edge of the network.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: ArubaOS Switch profile manager

I've never thought of using EAP-TLS for AP auth. Is there a technote or write-up on that?


Mike Naylor
The College of Wooster
Moderator

Re: ArubaOS Switch profile manager

Are you running ArubaOS 8.2 or higher?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: ArubaOS Switch profile manager

AOS 8.2.1


Mike Naylor
The College of Wooster
Moderator

Re: ArubaOS Switch profile manager

Since you haven't yet deployed this, I would recommend waiting until 8.4 is released to make these changes if at all possible.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: ArubaOS Switch profile manager

In the meantime, how should I auth my APs at the switch? I would rather not import all 1500 MAC addresses into ClearPass.


Mike Naylor
The College of Wooster
Moderator

Re: ArubaOS Switch profile manager

You can just write rules based on the profile data. Combination of profile + MAC vendor and assign an “ap” role that only lets them talk to controllers.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Accepted solution

Contributor II

Re: ArubaOS Switch profile manager

Understood. When 8.4 is released, will there be (or is there now) documentation for the TLS auth?


Mike Naylor
The College of Wooster