Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and Mobility Controller DUR VSA

  • 1.  Clearpass and Mobility Controller DUR VSA

    Posted Mar 25, 2024 01:56 AM

    Dear All,

    We are trying to implement DUR (secondary role) for a number of devices.

    Clearpass is providing the information through the switch to the mobility controller but the device is not visible on the "wired clients".

    As I have tried to troubleshoot the issue, I could not find anything solid.

    Could someone advise on how to perform deeper troubleshooting?



  • 2.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted Mar 25, 2024 02:55 AM

    Are these CX switches? Is your DUR working for other roles?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Clearpass and Mobility Controller DUR VSA

    Posted Mar 25, 2024 06:31 AM

    The switches are : 

    Aruba JL322A 2930M-48G-PoE+ Switch

    with WC.17.02.0007

    The mobility controller :

    Aruba7205, Version 8.12.0.0 SSR

    show station-table :

    c8:1f:ea:xx:xx:xx  c8:1f:ea:xx:xx:xx         AAdo_VLAN_41__Avaya__DUR_MC-3166-7  00:04:53    Yes   10.2.100.59      -       1/3        No      default-tunneled-user    TUNNELED USER

    and on the GUI of the MC I don't see the above device (attached image)




  • 4.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted Mar 27, 2024 12:21 AM

    So does DUR work? What's the output of the following commands on the switch?

    "sh port-access clients"

    "sh port-access clients detailed"






  • 5.  RE: Clearpass and Mobility Controller DUR VSA

    Posted Mar 27, 2024 12:33 AM

    Yes it does ...

    Switch# sh port-access clients 1/3
    Downloaded user roles are preceded by *

     Port Access Client Status

      Port  Client Name   MAC Address       IP Address      User Role         Type
      ----- ------------- ----------------- --------------- ----------------- -----
     VLAN
     -------------------------------------------------------
      1/3   c8:1f:ea:X... c81fea-XXXXXX     n/a             *Medo_VLAN_41_... MAC
     4091

    MedoB-Entrance# sh port-access clients 1/3
    Downloaded user roles are preceded by *

     Port Access Client Status

      Port  Client Name   MAC Address       IP Address      User Role         Type
      ----- ------------- ----------------- --------------- ----------------- -----
     VLAN
     -------------------------------------------------------
      1/3   c8:1f:ea:c... c81fea-cbf436     n/a             *Medo_VLAN_41_... MAC
     4091


    Switch# sh port-access clients 1/3 detailed

     Port Access Client Status Detail

      Client Base Details :
       Port            : 1/3                   Authentication Type : 802.1x
       Client Status   : connecting            Session Time        : 0 seconds
       Client name     :                       Session Timeout     : 0 seconds
       MAC Address     : c81fea-XXXXXX
       IP              : n/a

       Auth Order      : 8021x, Mac-Auth
       Auth Priority   : Not Set
       LMA Fallback    : Disabled


      Client Base Details :
       Port            : 1/3                   Authentication Type : mac-based
       Client Status   : authenticated         Session Time        : 181 seconds
       Client Name     : c8:1f:ea:cb:f4:36     Session Timeout     : 86400 seconds
       MAC Address     : c81fea-cbf436
       IP              : n/a

       Auth Order      : 8021x, Mac-Auth
       Auth Priority   : Not Set
       LMA Fallback    : Disabled

    Downloaded user roles are preceded by *

     User Role Information

       Name                              : *Medo_VLAN_41__Avaya__DUR_SW-3164-38
       Type                              : downloaded
       Reauthentication Period (seconds) : 86400
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 300
       Untagged VLAN                     : 4091
       Tagged VLANs                      :
       Captive Portal Profile            :
       Policy                            :
       Tunnelednode Server Redirect      : Enabled
       Secondary Role Name               : *VSA
       Device Attributes                 : Enabled
         PoE Allocation By Class         : Enabled
         PoE Priority                    : critical
         Admin-edge-port                 : Enabled
         Port-mode                       : Disabled
         Client-Limit Mac-based          :
         Client-Limit Dot1x              :



  • 6.  RE: Clearpass and Mobility Controller DUR VSA

    EMPLOYEE
    Posted Mar 28, 2024 02:51 AM

    OK, see if the tunnel is forming and its state is enabled. On the switch you can use "sh tunnel-node-server".

    Also, the secondary role that you are using should match the user-role on the controller (MC), and for now just add allow-all for it on the MC.



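Added example, not part of the thread or of any HPE Aruba tooling: a small Python helper that parses pasted "sh port-access clients ... detailed" output and runs the checks discussed above (an authenticated client, Tunnelednode Server Redirect enabled, secondary role present on the MC). The sample text, the role names and the `mc_roles` input (role names the operator copies from the controller) are constructed assumptions.

```python
import re

# Constructed sample modelled on the "sh port-access clients ... detailed" output above.
SAMPLE = """\
 Client Base Details :
   Port            : 1/3                   Authentication Type : 802.1x
   Client Status   : connecting            Session Time        : 0 seconds
   Client name     :                       Session Timeout     : 0 seconds

 Client Base Details :
   Port            : 1/3                   Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 181 seconds
   Client Name     : 00:00:5e:00:53:01     Session Timeout     : 86400 seconds

 User Role Information
   Name                              : *EXAMPLE_DUR_SW-1
   Type                              : downloaded
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : *EXAMPLE_MC_ROLE
"""

# One "Key : value" pair; a line may hold two, separated by runs of spaces.
PAIR = re.compile(r"([A-Za-z][\w()\- ]*?)\s*:(.*?)(?=\s{2,}[A-Za-z][\w()\- ]*?\s*:|$)")

def parse_detail(text):
    """Split the pasted output into per-client dicts and one role dict."""
    clients, role, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Client Base Details"):
            current = {}
            clients.append(current)
        elif line.startswith("User Role Information"):
            current = role
        elif current is not None:
            for key, val in PAIR.findall(line):
                current[key.strip().lower()] = val.strip()
    return clients, role

def check_tunnel_prereqs(text, mc_roles):
    """Return a list of problems; mc_roles is the set of role names defined on the MC."""
    clients, role = parse_detail(text)
    problems = []
    if not any(c.get("client status") == "authenticated" for c in clients):
        problems.append("no authenticated client on port")
    if role.get("tunnelednode server redirect") != "Enabled":
        problems.append("role does not redirect to tunneled-node server")
    secondary = role.get("secondary role name", "").lstrip("*")
    if secondary not in mc_roles:
        problems.append(f"secondary role {secondary!r} not defined on MC")
    return problems
```

An empty list from `check_tunnel_prereqs` means the switch side looks consistent, and the next place to look is the tunnel state itself.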