Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Uploading CX fingerprints to cppm via RADIUS Accounting packets

  • 1.  Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 07:52 AM

    When I was upgrading cppm to one of the 6.11 releases (can't remember which), the changes window said that this version of cppm supported device fingerprint upload from CX 10.13.x via RADIUS accounting packets. I've now got 2 CX 6300 switches running 10.13.1000 and want to try this out.

    Been looking through the CX 10.13 security doc. Can find bits about device fingerprinting but nothing on what to do to upload via RADIUS accounting. Release notes for 10.13.1000 don't show anything either.

    Is it in a section of the security guide that I've missed?

    A



  • 2.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 08:11 AM

    Never mind, found it. Page 701 in the 10.13 security guide:

    vsa vendor

    vsa vendor aruba type avpair group dfp-client-info
    no vsa vendor aruba type avpair group dfp-client-info

    Description

    This command enables AOS-CX integration with Aruba ClearPass by allowing the switch to send Vendor-Specific Attributes (VSAs) for the Aruba vendor in RADIUS interim packets (such as accounting packets). Device fingerprints are sent to a ClearPass RADIUS server through accounting updates using Aruba-AVPair (67) VSAs. When configured, device fingerprint information for an authenticated port-access client is obtained from protocols such as LLDP, DHCP, CDP, and HTTP and sent in RADIUS accounting interim packets.

    Examples

    The following command configures ClearPass integration using device fingerprinting information sent through RADIUS accounting updates.

    switch(config)# aaa radius-attribute group radius
    switch(config-radius-attr)# vsa vendor aruba type avpair group dfp-client-info
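
    The guide text quoted above says the switch carries fingerprints as Aruba-AVPair (vendor type 67) VSAs inside RADIUS accounting Interim-Update packets. The following is an added example (not from the original post, the security guide, or HPE Aruba) that builds such a packet from constructed data and decodes it again, so you can check what actually leaves the switch in a capture of UDP/1813 before looking for it on ClearPass. Assumptions: Aruba's IANA vendor ID 14823, RFC 2866 accounting framing, and the shared secret; the sample AVPair strings and their key=value wording are constructed stand-ins, as the page does not show the real payload format.

```python
import hashlib
import struct

ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks
ARUBA_AVPAIR = 67                # Aruba-AVPair vendor type, per the quoted security guide
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_INTERIM_UPDATE = 3
CODE_ACCOUNTING_REQUEST = 4


def build_attr(attr_type: int, data: bytes) -> bytes:
    """Plain RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_avpair(value: str) -> bytes:
    """Aruba-AVPair (14823/67) wrapped in a Vendor-Specific (26) attribute."""
    data = value.encode()
    sub = struct.pack("!BB", ARUBA_AVPAIR, 2 + len(data)) + data
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def build_acct_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_acct_authenticator(packet: bytes, secret: bytes) -> bool:
    """True if the packet was produced with this shared secret (wrong secret -> ClearPass drops it)."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def iter_attrs(blob: bytes):
    """Walk a TLV attribute list; used for both top-level and vendor sub-attributes."""
    off = 0
    while off + 2 <= len(blob):
        t, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % off)
        yield t, blob[off + 2:off + length]
        off += length


def extract_fingerprints(packet: bytes):
    """Return (Acct-Status-Type, [Aruba-AVPair strings]) from an Accounting-Request."""
    if len(packet) < 20 or packet[0] != CODE_ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    status, pairs = None, []
    for t, v in iter_attrs(packet[20:]):
        if t == ATTR_ACCT_STATUS_TYPE:
            status = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 \
                and struct.unpack("!I", v[:4])[0] == ARUBA_VENDOR_ID:
            for vt, vv in iter_attrs(v[4:]):
                if vt == ARUBA_AVPAIR:
                    pairs.append(vv.decode(errors="replace"))
    return status, pairs


# Constructed sample: one Interim-Update carrying two fingerprint AVPairs.
SAMPLE_SECRET = b"radiuskey"                      # constructed shared secret
SAMPLE_PACKET = build_acct_request(
    7,
    build_attr(ATTR_USER_NAME, b"host/PC01.example.local")
    + build_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE))
    + build_avpair("dhcp-option55=1,3,6,15,31,33,43")          # constructed value
    + build_avpair("lldp-system-description=AOS-CX test client"),  # constructed value
    SAMPLE_SECRET,
)

if __name__ == "__main__":
    print("authenticator ok:", verify_acct_authenticator(SAMPLE_PACKET, SAMPLE_SECRET))
    print(extract_fingerprints(SAMPLE_PACKET))
```

    To use it on real traffic, capture the switch's accounting packets (for example `tcpdump -w` on UDP port 1813 at the ClearPass side), feed each UDP payload to `extract_fingerprints`, and check `verify_acct_authenticator` with the configured secret: an empty AVPair list means the switch is not sending fingerprints, a failed authenticator means ClearPass will silently discard the update even if it did.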




  • 3.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 01, 2024 09:04 AM

    Next question

    On our 2930 estate the firmware has a nifty command to store the ClearPass root CA locally. With CX 10.13.1000 I downloaded and installed the root cert manually (this is what we originally had to do on the ArubaOS-S estate, but then the helpful command appeared).

    Luckily we don't have many client-facing CX switches, so manual upload isn't an issue... but further down the line it would be.

    Again, have I missed a command, or do I currently have to create a ta-profile and then upload the cert?

    A




  • 4.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    Posted Mar 06, 2024 07:35 AM

    When configuring a CX switch with CLI you have to do the TA profile manually as far as I know.

    My guess is that Aruba think you should do the config from Central and push the certificate this way. But I have actually not tested this.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted Mar 06, 2024 07:41 AM
    Yeah, just been doing this. We used to have to do that on the OS-S switches when DURs first came out, then they provided a config cmd to let the switch pull it from a cppm server. Guess that'll appear in CX eventually.

    Good job we haven't an estate of CX switches needing DURs.
    A




  • 6.  RE: Uploading CX fingerprints to cppm via RADIUS Accounting packets

    MVP EXPERT
    Posted 11 days ago

    OK, so now in a position where I'm testing DURs on CX. Yes, it works, but you have to use the FQDN of the RADIUS server, otherwise the switch complains about an invalid cppm cert. We use the cppm VIPs as our RADIUS server on the switch, not FQDNs, and while that works for authentication it doesn't for downloading DURs. Have got a workaround, just need to test it.

    As for the fingerprint via RADIUS accounting, can't see anything on cppm yet.

    A