Occasional Contributor II

Brocade COA Problem

Hello

I am trying to do a health check for wired users on a Brocade ICX 6450 switch.

By default there's no COA profile for Brocade, so I made one; according to Brocade, the request needs to have the NAS identifier and session.

Here's the profile I made

[attached image: coa-brocade.JPG]

And I used it in an enforcement policy inside the web auth service that I use for the health check with the persistent agent.


Here's the services I configured.

[attached images: all-services.JPG, web auth services.JPG]

The plan is that when a user with a non-compliant health posture connects, he will be placed in VLAN 20, then do the health check, get COA'd, reconnect and get VLAN 10, which is the authentication VLAN.

And the MAC authentication will be used for IP phones.

I am facing two problems. The PCs are sometimes using their MAC addresses as the username although they are configured correctly for dot1x, and the phones are doing the opposite: sometimes dot1x although they are MAC authentication based.


The second problem is that when I try to do COA, I get the following in the log:

2015-04-09 18:40:09,126[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Identifier}, error=No values for param=Radius:IETF:NAS-Identifier
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Identifier value = %{Radius:IETF:NAS-Identifier}. Searching attributes from battery
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-IP-Address}, error=No values for param=Radius:IETF:NAS-IP-Address
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-IP-Address value = %{Radius:IETF:NAS-IP-Address}. Searching attributes from battery
So this means the COA is not correct. Maybe I understood wrong, but I am using variables in the fields of the enforcement profile. If I'm supposed to use actual values, what would the NAS identifier be? And would the calling station id be the MAC address of the PC, and the NAS IP address the switch's IP address?


Also, here's the switch's configuration:

"

ver 08.0.20bT313
!
stack unit 1
module 1 icx6450-24p-poe-port-management-module
module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 name allowed by port
untagged ethe 1/1/23 to 1/1/24
router-interface ve 10
!
vlan 20 name unallowed by port
untagged ethe 1/1/3
router-interface ve 20
!
vlan 30 name voice by port
untagged ethe 1/1/22
router-interface ve 30
!
vlan 99 name parking-vlan by port
untagged ethe 1/1/21
router-interface ve 99
!
!
!
!
authentication
auth-default-vlan 99
no filter-strict-security enable
re-authentication
dot1x enable
dot1x enable ethe 1/1/2
mac-authentication enable
mac-authentication enable ethe 1/1/2
!
aaa authentication dot1x default radius
aaa authorization commands 0 default radius
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
boot sys fl sec
enable snmp config-radius
enable telnet password .....
enable super-user-password .....
hostname brocade
ip dhcp-server enable
!
ip dhcp-server pool allowed-pool
dhcp-default-router 10.0.0.1
dns-server 4.2.2.2
domain-name allowed.brocade.com
lease 1 0 0
network 10.0.0.0 255.255.255.0
deploy
!
!
ip dhcp-server pool unallowed-pool
dhcp-default-router 20.0.0.1
dns-server 4.2.2.2
domain-name unallowed.brocade.com
lease 1 0 0
network 20.0.0.0 255.255.255.0
deploy
!
!
ip dhcp-server pool voice-pool
dhcp-default-router 30.0.0.1
dns-server 4.2.2.2
domain-name voice.brocade.com
lease 1 0 0
network 30.0.0.0 255.255.255.0
deploy
!
!
ip dhcp-server pool parking-vlan
dhcp-default-router 99.99.99.1
dns-server 4.2.2.2
domain-name parking.brocade.com
lease 1 0 0
network 99.99.99.0 255.255.255.0
deploy
!
ip dns server-address 163.121.128.134
ip route 0.0.0.0/0 10.131.71.200
!
username salec password .....
radius-client coa host 10.131.71.200 key 2 $ZF5uIVVTIS0tWnw4
radius-server host 10.131.71.200 auth-port 1812 acct-port 1813 default key 2 $ZF5uIVVTIS0tWnw4
radius-server key 2 $ZF5uIVVTIS0tWnw4
snmp-server community ..... rw
snmp-server enable ethe 1/1/1
!
!
no port bootp
!
!
!
interface ethernet 1/1/1
ip address 10.131.71.179 255.255.255.0
no ip dhcp-client enable
!
interface ethernet 1/1/2
dot1x port-control auto
inline power power-limit 15000
!
interface ve 10
ip address 10.0.0.1 255.255.255.0
ip helper-address 1 10.131.71.200
!
interface ve 20
ip address 20.0.0.1 255.255.255.0
ip helper-address 1 10.131.71.200
!
interface ve 30
ip address 30.0.0.1 255.255.255.0
ip helper-address 1 10.131.71.200
!
!
!
!
!
!
!
ip ssh password-authentication no
ip ssh permit-empty-passwd yes
ip ssh interactive-authentication no
!
!
end

"


Thanks in advance, and I apologise for the lengthy post.
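An added example, not part of the original thread and not ClearPass code: a small Python parser that reads ClearPass log lines shaped like the ones posted above and lists which %{...} template parameters failed to resolve, together with a hypothetical resolve_profile() that mimics the substitution step an enforcement profile goes through against a session attribute dictionary. The sample log reuses the posted lines plus one constructed filler line; the profile, the session dictionary and its NAS IP value are assumptions made for the example.

```python
"""Added example: parse ClearPass CoA enforcement-profile log lines and
reproduce the %{...} template substitution that the WARN/ERROR lines report on.
Not ClearPass code; the sample log and the attribute dictionary are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first three lines mirror the log excerpt posted in the
# thread; the last line is a made-up non-matching record to show it is ignored.
SAMPLE_LOG = """\
2015-04-09 18:40:09,126[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Identifier}, error=No values for param=Radius:IETF:NAS-Identifier
2015-04-09 18:40:09,130[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] INFO Core.PETaskRadiusCoAEnfProfileBuilder - constructed filler line, not from the thread
"""

# One ClearPass log record: timestamp, [thread/request context], LEVEL, component, message.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
    r"\[(?P<ctx>[^\]]*)\]\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<component>\S+)\s+-\s+"
    r"(?P<msg>.*)$"
)
# The WARN line names the parameter it could not fill.
PARAM_RE = re.compile(r"No values for param=(?P<name>[A-Za-z0-9:_.-]+)")
# %{Namespace:Vendor:Attribute} placeholders as used in enforcement profiles.
TEMPLATE_RE = re.compile(r"%\{(?P<name>[^}]+)\}")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or None if it is not a log record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unresolved_params(log_text: str) -> List[str]:
    """Distinct template parameters ClearPass reported as having no value, in log order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "WARN":
            continue
        pm = PARAM_RE.search(rec["msg"])
        if pm and pm.group("name") not in seen:
            seen.append(pm.group("name"))
    return seen


def resolve_profile(profile: Dict[str, str], session: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Fill each %{...} in the profile's attribute values from the session dictionary.

    Returns (resolved attributes, names that had no value). Unfilled placeholders are
    left verbatim, matching what the ERROR line shows ("value = %{...}").
    """
    missing: List[str] = []

    def fill(m: "re.Match[str]") -> str:
        name = m.group("name")
        if name in session:
            return str(session[name])
        if name not in missing:
            missing.append(name)
        return m.group(0)

    resolved = {attr: TEMPLATE_RE.sub(fill, tmpl) for attr, tmpl in profile.items()}
    return resolved, missing


if __name__ == "__main__":
    print("unresolved in log:", unresolved_params(SAMPLE_LOG))
    # Hypothetical profile shaped like the one in the thread, and a session that
    # (by construction) carries only the NAS IP, so two placeholders stay unfilled.
    profile = {
        "Radius:IETF:Calling-Station-Id": "%{Radius:IETF:Calling-Station-Id}",
        "Radius:IETF:NAS-Identifier": "%{Radius:IETF:NAS-Identifier}",
        "Radius:IETF:NAS-IP-Address": "%{Radius:IETF:NAS-IP-Address}",
    }
    session = {"Radius:IETF:NAS-IP-Address": "10.131.71.179"}  # switch IP from the posted config
    print(resolve_profile(profile, session))
```

Running this over the posted excerpt yields Calling-Station-Id and NAS-Identifier (and, on the full excerpt, NAS-IP-Address) as the parameters with no value, which is the same diagnosis the log spells out one line at a time: the placeholders are fine, but the session the CoA is built from does not carry those attributes, so the first thing to check is the session record the CoA is built from rather than the profile syntax.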


Moderator

Re: Brocade COA Problem

Can you please confirm you are running at least 08020b code on the ICX?


Are the logs from manually trying to perform a CoA from AT?


Did you enable the CoA support in the NAS when you defined it?


And did you select 'Brocade' as the Vendor Name in the NAS definition?


Best Regards
-d

ClearPass Product Manager

Occasional Contributor II

Re: Brocade COA Problem

Hi

Yes, I'm running the latest code from Brocade.

I am doing COA both manually and automatically, but automatically is not working; that's why I tried manually, and it's not working either.

Yes, I enabled COA on the Brocade switch and in the ClearPass network access device.

Regular Contributor I

Re: Brocade COA Problem

Are you able to redirect the user to download the OnGuard agent? I'd like to display a captive portal on an ICX6450, but it looks like only internal switch web auth is supported on 08.0.30.

Regards,

Josh
___________
ACMP, ACCP
Occasional Contributor II

Re: Brocade COA Problem

No, I wasn't able to; I had to use the persistent agent.


How do you plan on doing the OnGuard? How will you manage to reconnect users again after updating their health token?

Please share your knowledge; I hit a dead end with this Brocade switch.

MVP

Re: Brocade COA Problem

I've had Brocade CoA to ICX switches (based on OnGuard) working in the lab, and my enforcement policy looks the same as yours except I didn't include the NAS-Identifier attribute; I don't believe this is needed.


The only differences I can see from my lab configuration are the following additional authentication commands on the switch:


auth-order mac-auth dot1x
mac-authentication dot1x-override

This was on an ICX6610 running 08.0.20.

Hope this helps.

David
ACDX #98 | ACMP | ACCP