redacted config:
system {
host-name Mark-Test;
root-authentication {
encrypted-password "123123123123123"; ## SECRET-DATA
}
login {
services {
ssh {
root-login allow;
protocol-version v2;
max-sessions-per-connection 64;
}
netconf {
ssh;
}
}
auto-snapshot;
domain-name state.sd.us;
time-zone cst6cdt;
no-redirects;
arp {
aging-timer 5;
}
name-server {
x.x.x.x;
}
syslog {
user * {
any emergency;
}
host x.x.x.x {
any any;
}
file cli-commands {
interactive-commands any;
archive size 5m files 20;
}
file config-changes {
change-log info;
archive size 5m files 20;
}
file default-log-messages {
any any;
match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)|(commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit synchronize' operation)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned| LFMD_3AH | RPD_MPLS_PATH_BFD|(Backup changed)|(Backup detected)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(Master Unchanged, Members Changed)|(Master changed)|(Master detected)|(interface vcp-)|(vc add)|(vc delete)|CFMD_CCM_DEFECT|(AIS_DATA_AVAILABLE)|BR_INFRA_DEVICE";
structured-data;
}
file errors {
any error;
explicit-priority;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
archive size 5m files 20;
}
file router-firewall {
firewall any;
}
}
ntp {
server x.x.x.x prefer;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
interface-range Trunks {
member ge-0/0/11;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 ];
}
storm-control default;
}
}
}
interface-range Switch {
member-range ge-0/0/0 to ge-0/0/10;
description "State Network";
unit 0 {
family ethernet-switching {
interface-mode access;
storm-control default;
}
}
}
irb {
unit 10 {
description "State Network";
family inet {
address x.x.x.x/24;
}
}
}
lo0 {
unit 0 {
family inet;
}
}
}
snmp {
contact "xxxx";
client-list sdn-snmp {
x.x.x.x;
}
community sdbit {
client-list-name sdn-snmp;
}
trap-options;
trap-group sdn-traps {
version v2;
categories {
authentication;
chassis;
link;
routing;
startup;
rmon-alarm;
vrrp-events;
}
targets {
x.x.x.x;
}
}
}
forwarding-options {
storm-control-profiles default {
all;
}
dhcp-relay {
forward-snooped-clients all-interfaces;
overrides {
trust-option-82;
delete-binding-on-renegotiation;
}
server-group {
dhcp-dot1x {
x.x.x.x;
}
}
active-server-group dhcp-dot1x;
group all {
interface ge-0/0/11.0;
interface irb.0;
}
}
}
access {
radius-server {
x.x.x.x {
dynamic-request-port 3799;
secret "123123123123"; ## SECRET-DATA
source-address x.x.x.x;
}
}
profile CP-BITs-Profile {
accounting-order radius;
authentication-order radius;
radius {
authentication-server x.x.x.x;
accounting-server x.x.x.x;
}
}
}
routing-options {
graceful-restart;
static {
route 0.0.0.0/0 next-hop x.x.x.x;
}
}
protocols {
dot1x {
authenticator {
authentication-profile-name CP-BITs-Profile;
interface {
Switch {
supplicant multiple;
mac-radius {
authentication-protocol {
pap;
}
}
}
}
}
}
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan default;
}
vstp {
interface all;
vlan all;
}
}
switch-options {
voip {
interface access-ports {
vlan vlan11;
forwarding-class assured-forwarding;
}
}
}
poe {
interface all;
interface Trunks {
disable;
}
}
vlans {
vlan10 {
description "Network";
vlan-id 10;
l3-interface irb.10;
}
vlan11 {
description VoIP;
vlan-id 11;
}
vlan12 {
description "Non-Domain State Device Without Internet Access";
vlan-id 12;
}
vlan13 {
description "Non-Domain State Device With Internet Access";
vlan-id 13;
}
vlan14 {
description "Non-State Users Without Internet Access";
vlan-id 14;
}
vlan15 {
description "Non-State Users With Internet Access";
vlan-id 15;
}
}
Original Message:
Sent: Nov 01, 2022 02:02 PM
From: Unknown User
Subject: Colorless ports with Clearpass and Juniper
added snippet of enforcement profile, dot1x command, and switch vlans. Uploading... Upload file
Original Message:
Sent: Nov 01, 2022 12:21 PM
From: Unknown User
Subject: Colorless ports with Clearpass and Juniper
not quite the same. That post is discussing the approval/enforcement. It doesn't send the vlan tag back to the switch.
Original Message:
Sent: Nov 01, 2022 09:07 AM
From: Herman Robers
Subject: Colorless ports with Clearpass and Juniper
This discussion seems to have a duplicate here. Let's continue there for follow-up.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Nov 01, 2022 09:05 AM
From: Herman Robers
Subject: Colorless ports with Clearpass and Juniper
What are the attributes that ClearPass returns to the switch (Access Tracker, Output tab, expand the RADIUS Response)?
Do you see something in the switch logs?
What does the dot1x detail show on the interface (show dot1x interface ge-0/0/6 detail)?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Oct 31, 2022 02:04 PM
From: Unknown User
Subject: Colorless ports with Clearpass and Juniper
I've been using that configuration but its only been working with out the firewall portion. I've been trying to get the colorless port configuration working
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce-209-configuring-colorless-ports-ex-aruba-clearpass-policy.html
The Clearpass approval/authentication is working but its not pushing back the vlan option. I'm only getting the voip vlan working or the switch will just default to vlan 1
Original Message:
Sent: Oct 31, 2022 09:55 AM
From: Herman Robers
Subject: Colorless ports with Clearpass and Juniper
What is the issue you have? I don't know EX switches, but the guide looks good to me. On the previous page, there is the EX switch config needed.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Oct 27, 2022 03:26 PM
From: Unknown User
Subject: Colorless ports with Clearpass and Juniper
Has anyone gotten the colorless port configuration between Juniper and Clearpass with Juniper's following guide? If you have could you share some tips or configuration sample with me?
Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE| Juniper | remove preview |
| | Configuring Colorless Ports on EX Series Switches with Aruba ClearPass Policy Manager and Cisco ISE | | Starting from Junos OS Release 20.4R1, EX switches support Colorless ports. Colorless ports are used in conjunction with device profiling with any standards-based radius server, and convert an access port to a trunk port and allow the necessary VLANs with necessary tagging. | | View this on Juniper > |
|
|