Cloud Managed Networks


Central NAC - problem with wired authentication

  • 1.  Central NAC - problem with wired authentication

    Posted 5 days ago

    I'm having problems with setting up wired authentication from a CX 6100 to Central NAC. I have configured all the policies and profiles, but I never see authentication attempts. 

    If I go to the switch and run "show radius-server detail" I see the following output:

    Server-Name                     : euw1.cloudguest.central.arubanetworks.com
    Auth-Port                       : 2083
    Accounting-Port                 : 2083
    VRF                             : default
    TLS Enabled                     : Yes
    TLS Connection Status           : tls_connection_failed
    Initial TLS Connection Timeout  : 30 seconds 
    Timeout                         : 20 seconds 
    Auth-Type                       : pap
    Resolved-Address                : 3.126.68.5
    Server-Group:Priority           : sys_central_nac:1
    Tracking                        : disabled
    Tracking-Mode                   : any
    Tracking-Method                 : access-request
    Reachability-Status             : unknown
    Tracking-Last-Attempted         : N/A
    Next-Tracking-Request           : N/A
    Port-Access Session             : keep-alive

    So it appears that the TLS connection for the RadSec between switch and Central is failing, but how could this be if this is supposedly done automatically and with the correct certificates?



    -------------------------------------------


  • 2.  RE: Central NAC - problem with wired authentication

    Posted 5 days ago

    Is TCP port 2083 allowed on the network to the Central NAC servers?

    Can you share the output of the commands show events -r and show crypto pki certificate device-identity (maybe best in a DM)?



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Central NAC - problem with wired authentication

    Posted 4 days ago

    In show events -r I'm seeing a lot of entries like this one:

    2026-05-29T10:44:53.208866+02:00 6000 port-accessd[20937]: Event|7709|LOG_WARN|UMM|-|Certificate *.cloudguest.central.arubanetworks.com rejected due to verification failure (30)

    Is there a problem there?




  • 4.  RE: Central NAC - problem with wired authentication

    Posted 4 days ago

    I think so. Please share the output of the command show crypto pki certificate device-identity via a DM



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 5.  RE: Central NAC - problem with wired authentication

    Posted 4 days ago

    I just did.

    -------------------------------------------



  • 6.  RE: Central NAC - problem with wired authentication
    Best Answer

    Posted 4 days ago

    Looks all good. Please can you check if the TA profile is correctly pushed to the switch?

    Config line starts with:

    crypto pki ta-profile sys_central_nac



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
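    As an added illustration (not code from this thread or from Aruba), a small Python checker that correlates the three artefacts discussed above: the "show radius-server detail" status, the "show events -r" certificate-rejection entry, and whether the "crypto pki ta-profile sys_central_nac" line is present in the running config. The sample inputs are constructed from the output quoted in the thread; the hostname line, the healthy status string "tls_connected" and the minimal config snippets are assumptions.

```python
import re

# Constructed sample inputs, modelled on the switch output quoted in the thread.
RADIUS_DETAIL = """\
Server-Name                     : euw1.cloudguest.central.arubanetworks.com
Auth-Port                       : 2083
TLS Enabled                     : Yes
TLS Connection Status           : tls_connection_failed
Server-Group:Priority           : sys_central_nac:1
"""
EVENTS = ("2026-05-29T10:44:53.208866+02:00 6000 port-accessd[20937]: Event|7709|LOG_WARN|UMM|-|"
          "Certificate *.cloudguest.central.arubanetworks.com rejected due to verification failure (30)\n")
CONFIG_MISSING_TA = "hostname cx6100\n"                                   # assumed minimal config
CONFIG_WITH_TA = "hostname cx6100\ncrypto pki ta-profile sys_central_nac\n"  # TA profile pushed

# 'Key   : Value' rows of 'show radius-server detail' (key may itself contain ':').
KV = re.compile(r"^(\S.*?)\s+:\s*(.*)$")
# Certificate rejection event as logged by port-accessd.
CERT_REJECT = re.compile(r"Certificate (\S+) rejected due to verification failure \((\d+)\)")


def parse_detail(text):
    """Turn the key/value rows of 'show radius-server detail' into a dict."""
    out = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            out[m.group(1).strip()] = m.group(2).strip()
    return out


def cert_rejections(events):
    """Return (certificate subject, failure code) for every rejection event."""
    return [(m.group(1), int(m.group(2))) for m in CERT_REJECT.finditer(events)]


def diagnose(detail_text, events, running_config, group="sys_central_nac"):
    """Correlate RadSec status, event log and running config into findings."""
    d = parse_detail(detail_text)
    findings = []
    if d.get("TLS Enabled") == "Yes" and d.get("TLS Connection Status") == "tls_connection_failed":
        findings.append(f"RadSec to {d.get('Server-Name')} port {d.get('Auth-Port')}: TLS handshake failing")
    for subject, code in cert_rejections(events):
        findings.append(f"server certificate {subject} rejected (verification failure {code}): trust anchor problem")
    ta_line = f"crypto pki ta-profile {group}"
    if not any(line.strip().startswith(ta_line) for line in running_config.splitlines()):
        findings.append(f"'{ta_line}' absent from running config: TA profile not pushed from Central")
    return findings
```

Run on the constructed inputs, the missing-TA config yields all three findings; once the TA profile line is present only the status and event findings remain, which points at a config push problem rather than a bad certificate.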



  • 7.  RE: Central NAC - problem with wired authentication

    Posted 4 days ago

    No, I cannot find that line. What should I do in Central to push that?

    -------------------------------------------



  • 8.  RE: Central NAC - problem with wired authentication

    Posted 3 days ago

    The switch command to check that the TA cert is installed.

    Also check the RadSec application identity.

    I am not sure when the cert gets pushed, but I think it should be when you configure the Central NAC server group in the switch system profile or AAA Authentication profile.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 9.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    Yup, it was the TA profile that was not being pushed to the switch. The profiles were correctly configured but there was something that was not assigned to the "Global" scope, I think.

    -------------------------------------------



  • 10.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    Yup, that was it. Thanks for the assistance - I guess it was the mess of scopes used in the lab environment ;) Likely in a real client it would all be assigned to "Global" anyway.

    -------------------------------------------



  • 11.  RE: Central NAC - problem with wired authentication

    Posted yesterday

    Thanks folks.

    Had a remote session with Willem last Friday and we were able to set it up. The configuration was correct, but there was some mess with scopes that was preventing the TA profile from being pushed to the switch.

    -------------------------------------------