Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

COA issue on hp 2920

  • 1.  COA issue on hp 2920

    Posted Oct 19, 2017 04:37 AM

    Hi,
    I'm facing an issue with HPE Bounce Host-Port with ClearPass. We received the below error:

    "Radius [HPE Bounce Host-Port] failed for client b86b2309fac4. Missing-Attribute." 



  • 2.  RE: COA issue on hp 2920

    EMPLOYEE
    Posted Oct 19, 2017 07:42 AM
    Which version of ClearPass?
    What version of code are you running in the Aruba switch?


  • 3.  RE: COA issue on hp 2920

    Posted Oct 19, 2017 08:21 AM

    Thanks.

    ClearPass Policy Manager 6.6.7.96909
    HPE Switch version : WB.15.11.0007



  • 4.  RE: COA issue on hp 2920

    EMPLOYEE
    Posted Oct 20, 2017 09:04 AM

    CoA Port Bounce appears to be introduced in ArubaOS 16.01 for switches. Can you upgrade to the latest release (16.04) and try again?



  • 5.  RE: COA issue on hp 2920

    Posted Oct 20, 2017 09:37 AM

    I have exactly the same problem...

     

    2920 Switch, running 16.04.0009, and every time I send a CoA I get the same error as you.  No amount of debugging the switch provides any insight about what attribute it thinks it's missing.

     

    The only difference between my case and yours, so far as I can see, is that I'm using Cisco ISE as the RADIUS Server.  We both get the same error though so presumably this points to a switch problem?

     

    The gist of my switch config is...

     

    Base-Config-2920(config)# sh ru | inc radius
    radius-server host 172.16.34.22 key <Some Pass>
    radius-server host 172.16.34.22 dyn-authorization
    radius-server host 172.16.34.22 time-window 0
    aaa server-group radius "CiscoISE" host <Some IP>
    aaa accounting network start-stop radius
    aaa authentication port-access eap-radius server-group "CiscoISE"

    Base-Config-2920(config)# sh ru | inc aaa
    aaa server-group radius "CiscoISE" host <Some IP>
    aaa accounting update periodic 1
    aaa accounting network start-stop radius
    aaa accounting session-id common
    aaa authentication port-access eap-radius server-group "CiscoISE"
    aaa authentication mac-based chap-radius server-group "CiscoISE"
    aaa port-access gvrp-vlans
    aaa port-access authenticator 2-24
    aaa port-access authenticator 2 quiet-period 30
    aaa port-access authenticator 2 unauth-period 30
    aaa port-access authenticator 2 logoff-period 86400
    aaa port-access authenticator 2 client-limit 3

    ...

    aaa port-access authenticator active
    aaa port-access mac-based 2-24
    aaa port-access mac-based 2 addr-moves
    aaa port-access mac-based 2 logoff-period 86400
    aaa port-access mac-based 2 quiet-period 30
    aaa port-access mac-based 2 reauth-period 14400

    ...

    aaa port-access 2 controlled-direction in
    aaa port-access 2 mixed

     

    And ISE is using the following attributes to initiate the CoA;

    HP-PORT-BOUNCE-HOST
    radius Acct-Session-Id
    radius calling-station-id
    radius event-timestamp
    radius nas-ip-address
    radius nas-port

     

    The 'error cause' message that gets sent back to the RADIUS Server by the switch says 'missing attribute', but I can't work out which one is missing.

     

    Both devices are in the same timezone and on the same NTP server.

     

    Any clues?!



  • 6.  RE: COA issue on hp 2920
    Best Answer

    Posted Oct 22, 2017 01:29 AM

    Hi,

    Thanks for your response. I have fixed the issue by adding three attributes. I attached a screenshot.
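
For the symptom in this thread (the switch answers the CoA with the error cause 'missing attribute' without naming it), one way to see what the CoA-Request actually carries is to decode a captured packet and compare it with the attribute list configured on the RADIUS server. The following is an added example, not part of any post above; the sample packets are constructed, the VSA payload is a placeholder, and the thread does not state which attributes the switch requires.

```python
import struct
# Codes and attribute numbers from RFC 2865, 2866, 2869 and 5176.
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 44: "Acct-Session-Id",
         55: "Event-Timestamp", 101: "Error-Cause"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               404: "Invalid Request", 503: "Session Context Not Found"}

def parse_radius(pkt):
    """Return (code name, [(attribute name, raw value), ...])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTRS.get(pkt[pos], "Attr-%d" % pkt[pos]), pkt[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, "Code-%d" % code), attrs

def error_cause(attrs):
    """Decode Error-Cause (attribute 101) from a CoA-NAK, or return None."""
    for name, value in attrs:
        if name == "Error-Cause" and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            return ERROR_CAUSE.get(num, "Error-Cause %d" % num)
    return None

def not_on_wire(attrs, configured):
    """Configured attribute names that the captured request does not carry."""
    return [n for n in configured if n not in {a for a, _ in attrs}]

def build_sample(code, attrs):
    """Build a constructed sample packet; the authenticator is zeroed, not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Attribute list from the CoA profile in post 5 (HP-PORT-BOUNCE-HOST is a VSA).
CONFIGURED = ["Vendor-Specific", "Acct-Session-Id", "Calling-Station-Id",
              "Event-Timestamp", "NAS-IP-Address", "NAS-Port"]
# Constructed capture: NAS-Port deliberately absent, VSA payload is a placeholder.
SAMPLE_REQUEST = build_sample(43, [(26, struct.pack("!I", 11) + b"\x00\x06\x00\x00\x00\x00"),
    (44, b"0000002A"), (31, b"00005e005301"), (55, struct.pack("!I", 1508491020)),
    (4, bytes([192, 0, 2, 10]))])
SAMPLE_NAK = build_sample(45, [(101, struct.pack("!I", 402))])
```

Feed `parse_radius` the UDP payload of a CoA exchange captured between the RADIUS server and the switch; `not_on_wire` then shows whether every configured attribute was really sent.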