Cloud Managed Networks

Not sure this is the right discussion but:

I have a client with Central, 6300 CX switches, two 7210 gateways and Clearpass. They want to use UBT but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the Clearpass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic

Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.

The same issue happens for all ubt clients in any VLAN whether mac auth or 802.1x

Thanks

Stewart

your ubt client VLAN ID should be unique and also be created on your gateway but not applied to any interferes

what is your ubt zone configuration?

Is the UBT  user-role on the gateway blocking anything?

Not sure this is the right discussion but:

I have a client with Central, 6300 CX switches, two 7210 gateways and Clearpass. They want to use UBT but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the Clearpass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic

Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.

The same issue happens for all ubt clients in any VLAN whether mac auth or 802.1x

Thanks

Stewart

The UBT client VLAN is created on the gateway but was also on the switch. I removed the VLAN from the switch but then the client no longer appeared in the user table on the gateway. I know the VLAN does not need to be on the switch though. 

The user role on the gateway allows any traffic. 

I have logged with TAC now so hopefully they will find the issue

your ubt client VLAN ID should be unique and also be created on your gateway but not applied to any interferes

what is your ubt zone configuration?

Is the UBT  user-role on the gateway blocking anything?

Not sure this is the right discussion but:

I have a client with Central, 6300 CX switches, two 7210 gateways and Clearpass. They want to use UBT but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the Clearpass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic

Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.

The same issue happens for all ubt clients in any VLAN whether mac auth or 802.1x

Thanks

Stewart

UBT Client VLAN is somewhat ambiguous; check this video for the difference between local VLAN and VLAN Extend mode. Local VLAN (and use of the ubt-client-vlan command on the switch) is probably what you want.

The UBT client VLAN is created on the gateway but was also on the switch. I removed the VLAN from the switch but then the client no longer appeared in the user table on the gateway. I know the VLAN does not need to be on the switch though. 

The user role on the gateway allows any traffic. 

I have logged with TAC now so hopefully they will find the issue

your ubt client VLAN ID should be unique and also be created on your gateway but not applied to any interferes

what is your ubt zone configuration?

Is the UBT  user-role on the gateway blocking anything?

Not sure this is the right discussion but:

I have a client with Central, 6300 CX switches, two 7210 gateways and Clearpass. They want to use UBT but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the Clearpass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic

Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.

The same issue happens for all ubt clients in any VLAN whether mac auth or 802.1x

Thanks

Stewart

Yes I want the clients to be placed in a role on the gateway. They just need to be placed into the VLAN on the controller and the traffic tunnelled between switch and gateway. I don't think I have any need for tagged traffic so don't need vlan extend. the UBT config on the switch I have is:

vlan 4091

ubt-client-vlan 4091
ubt zone default vrf default
    primary-controller ip 10.x.2.40
    backup-controller ip 10.x.2.48
    enable

ip source-interface ubt interface vlan200

ubt state shows both gateways connected

UBT Client VLAN is somewhat ambiguous; check this video for the difference between local VLAN and VLAN Extend mode. Local VLAN (and use of the ubt-client-vlan command on the switch) is probably what you want.

The UBT client VLAN is created on the gateway but was also on the switch. I removed the VLAN from the switch but then the client no longer appeared in the user table on the gateway. I know the VLAN does not need to be on the switch though. 

The user role on the gateway allows any traffic. 

I have logged with TAC now so hopefully they will find the issue

your ubt client VLAN ID should be unique and also be created on your gateway but not applied to any interferes

what is your ubt zone configuration?

Is the UBT  user-role on the gateway blocking anything?

Not sure this is the right discussion but:

I have a client with Central, 6300 CX switches, two 7210 gateways and Clearpass. They want to use UBT but the network is live and it will be a gradual migration. I have enabled UBT on the switches, configured the Clearpass authentication and the correct roles on the gateways. If I configure a port to use MAC or 802.1x authentication, the client successfully authenticates, the role is pushed to the switch and the secondary role applied. I see the client on the gateway in the correct role with an IP address obtained via DHCP. However, the client cannot send or receive any other traffic. No traffic appears blocked in the datapath table though. All roles allow all traffic

Any ideas what I have wrong here? I do wonder if the issue is the same VLAN is configured locally on the switch but this is not stated as an issue in the documentation unless using ubt vlan-extend which I am not.

The same issue happens for all ubt clients in any VLAN whether mac auth or 802.1x

Thanks

Stewart