Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and Mobility Controller DUR VSA

  • 1.  Clearpass and Mobility Controller DUR VSA

    Posted Mar 25, 2024 01:56 AM

    Dear All,

    We are trying to implement DUR (secondary role) for a number of devices.

    Clearpass is providing the information through the switch to the mobility controller, but the device is not visible on the "wired clients".

    As I have tried to troubleshoot the issue, I could not find anything solid.

    Could someone advise on how to perform deeper troubleshooting?



  • 2.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted Mar 25, 2024 02:55 AM

    Are these CX switches? Is your DUR working for other roles?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Clearpass and Mobility Controller DUR VSA

    Posted Mar 25, 2024 06:31 AM

    The switches are : 

    Aruba JL322A 2930M-48G-PoE+ Switch

    with WC.17.02.0007

    The mobility controller :

    Aruba7205, Version 8.12.0.0 SSR

    show station-table :

    c8:1f:ea:xx:xx:xx  c8:1f:ea:xx:xx:xx         AAdo_VLAN_41__Avaya__DUR_MC-3166-7  00:04:53    Yes   10.2.100.59      -       1/3        No      default-tunneled-user    TUNNELED USER

    and on the GUI of the MC I don't see the above device (attached image)




  • 4.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted Mar 27, 2024 12:21 AM

    So does DUR work? What's the output of the following commands on the switch?

    "sh port-access clients"

    "sh port-access clients detailed"



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Clearpass and Mobility Controller DUR VSA

    Posted Mar 27, 2024 12:33 AM

    Yes it does ...

    Switch# sh port-access clients 1/3
    Downloaded user roles are preceded by *

     Port Access Client Status

      Port  Client Name   MAC Address       IP Address      User Role         Type
      ----- ------------- ----------------- --------------- ----------------- -----
     VLAN
     -------------------------------------------------------
      1/3   c8:1f:ea:X... c81fea-XXXXXX     n/a             *Medo_VLAN_41_... MAC
     4091

    MedoB-Entrance# sh port-access clients 1/3
    Downloaded user roles are preceded by *

     Port Access Client Status

      Port  Client Name   MAC Address       IP Address      User Role         Type
      ----- ------------- ----------------- --------------- ----------------- -----
     VLAN
     -------------------------------------------------------
      1/3   c8:1f:ea:c... c81fea-cbf436     n/a             *Medo_VLAN_41_... MAC
     4091


    Switch# sh port-access clients 1/3 detailed

     Port Access Client Status Detail

      Client Base Details :
       Port            : 1/3                   Authentication Type : 802.1x
       Client Status   : connecting            Session Time        : 0 seconds
       Client name     :                       Session Timeout     : 0 seconds
       MAC Address     : c81fea-XXXXXX
       IP              : n/a

       Auth Order      : 8021x, Mac-Auth
       Auth Priority   : Not Set
       LMA Fallback    : Disabled


      Client Base Details :
       Port            : 1/3                   Authentication Type : mac-based
       Client Status   : authenticated         Session Time        : 181 seconds
       Client Name     : c8:1f:ea:cb:f4:36     Session Timeout     : 86400 seconds
       MAC Address     : c81fea-cbf436
       IP              : n/a

       Auth Order      : 8021x, Mac-Auth
       Auth Priority   : Not Set
       LMA Fallback    : Disabled

    Downloaded user roles are preceded by *

     User Role Information

       Name                              : *Medo_VLAN_41__Avaya__DUR_SW-3164-38
       Type                              : downloaded
       Reauthentication Period (seconds) : 86400
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 300
       Untagged VLAN                     : 4091
       Tagged VLANs                      :
       Captive Portal Profile            :
       Policy                            :
       Tunnelednode Server Redirect      : Enabled
       Secondary Role Name               : *VSA
       Device Attributes                 : Enabled
         PoE Allocation By Class         : Enabled
         PoE Priority                    : critical
         Admin-edge-port                 : Enabled
         Port-mode                       : Disabled
         Client-Limit Mac-based          :
         Client-Limit Dot1x              :



  • 6.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted 30 days ago

    OK, see if the tunnel is forming and its state is enabled. On the switch you can use "sh tunnel-node-server".

    Also, the secondary role that you are using should match the user-role on the controller (MC), and for now just add allow-all for it on the MC.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
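
Added example (not part of the thread, and not HPE Aruba code): a small Python parser for the "User Role Information" block of "sh port-access clients detailed" shown in post 5, applying the checks suggested in post 6. The sample text is constructed from that output; the controller role names, the finding messages and the treatment of a leading * as "downloaded" (per the output's own legend) are assumptions.

```python
import re

# Constructed sample, trimmed from the "User Role Information" block in post 5.
SAMPLE = """\
 User Role Information

   Name                              : *Medo_VLAN_41__Avaya__DUR_SW-3164-38
   Type                              : downloaded
   Untagged VLAN                     : 4091
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : *VSA
"""

def parse_role_block(text):
    """Return the 'key : value' pairs that follow 'User Role Information'."""
    fields, in_block = {}, False
    for line in text.splitlines():
        if "User Role Information" in line:
            in_block = True
            continue
        m = re.match(r"\s*(.+?)\s+:\s*(.*)$", line)
        if in_block and m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def tunnel_findings(fields, controller_roles):
    """List reasons the client may not get its secondary role on the controller.

    controller_roles: role names configured on the MC (hypothetical input,
    collected by the operator; not read from any device here).
    """
    findings = []
    if fields.get("Tunnelednode Server Redirect") != "Enabled":
        findings.append("role does not redirect to the tunneled-node server")
    secondary = fields.get("Secondary Role Name", "")
    if not secondary:
        findings.append("no secondary role is set in the user role")
    elif secondary.startswith("*"):
        # Legend in the output: downloaded roles are preceded by '*'.
        findings.append(f"secondary role {secondary} is downloaded; "
                        "check on the controller which role the client got")
    elif secondary not in controller_roles:
        findings.append(f"secondary role {secondary!r} is not defined on the MC")
    return findings

if __name__ == "__main__":
    for finding in tunnel_findings(parse_role_block(SAMPLE), {"authenticated"}):
        print("CHECK:", finding)
```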