Aruba Apps


The HPE Aruba Networking Apps board is designed to address questions, comments, and feature requests for all HPE Aruba Networking mobile Apps

Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

  • 1.  Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    Posted Sep 12, 2023 02:11 PM

    We are using CP for authentication onto our wireless system and our Mobility devices (MCr/MM n MC/MDs) and for CP itself.

    I now want to add Airwave authentication via Radius to CP.  However, this is currently failing w/ a general Radius error.

    When I authenticate into our MCr cluster, I see an entry in CP that shows the NAS-PORT-TYPE = 5
    When I authenticate into our Airwave, I see an entry in CP that shows the NAS-PORT-TYPE = 15

    CP is configured (by our original consultant) to leverage NAS-PORT-TYPE = 15 for "wired" clients on our building networks.

    The Airwave auth is matching this and trying to authenticate w/ 802.1x Certificate information (which does not exist on Airwave).
    Basically, it is matching into the wrong "Services" object.

    Is it possible to have Airwave use NAS-PORT-TYPE = 5, like the Mobility devices all use?

    Thanks,
    Mike



  • 2.  RE: Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    EMPLOYEE
    Posted Sep 13, 2023 06:25 AM

    You probably want/need a separate service in ClearPass for Airwave, where you can put that before the conflicting service and have a service matching rule for the NAS-IP of your Airwave, or for Port-Type 15.

    Also, you could consider the Airwave Admin authentication via TACACS+, but RADIUS should probably work with a separate service.

    Airwave would need the Admin Role to be returned, where your 802.1X returns user-roles, which is why you probably would need a separate service; and besides that you in general cannot change the port-type on devices/servers, it probably won't help you here.

    I'd recommend to go back to your consultant, or find another consultant with your Aruba partner unless you understand how ClearPass works.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    Posted Sep 13, 2023 03:03 PM
    Herman, I appreciate the reply.  But, I was asking solely is it possible to have Airwave return the same code like the other Aruba products return (type = 5).  I am thinking via a setting or a feature request.

    I have already created a separate rule and it is running before the other rule, but I would prefer to have my user rules up top and then my admin rules below.

    The above requires me to have an admin rule up top.

    Overall, I do understand Clearpass very well.
    Thanks again.
    Mike






  • 4.  RE: Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    EMPLOYEE
    Posted Sep 20, 2023 08:01 AM

    Ah, that may be why I prefer to start with the admin services on top of my service list.

    Yes, you can go through a feature request (innovate.arubanetworks.com), if you can't in a different way change the service rules or service order, or change to TACACS for the Airwave admin authentication.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    Posted Sep 20, 2023 10:07 AM

    Hi Herman,

    TY U for the reply.  I always appreciate your posts (and I learned a lot from your Aruba videos back in 2019.)

    Re: Rule order, the consultant set things up w/ the User rules on top and Admin below, so that is why I want the rule below (to stay grouped), but as you have wisely mentioned, I will consider moving the group up.  I have not really thought about it.  Something for me to ponder.

    As for this issue, I finally received a reply from a level II member in Tech indicating I should use peap-MSCHAPv2 vs. PAP.    PAP will return 15 while peap-MSCHAPv2 will return 5 (the value I am looking for). 

    I will look into this change and once implemented, I will post results/findings back to this community.
    Thanks again.
    Mike




  • 6.  RE: Airwave - Clearpass (CP) Authentication (NAS-PORT-TYPE)

    Posted Sep 21, 2023 02:53 AM

    For the AirWave service I usually use just a NAD-IP-Address to be equal to AirWave IP.  

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------
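
The service-ordering behaviour discussed in this thread, as an added example that is not from any of the posters and is not ClearPass configuration or API: a simplified first-match model showing why the AirWave login (NAS-Port-Type 15) lands in the wired 802.1X service, and why a service keyed on the AirWave NAS-IP-Address placed ahead of it selects correctly whichever port type AirWave sends. Service names, IP addresses and sample requests are constructed assumptions.

```python
# Simplified model of top-down, first-match service selection.
# Added illustration only: not ClearPass configuration or API.
# NAS-Port-Type values per RFC 2865: 5 = Virtual, 15 = Ethernet.

AIRWAVE_IP = "192.0.2.10"  # constructed sample address
SWITCH_IP = "192.0.2.30"   # constructed sample address


def matches(rule, request):
    """True when every attribute named in the rule equals the request's value."""
    return all(request.get(attr) == want for attr, want in rule.items())


def select_service(services, request):
    """Return the first service, top to bottom, whose rule matches the request."""
    for name, rule in services:
        if matches(rule, request):
            return name
    return None


# Hypothetical service names. ORIGINAL is the order described in the first post.
ORIGINAL = [
    ("Wired 802.1X", {"NAS-Port-Type": 15}),
    ("Admin login", {"NAS-Port-Type": 5}),
]

# A service keyed on the AirWave address, placed ahead of the conflicting one.
FIXED = [("AirWave admin", {"NAS-IP-Address": AIRWAVE_IP})] + ORIGINAL

# Constructed sample requests.
airwave_login = {"NAS-IP-Address": AIRWAVE_IP, "NAS-Port-Type": 15}
airwave_login_type5 = {"NAS-IP-Address": AIRWAVE_IP, "NAS-Port-Type": 5}
wired_client = {"NAS-IP-Address": SWITCH_IP, "NAS-Port-Type": 15}

if __name__ == "__main__":
    for label, services in (("original", ORIGINAL), ("fixed", FIXED)):
        for req_name, req in (("airwave_login", airwave_login),
                              ("airwave_login_type5", airwave_login_type5),
                              ("wired_client", wired_client)):
            print(f"{label:8} {req_name:20} -> {select_service(services, req)}")
```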