Security

  • 1.  Clearpass CLI Enforcement

    Posted Jun 20, 2023 02:42 PM

    Hi,

    I've been struggling with the CLI enforcement command syntax for the Aruba 2930 series switch and wonder if anyone has managed to get this working?

    I have created the CLI profile to change a dynamic VLAN into a static VLAN when a MAC Auth request is seen by ClearPass for a group of hosts. I have also configured the CLI Settings on the ClearPass device to allow the Policy Manager to make changes via SSH.

    The problem I'm having is that I can see the user account (the Policy Manager) log on to the switch, however it doesn't seem to be deploying the commands stated in the CLI profile. Everything looks fine in Access Tracker. So I'm thinking either the command syntax is wrong or the switch "Vendor Name" is incorrect. However, I have tried Aruba, HPE and HC3 and it's the same result: Policy Manager logs into the switch, doesn't seem to deploy any config, and then logs out.

    Command:

    configure

    static-vlan 240

    Any help or pointers (resources) would be gratefully appreciated.



  • 2.  RE: Clearpass CLI Enforcement

    Posted Jun 21, 2023 04:46 AM

    With a bit of trial and error I managed to figure out the syntax for the Aruba 2930 switches; see the example below. It looks like the configuration being deployed needs to be bookended with double quote marks.

       Attribute Name     Attribute Value
    1. Target Device    = %{Connection:NAD-IP-Address}
    2. Command          = "configure
                           static-vlan 240
                           exit"



  • 3.  RE: Clearpass CLI Enforcement

    Posted Jun 26, 2023 09:22 AM

    Great that you got it working. Note that CLI Enforcement was added in the past only for a specific use case, I think it was Meru controllers or so, and should be avoided whenever you have the possibility to use RADIUS, which works much faster and more reliably. I don't know of customers that are using CLI enforcement.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------