In this scenario the client does not receive the correct role. It cannot complete the EAP transaction.
I already made packet captures and shared them with TAC. I have a switch case; maybe I have to open a ClearPass case as well.
Original Message:
Sent: Mar 15, 2024 11:44 AM
From: Herman Robers
Subject: ClearPass rolemapping ArubaOS and CX
Do you see the correct role returned by ClearPass for devices that do successfully authenticate? That is what you originally opened this thread for.
To troubleshoot this further, it may be good to work with your Aruba partner or Aruba TAC. There are a lot of logs available, and you can run packet captures and debugging to find what is actually happening here. If you know what's going on, it's probably trivial to change the config, which apparently has something misconfigured for your scenario.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 14, 2024 05:35 AM
From: erik.boss
Subject: ClearPass rolemapping ArubaOS and CX
Hi ,
When connecting a client it works on both. When connecting a VOIP-phone on an Aruba OS switch and a client it works.
It does not work when I connect a client behind a VOIP-phone on a CX switch when using EAP.
EAP packets are dropped, timeouts in ClearPass. It seems that Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement NOT_EXISTS won't give the user that given role, so the client does not receive the role configured to get on the network.
VOIP-phones are Alcatel Lucent. Any suggestions?
Original Message:
Sent: Feb 21, 2024 04:13 AM
From: CM83
Subject: ClearPass rolemapping ArubaOS and CX
These RADIUS attributes are sent from an ArubaOS switch and not CX, so they can be used to distinguish between each.
Original Message:
Sent: Feb 20, 2024 10:47 AM
From: erik.boss
Subject: ClearPass rolemapping ArubaOS and CX
Thanks, seems to work on CX. Will test it tomorrow on OS.
How did you get this entry? I was searching in the request, couldn't find anything.
Regards,
Erik
Original Message:
Sent: Feb 20, 2024 10:34 AM
From: CM83
Subject: ClearPass rolemapping ArubaOS and CX
You can use Role Mapping to assign a Tips Role and then match that in your Enforcement to send back the correct config.
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement EXISTS assign role ArubaOS-Switch
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement NOT_EXISTS assign role ArubaCX-Switch
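To make the two role-mapping rules above concrete, here is a small Python model of how a ClearPass role-mapping policy evaluates them, added as an example and not ClearPass code (it does not parse RADIUS packets; requests are flattened attribute dictionaries using the ClearPass "Namespace:Vendor:Attribute" display names from this thread). It also shows the weakness of classifying on NOT_EXISTS alone: any request without the HPE VSA, including one from a NAD that is not a CX switch, lands in the ArubaCX-Switch role. A second rule set adds a NAS-IP-Address subnet guard; the `IN_SUBNET` operator, the `10.10.0.0/24` management subnet and all sample requests are constructed for this example and are not ClearPass operators or real captures.

```python
"""Model of ClearPass role-mapping evaluation (added example, not ClearPass code).

Attribute names use the ClearPass "Namespace:Vendor:Attribute" display form
from the thread. All requests below are constructed samples, not captures.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence

Request = Dict[str, str]

HPE_CAP_ADV = "Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement"
NAS_IP = "Radius:IETF:NAS-IP-Address"


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str          # EXISTS, NOT_EXISTS, EQUALS, BELONGS_TO, IN_SUBNET
    value: object = None   # only used by the value operators

    def holds(self, req: Request) -> bool:
        present = self.attribute in req
        if self.operator == "EXISTS":
            return present
        if self.operator == "NOT_EXISTS":
            return not present
        if not present:
            return False   # value operators cannot match a missing attribute
        actual = req[self.attribute]
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "BELONGS_TO":
            return actual in self.value
        if self.operator == "IN_SUBNET":   # model-only operator (assumption)
            return ipaddress.ip_address(actual) in ipaddress.ip_network(self.value)
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass(frozen=True)
class Rule:
    conditions: Sequence[Condition]   # all conditions must hold (AND match)
    role: str

    def matches(self, req: Request) -> bool:
        return all(c.holds(req) for c in self.conditions)


def map_roles(req: Request, rules: Sequence[Rule], first_match_only: bool = False) -> List[str]:
    """Return the Tips roles assigned to `req`, in rule order."""
    roles = []
    for rule in rules:
        if rule.matches(req):
            roles.append(rule.role)
            if first_match_only:
                break
    return roles


# The two rules as posted in the thread: presence of the HPE VSA selects ArubaOS.
THREAD_RULES = [
    Rule((Condition(HPE_CAP_ADV, "EXISTS"),), "ArubaOS-Switch"),
    Rule((Condition(HPE_CAP_ADV, "NOT_EXISTS"),), "ArubaCX-Switch"),
]

# Variant that also requires the NAD to sit in the management subnet, so that
# "attribute absent" alone does not put an unexpected NAD into the CX bucket.
MGMT_SUBNET = "10.10.0.0/24"   # assumed management subnet (constructed)
GUARDED_RULES = [
    Rule((Condition(HPE_CAP_ADV, "EXISTS"),
          Condition(NAS_IP, "IN_SUBNET", MGMT_SUBNET)), "ArubaOS-Switch"),
    Rule((Condition(HPE_CAP_ADV, "NOT_EXISTS"),
          Condition(NAS_IP, "IN_SUBNET", MGMT_SUBNET)), "ArubaCX-Switch"),
]

# Constructed sample requests (flattened attribute views, not real packets).
ARUBAOS_REQ = {
    "Radius:IETF:User-Name": "host/laptop01.example.net",
    NAS_IP: "10.10.0.21",
    HPE_CAP_ADV: "<vendor-specific value>",   # present; contents not modelled
}
CX_REQ = {
    "Radius:IETF:User-Name": "host/laptop02.example.net",
    NAS_IP: "10.10.0.87",
}
UNKNOWN_NAD_REQ = {
    "Radius:IETF:User-Name": "host/laptop03.example.net",
    NAS_IP: "192.0.2.5",   # not a managed switch; sends no HPE VSA either
}

if __name__ == "__main__":
    for name, req in [("ArubaOS", ARUBAOS_REQ), ("CX", CX_REQ), ("unknown NAD", UNKNOWN_NAD_REQ)]:
        print(f"{name:12} thread rules -> {map_roles(req, THREAD_RULES)}  "
              f"guarded -> {map_roles(req, GUARDED_RULES)}")
```

With the thread's rules the unknown NAD is mapped to ArubaCX-Switch purely because it sends no HPE VSA; with the guarded rules it receives no role at all and can be handled by a default enforcement. Once a request from a managed switch unexpectedly falls into the NOT_EXISTS branch, the place to look is the Access-Request in the packet capture: the attribute really is absent, or the request came from a different NAD than assumed.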
Original Message:
Sent: Feb 20, 2024 10:26 AM
From: erik.boss
Subject: ClearPass rolemapping ArubaOS and CX
Hi Gents,
in my project I have 30 ArubaOS switches and about 70 Aruba CX switches to authenticate users with EAP-TLS.
All switches are managed in one vlan.
The NAD devices are found by the management subnet. Is there a way to tell the difference between authentication from an Aruba OS and an Aruba CX switch?
ArubaOS uses for example the HPE user roles, while CX uses Aruba user roles. Creating double services is an option but how can I fix it without having much administration?
The ArubaOS switches will be replaced in 2024.
Now I have a role mapping for OS and CX switches but the enforcement is not what it must be. I receive both roles and enforcements. It's an ugly config.
Any suggestion? I was looking at a NAS ID, but I would have to enter all switch names or IP addresses into it.
I don't want to enter all switches by hand.