  • 1.  Clearpass and Aruba AP-505 issue

    Posted Nov 19, 2024 05:07 PM

    Hi all,

    I've been troubleshooting for a couple of days but I can't find what's going wrong in our situation. Hopefully someone can guide me in the right direction.

    Our setup on this location:

    Cisco 9200L

    Aruba AP-505

    Clearpass Policy Manager 6.12.2

    We are trying to create a secure port with 802.1x for our Access points. Cisco switch port configuration:

     switchport trunk native vlan 2020
     switchport trunk allowed vlan 2001,2020,2160,2165
     switchport mode trunk
     ip arp inspection limit rate 500
     no logging event link-status
     authentication control-direction in
     authentication event fail retry 3 action next-method
     authentication event server dead action authorize vlan 2010
     authentication event no-response action authorize vlan 2010
     authentication event server alive action reinitialize
     authentication host-mode multi-host
     authentication order dot1x
     authentication priority dot1x
     authentication port-control auto
     authentication timer inactivity 120
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 3
     dot1x max-reauth-req 3
     dot1x timeout auth-period 3
     storm-control broadcast level 10.00 5.00
     storm-control action trap
     service-policy output AutoQos-4.0-Output-Policy

    Device gets successfully accepted by Clearpass and put into the right VLAN.

    On the switch everything looks fine as well.
    In the Aruba portal the AP status is online, but the uplink of the AP stays down and both radios are down as well. (The device is pingable and accessible via PuTTY.)
    AP status via console
    If we use a switch configuration without port security everything works as it should. 
     switchport trunk native vlan 2020
     switchport trunk allowed vlan 2001,2020,2160,2165
     switchport mode trunk
     no logging event link-status
    Any ideas on what to troubleshoot to get it working over a secure port?


  • 2.  RE: Clearpass and Aruba AP-505 issue

    Posted Nov 20, 2024 03:06 AM

    Hi, have you configured the Aruba AP in Central to be an 802.1X supplicant? The AP would need access to Central first to download the config, of course, and after that undergo 802.1X authentication. There is a video on Airheads on how to set up the 802.1X service for Aruba APs.
    I don't know what attributes ClearPass should return for a Cisco switch to get an untagged mgmt VLAN and several tagged VLANs. I don't know if Cisco switches support egress VLAN ID attributes. I usually have a dummy access VLAN configured on the switch port for colorless ports and I let ClearPass assign the VLAN/VLANs so the config is exactly the same on each port.

    https://www.youtube.com/watch?v=5QjUix9yL1U&t=264s




  • 3.  RE: Clearpass and Aruba AP-505 issue

    Posted Nov 20, 2024 03:59 AM

    Hi,

    Yes, we do have AP1X configured in the portal. We have the same configuration working on 2 other sites/locations. They all use the same Clearpass and Aruba Central configuration.




  • 4.  RE: Clearpass and Aruba AP-505 issue

    Posted Nov 20, 2024 11:49 AM

    What version of AOS is the AP running?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass and Aruba AP-505 issue

    Posted Nov 20, 2024 02:30 PM

    8.10.0.14_90752



  • 6.  RE: Clearpass and Aruba AP-505 issue

    Posted Nov 20, 2024 02:54 PM

    The best option I can provide, other than contacting TAC, who are going to want the same information, is to get on the console of the AP and grab the log and/or tech-support. That would be the best indicator of what is happening from the AP's standpoint.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------