Aruba ClearPass and User-ID

L4 Transporter

We use 802.1X on our network for user authentication and assigning VLANs dynamically. Our edge switches (Brocade) and Aruba Controller are configured to use Aruba ClearPass to authenticate each user. ClearPass uses LDAP (FreeIPA) to look up users. ClearPass is currently configured to pass user-to-IP mappings to the PA via the API. My problem is that I can't see all the users on the PA who authenticate successfully with ClearPass. I can see users authenticating in the ClearPass logs, but when I check the firewall, I don't see that user's user ID in the PA logs. It appears as if ClearPass is not updating the PA completely or the PA is not receiving/accepting all of the data. I am not sure if the problem is on the ClearPass side or the PA side. Any ideas?

4 Replies

L7 Applicator

You can check your configuration and test the syslog receiver with the instructions here.

How to Configure a Custom Syslog Sender and Test User Mappings

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
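The linked procedure boils down to three pieces: an event pattern that selects successful logins, a username pattern and an address pattern that pull the mapping out of each selected line, and then a check that every user you expect actually produced a usable mapping. The following Python is an added example written for this thread; it is not code from Palo Alto Networks, Aruba, or either poster. The syslog line layout (`user=`, `ip=`, `result=`, `nas=`) is constructed for illustration and is an assumption about what the ClearPass syslog target would emit, as are the regexes; they stand in for the "event", "username" and "address" fields of a PAN-OS syslog parse profile and must be adapted to the real export format.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample syslog lines in a ClearPass-like layout. The field names
# and order are assumptions for this example, not the real ClearPass format;
# change the regexes below to match what your syslog export target produces.
SAMPLE_SYSLOG = """\
<134>Mar 12 10:15:01 clearpass01 RADIUS: user=alice.smith ip=10.20.30.41 result=ACCEPT nas=brocade-edge-01
<134>Mar 12 10:15:03 clearpass01 RADIUS: user=bob.jones ip=10.20.30.57 result=ACCEPT nas=aruba-ctrl-01
<134>Mar 12 10:15:04 clearpass01 RADIUS: user=carol.lee result=ACCEPT nas=brocade-edge-02
<134>Mar 12 10:15:06 clearpass01 RADIUS: user=dave.kim ip=10.20.30.99 result=REJECT nas=aruba-ctrl-01
<134>Mar 12 10:15:09 clearpass01 RADIUS: user=erin.wu ip=10.20.30.120 result=ACCEPT nas=brocade-edge-01
"""

# Event regex: only lines matching this are treated as login events
# (the equivalent of the parse profile's event pattern).
EVENT_RE = re.compile(r"result=ACCEPT")
# Username and address regexes (the equivalent of the username/address patterns).
USER_RE = re.compile(r"user=(?P<user>\S+)")
ADDR_RE = re.compile(r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_mappings(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (ip -> user mapping, login lines that could not be parsed).

    A line that matches the event regex but lacks a username or an address is
    reported instead of silently dropped: those lines are exactly the ones that
    explain a user who authenticated in ClearPass but never appears on the PA.
    """
    mapping: Dict[str, str] = {}
    unparsed: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if not EVENT_RE.search(line):
            continue  # not a successful login; the firewall would ignore it too
        user = USER_RE.search(line)
        addr = ADDR_RE.search(line)
        if not (user and addr):
            unparsed.append(line)
            continue
        mapping[addr.group("ip")] = user.group("user")
    return mapping, unparsed


def missing_users(expected: Set[str], mapping: Dict[str, str]) -> Set[str]:
    """Users seen authenticating in ClearPass that produced no IP mapping."""
    return expected - set(mapping.values())


if __name__ == "__main__":
    mapping, unparsed = parse_mappings(SAMPLE_SYSLOG)
    for ip, user in sorted(mapping.items()):
        print(f"{ip:<15} {user}")
    # Users the ClearPass access tracker shows as accepted (constructed list).
    accepted_in_clearpass = {"alice.smith", "bob.jones", "carol.lee", "erin.wu"}
    print("missing on firewall:", sorted(missing_users(accepted_in_clearpass, mapping)))
    for line in unparsed:
        print("could not parse:", line)
```

Running the sample shows the failure mode the original question describes: `carol.lee` was accepted by ClearPass but her line carries no IP, so no mapping is produced and she never shows up on the firewall, while the rejected `dave.kim` is correctly ignored. Feeding a real capture from the span port through the same two stages (event filter, then field extraction) separates "syslog never arrived" from "syslog arrived but the parse profile did not match".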

Steven, thanks for that information. I followed the documentation, but I am not having luck getting the new server monitor to connect. It just shows "not connected". I've tried creating a new ClearPass configuration to output syslogs to the PA's management interface and several other things, but without success.

Also, it seems this would be an alternative for IP-to-user-ID mappings to the approach I was taking of having ClearPass output everything it has to the PA's API. Is that correct?

Yes, this is a way to get user-to-IP mappings via syslog directly.

Since this is not connected there is either a configuration issue on one side, or the traffic is not reaching the PA.

Do you have a way to run a span port on the PA side to confirm the syslog data is arriving?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for the help, Steven. We are currently analyzing traffic to see if we can gather more information. I'll post again when I have more details.
