Occasional Contributor I

COA issue on hp 2920

Hi,
I'm facing an issue with HPE Bounce Host-Port with ClearPass. We received the error below:

"Radius [HPE Bounce Host-Port] failed for client b86b2309fac4. Missing-Attribute." 

Guru Elite

Re: COA issue on hp 2920

Which version of ClearPass?
What version of code are you running in the Aruba switch?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor I

Re: COA issue on hp 2920

Thanks.

ClearPass Policy Manager 6.6.7.96909
HPE Switch version : WB.15.11.0007

Re: COA issue on hp 2920

CoA Port Bounce appears to be introduced in ArubaOS 16.01 for switches. Can you upgrade to the latest release (16.04) and try again?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.

New Contributor

Re: COA issue on hp 2920

I have exactly the same problem...

2920 Switch, running 16.04.0009, and every time I send a CoA I get the same error as you. No amount of debugging the switch provides any insight about what attribute it thinks it's missing.

The only difference between my case and yours, so far as I can see, is that I'm using Cisco ISE as the RADIUS Server. We both get the same error though so presumably this points to a switch problem?

The gist of my switch config is...

Base-Config-2920(config)# sh ru | inc radius
radius-server host 172.16.34.22 key <Some Pass>
radius-server host 172.16.34.22 dyn-authorization
radius-server host 172.16.34.22 time-window 0
aaa server-group radius "CiscoISE" host <Some IP>
aaa accounting network start-stop radius
aaa authentication port-access eap-radius server-group "CiscoISE"

Base-Config-2920(config)# sh ru | inc aaa
aaa server-group radius "CiscoISE" host <Some IP>
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting session-id common
aaa authentication port-access eap-radius server-group "CiscoISE"
aaa authentication mac-based chap-radius server-group "CiscoISE"
aaa port-access gvrp-vlans
aaa port-access authenticator 2-24
aaa port-access authenticator 2 quiet-period 30
aaa port-access authenticator 2 unauth-period 30
aaa port-access authenticator 2 logoff-period 86400
aaa port-access authenticator 2 client-limit 3

...

aaa port-access authenticator active
aaa port-access mac-based 2-24
aaa port-access mac-based 2 addr-moves
aaa port-access mac-based 2 logoff-period 86400
aaa port-access mac-based 2 quiet-period 30
aaa port-access mac-based 2 reauth-period 14400

...

aaa port-access 2 controlled-direction in
aaa port-access 2 mixed

 

And ISE is using the following attributes to initiate the CoA:

HP-PORT-BOUNCE-HOST
radius Acct-Session-Id
radius calling-station-id
radius event-timestamp
radius nas-ip-address
radius nas-port

The 'error cause' message that gets sent back to the RADIUS Server by the switch says 'missing attribute', but I can't work out which one is missing.

Both devices in the same timezone and on the same NTP server.

Any clues?!
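
Added example, not part of the thread and not vendor code: a small decoder for comparing, from a packet capture, which attributes a CoA-Request actually carried on the wire against the Error-Cause the switch returned in its CoA-NAK. Packet codes and Error-Cause values are from RFC 5176; the sample packets are constructed, and the authenticator field is not verified.

```python
import struct

# Dynamic-authorization packet codes and Error-Cause values (RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               407: "Invalid Attribute Value", 503: "Session Context Not Found"}
# Standard attribute types named in the thread, plus VSA and Error-Cause
ATTRS = {4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 44: "Acct-Session-Id",
         55: "Event-Timestamp", 101: "Error-Cause"}

def parse(packet: bytes) -> dict:
    """Split a RADIUS packet into code, id and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def attr_names(parsed: dict) -> list:
    """Names of the attributes present, in wire order."""
    return [ATTRS.get(t, f"type-{t}") for t, _ in parsed["attrs"]]

def error_cause(parsed: dict):
    """Decoded Error-Cause (attribute 101) of a NAK, or None if absent."""
    for atype, value in parsed["attrs"]:
        if atype == 101 and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            return f"{n} ({ERROR_CAUSE.get(n, 'unknown')})"
    return None

# Constructed samples (zeroed authenticators, made-up values)
SAMPLE_REQ = (bytes([43, 7, 0, 36]) + bytes(16) + bytes([44, 10]) + b"0012ABCD"
              + bytes([4, 6, 192, 0, 2, 10]))
SAMPLE_NAK = bytes([45, 7, 0, 26]) + bytes(16) + bytes([101, 6]) + struct.pack("!I", 402)

if __name__ == "__main__":
    print(attr_names(parse(SAMPLE_REQ)))
    print(error_cause(parse(SAMPLE_NAK)))
```

Feed it the UDP payloads of the CoA-Request and CoA-NAK exported from a capture between the RADIUS server and the switch.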

Occasional Contributor I

Re: COA issue on hp 2920

Hi,

Thanks for your response. I have fixed the issue by adding three attributes. I attached a screenshot.

