Wired Intelligent Edge

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex

ok so  sh port-access client detail

Tells me that its failed to download the  DUR with an error of server certificate invalid

but if i do a sh crypto pki ta-profile clearpass I get the  enterprise local  root CA cert.

Should I also include the intermediate CA ?

A

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex

nope guess not,  the root CA is the same one I install on ArubaOS-S switches and thats the only one there ... and both arubaos-s and arubaos-cx are both talking to the same cppm server

switch time is correct as well

A

ok so  sh port-access client detail

Tells me that its failed to download the  DUR with an error of server certificate invalid

but if i do a sh crypto pki ta-profile clearpass I get the  enterprise local  root CA cert.

Should I also include the intermediate CA ?

A

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex

firmewware is 10.13.1010

nope guess not,  the root CA is the same one I install on ArubaOS-S switches and thats the only one there ... and both arubaos-s and arubaos-cx are both talking to the same cppm server

switch time is correct as well

A

ok so  sh port-access client detail

Tells me that its failed to download the  DUR with an error of server certificate invalid

but if i do a sh crypto pki ta-profile clearpass I get the  enterprise local  root CA cert.

Should I also include the intermediate CA ?

A

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex

you can refer to this 6x parts series on Aruba ClearPass Wired Enforcement for CX switches Part1 which covers LUR, DUR and more.

firmewware is 10.13.1010

nope guess not,  the root CA is the same one I install on ArubaOS-S switches and thats the only one there ... and both arubaos-s and arubaos-cx are both talking to the same cppm server

switch time is correct as well

A

ok so  sh port-access client detail

Tells me that its failed to download the  DUR with an error of server certificate invalid

but if i do a sh crypto pki ta-profile clearpass I get the  enterprise local  root CA cert.

Should I also include the intermediate CA ?

A

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex

Many thanks for that, most informative. I notice you use an FQDN when specifying a radius server . On our 2930 estate we dont and just point  the switch at.  the cppm VIPs  The cppm certs dont have an  IP: SaN nor an FQDN associated with the cppm VIPS. Can tweak the config to test things out to see if its that I guess

A

you can refer to this 6x parts series on Aruba ClearPass Wired Enforcement for CX switches Part1 which covers LUR, DUR and more.

firmewware is 10.13.1010

nope guess not,  the root CA is the same one I install on ArubaOS-S switches and thats the only one there ... and both arubaos-s and arubaos-cx are both talking to the same cppm server

switch time is correct as well

A

ok so  sh port-access client detail

Tells me that its failed to download the  DUR with an error of server certificate invalid

but if i do a sh crypto pki ta-profile clearpass I get the  enterprise local  root CA cert.

Should I also include the intermediate CA ?

A

Hi,

Most of my auth / DUR stuff has been on. ArubaOS-S/ Mobiltiy Controllers ... now dipping toe in for CX, so ... running. 10.13.x code ( whatever the latest is) ,have configured  DUR usage and.  am using RADIUS accounting to upload fingerprint data to cppm ...so got a few questions

1). sh port-access shows that i have an authentication. with a DUR applied

2). cppm shows both. dot1x and mac auth ( yes the switch is configured to do both to speed things up)

The DUR says 

• Apply an allow all ACL
• Reauthenticate every hour
• switch port into client-mode
• Do not define any tagged/iuntagged vlans use the statically assigned one

For the client

The reauth isnt 1 hour but a few mins

The client isnt  obtaining an IP address from the dhcp server even though its on the correct vlan

Whats the CX equivalent. of sh user-role download detail ?

How can i tell that the client fingerprint data has been uploaded via RADIJUS accounting?

Rgds

Alex