Security


Brocade COA Problem

  • 1.  Brocade COA Problem

    Posted Apr 09, 2015 12:15 PM

    Hello

    I am trying to do a health check for wired users on a Brocade ICX 6450 switch.

    By default there's no COA profile for Brocade, so I made one; according to Brocade, the request needs to have the NAS identifier and session.

    Here's the profile I made

    [image: coa-brocade.JPG]

    And I used it in an enforcement policy inside the web auth services that I use for the health check with the persistent agent.

    Here are the services I configured.

    [images: all-services.JPG, web auth services.JPG]

    The plan is that when a user with a non-compliant health posture connects, he will be placed in VLAN 20, then do the health check, get COA'd, reconnect, and get VLAN 10, which is the authentication VLAN.

    And MAC authentication will be used for IP phones.

    I am facing two problems: the PCs are sometimes using their MAC addresses as the username although they are configured correctly for dot1x, and the phones are doing the opposite, sometimes doing dot1x although they're MAC-authentication based.

    The second problem is that when I try to do COA, I get the following in the log.

    2015-04-09 18:40:09,126[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Identifier}, error=No values for param=Radius:IETF:NAS-Identifier
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Identifier value = %{Radius:IETF:NAS-Identifier}. Searching attributes from battery
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-IP-Address}, error=No values for param=Radius:IETF:NAS-IP-Address
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-IP-Address value = %{Radius:IETF:NAS-IP-Address}. Searching attributes from battery

    So this means COA is not correct. Maybe I understood wrong, but I am using variables in the fields of the enforcement profile; if I'm supposed to use actual values, what would the NAS identifier be? And would the calling station ID be the MAC address of the PC and the NAS IP address the switch's IP address?

    Also here's the switch's configuration:

    ver 08.0.20bT313
    !
    stack unit 1
    module 1 icx6450-24p-poe-port-management-module
    module 2 icx6450-sfp-plus-4port-40g-module
    !
    !
    !
    !
    vlan 1 name DEFAULT-VLAN by port
    !
    vlan 10 name allowed by port
    untagged ethe 1/1/23 to 1/1/24
    router-interface ve 10
    !
    vlan 20 name unallowed by port
    untagged ethe 1/1/3
    router-interface ve 20
    !
    vlan 30 name voice by port
    untagged ethe 1/1/22
    router-interface ve 30
    !
    vlan 99 name parking-vlan by port
    untagged ethe 1/1/21
    router-interface ve 99
    !
    !
    !
    !
    authentication
    auth-default-vlan 99
    no filter-strict-security enable
    re-authentication
    dot1x enable
    dot1x enable ethe 1/1/2
    mac-authentication enable
    mac-authentication enable ethe 1/1/2
    !
    aaa authentication dot1x default radius
    aaa authorization commands 0 default radius
    aaa authorization coa enable
    aaa accounting dot1x default start-stop radius
    boot sys fl sec
    enable snmp config-radius
    enable telnet password .....
    enable super-user-password .....
    hostname brocade
    ip dhcp-server enable
    !
    ip dhcp-server pool allowed-pool
    dhcp-default-router 10.0.0.1
    dns-server 4.2.2.2
    domain-name allowed.brocade.com
    lease 1 0 0
    network 10.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool unallowed-pool
    dhcp-default-router 20.0.0.1
    dns-server 4.2.2.2
    domain-name unallowed.brocade.com
    lease 1 0 0
    network 20.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool voice-pool
    dhcp-default-router 30.0.0.1
    dns-server 4.2.2.2
    domain-name voice.brocade.com
    lease 1 0 0
    network 30.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool parking-vlan
    dhcp-default-router 99.99.99.1
    dns-server 4.2.2.2
    domain-name parking.brocade.com
    lease 1 0 0
    network 99.99.99.0 255.255.255.0
    deploy
    !
    ip dns server-address 163.121.128.134
    ip route 0.0.0.0/0 10.131.71.200
    !
    username salec password .....
    radius-client coa host 10.131.71.200 key 2 $ZF5uIVVTIS0tWnw4
    radius-server host 10.131.71.200 auth-port 1812 acct-port 1813 default key 2 $ZF5uIVVTIS0tWnw4
    radius-server key 2 $ZF5uIVVTIS0tWnw4
    snmp-server community ..... rw
    snmp-server enable ethe 1/1/1
    !
    !
    no port bootp
    !
    !
    !
    interface ethernet 1/1/1
    ip address 10.131.71.179 255.255.255.0
    no ip dhcp-client enable
    !
    interface ethernet 1/1/2
    dot1x port-control auto
    inline power power-limit 15000
    !
    interface ve 10
    ip address 10.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    interface ve 20
    ip address 20.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    interface ve 30
    ip address 30.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    !
    !
    !
    !
    !
    !
    ip ssh password-authentication no
    ip ssh permit-empty-passwd yes
    ip ssh interactive-authentication no
    !
    !
    end

    Thanks in advance, and I apologise for the lengthy post.
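    Added example, not from the thread or from ClearPass: a small parser that runs over ClearPass log lines like the ones quoted in this post and reports, per request ID, which %{...} parameters the CoA enforcement-profile builder could not resolve. The sample lines are copied from the post above; the regexes and function names are mine.

```python
# Added example, not from the thread: detect unresolved %{...} parameters in
# ClearPass CoA enforcement-profile log lines and group them by request ID.
import re
from collections import defaultdict

# Header: timestamp[thread r=<request id> h=<n> c=<correlation id>] LEVEL Component - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\[(?P<thread>\S+) r=(?P<req>\S+) "
    r"h=\d+ c=\S+\] (?P<level>\w+) (?P<component>\S+) - (?P<msg>.*)$"
)
# The two message shapes seen in the post when a profile variable has no value.
UNRESOLVED_RE = re.compile(
    r"No values for param=(?P<p>\S+)|Failed to find finalValue for name= (?P<n>\S+)"
)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def unresolved_coa_params(lines):
    """Return {request_id: sorted list of parameters the CoA builder could not fill}."""
    found = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["component"] not in ("Util.ParameterizedString",
                                    "Core.PETaskRadiusCoAEnfProfileBuilder"):
            continue
        m = UNRESOLVED_RE.search(rec["msg"])
        if m:
            found[rec["req"]].add(m.group("p") or m.group("n"))
    return {req: sorted(params) for req, params in found.items()}

# Sample input copied from the post above (three of the six lines).
SAMPLE_LOG = """\
2015-04-09 18:40:09,126[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Identifier value = %{Radius:IETF:NAS-Identifier}. Searching attributes from battery
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-IP-Address}, error=No values for param=Radius:IETF:NAS-IP-Address
"""

if __name__ == "__main__":
    for req, params in unresolved_coa_params(SAMPLE_LOG.splitlines()).items():
        print(req, "could not resolve:", ", ".join(params))
```

    A non-empty result means the profile references attributes that are absent from the session it is being applied to, which is the condition the WARN/ERROR pair above records.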




  • 2.  RE: Brocade COA Problem

    Posted Apr 09, 2015 12:55 PM

    Can you please confirm you are running at least 08020b code on the ICX?

    Are the logs from manually trying to perform a CoA from AT?

    Did you enable the CoA support in the NAS when you defined it?

    And did you select 'Brocade' as the Vendor Name in the NAS definition?



  • 3.  RE: Brocade COA Problem

    Posted Apr 10, 2015 08:36 AM

    Hi

    Yes, I'm running the latest code from Brocade.

    I am doing COA both manually and automatically, but automatic is not working; that's why I tried it manually, and it's not working either.

    Yes, I enabled COA on the Brocade switch and in the ClearPass network access device.



  • 4.  RE: Brocade COA Problem

    Posted Apr 14, 2015 01:38 PM

    Are you able to redirect the user to download the OnGuard agent? I'd like to display a captive portal on an ICX6450, but it looks like only internal switch web auth is supported on 08.0.30.



  • 5.  RE: Brocade COA Problem

    Posted Apr 14, 2015 02:25 PM

    No, I wasn't able to; I had to use the persistent agent.

    How do you plan on doing the OnGuard? How will you manage to reconnect users again after updating their health token?

    Please share your knowledge; I hit a dead end with this Brocade switch.



  • 6.  RE: Brocade COA Problem
    Best Answer

    Posted Apr 16, 2015 09:39 AM

    I've had Brocade CoA to ICX switches (based on OnGuard) working in the lab, and my enforcement policy looks the same as yours except I didn't include the NAS-Identifier attribute; I don't believe this is needed.

    The only differences I can see from my lab configuration are the following additional authentication commands on the switch:

    auth-order mac-auth dot1x
    mac-authentication dot1x-override

    This was on an ICX6610 running 08.0.20.

    Hope this helps.
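    Added example, not from the thread or from ClearPass: what the CoA-Request that the enforcement profile is meant to produce looks like on the wire per RFC 5176, using the session-identification attributes the answer above keeps (NAS-IP-Address, Calling-Station-Id and, as my assumption for "session", Acct-Session-Id; NAS-Identifier left out), together with the Request Authenticator check the receiving switch performs with the shared secret. The switch address is the one in the thread's config; the MAC, session ID and secret are constructed placeholders.

```python
# Added example, not from the thread or from ClearPass: build an RFC 5176
# CoA-Request carrying session-identification attributes and verify its
# Request Authenticator the way the receiving NAS does.
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS code for CoA-Request (RFC 5176)
# IETF attribute types; NAS-Identifier (32) is listed but, following the
# best answer above, not sent in the sample request.
ATTR = {"NAS-IP-Address": 4, "Calling-Station-Id": 31,
        "NAS-Identifier": 32, "Acct-Session-Id": 44}

def encode_attr(name, value):
    """Type | Length | Value; Length counts the 2-byte header too."""
    if name == "NAS-IP-Address":
        data = bytes(int(o) for o in value.split("."))  # 4-octet address
    else:
        data = value.encode()
    return struct.pack("!BB", ATTR[name], 2 + len(data)) + data

def build_coa_request(secret, identifier, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_coa_request(packet, secret):
    """True only if the length field is sane and the authenticator matches the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: switch address from the thread's config; MAC, session ID
# and secret are placeholders, not real values.
SAMPLE_SECRET = b"placeholder-shared-secret"
SAMPLE_ATTRS = [("NAS-IP-Address", "10.131.71.179"),
                ("Calling-Station-Id", "00-11-22-33-44-55"),
                ("Acct-Session-Id", "0000001A")]

if __name__ == "__main__":
    pkt = build_coa_request(SAMPLE_SECRET, 7, SAMPLE_ATTRS)
    print(pkt.hex(), verify_coa_request(pkt, SAMPLE_SECRET))
```

    A request built with a secret that differs from the switch's radius-client coa key fails this check and is silently dropped by the NAS, which is one thing to rule out alongside the unresolved-variable errors in the first post.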