Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass CoA issue with HP

  • 1.  Clearpass CoA issue with HP

    Posted Nov 05, 2014 03:16 PM

    Hello,

    I am having some issues with CoA on a HP E3800.

    I configured the switch to do EAP-RADIUS authentication on port 23 and that works fine. However, when I submit a change of status it fails.

    CoA port: 3799 on both ClearPass and the HP switch

    show run output :

    radius-server host 10.0.0.156 key "arubahptest"

    aaa accounting commands interim-update radius
    aaa authorization commands radius
    aaa authentication port-access eap-radius
    aaa port-access authenticator 23
    aaa port-access authenticator active

    [attached screenshot: Change status.PNG]

    [attached screenshot: Failed.PNG]

    Has anyone else run into a similar issue?



  • 2.  RE: Clearpass CoA issue with HP

    EMPLOYEE
    Posted Nov 05, 2014 03:21 PM

    Did you verify that the switch supports it?

    Also, most switches require that you enable CoA.


  • 3.  RE: Clearpass CoA issue with HP

    Posted Nov 05, 2014 03:26 PM

    [attached screenshot: 2014-11-05 15_23_01-ClearPass Policy Manager - Aruba Networks.png]

    [attached screenshot: 2014-11-05 15_24_49-vendor_HP.png]



  • 4.  RE: Clearpass CoA issue with HP

    Posted Nov 05, 2014 03:54 PM

    * Make sure the IETF:NAS-IP-Address attribute matches the IP you have defined for the device in CPPM
    * Make sure you have selected the correct vendor + enabled CoA in the CPPM device
    * Make sure CoA is enabled for the CPPM IP on the switch

    For HP ProCurve related 802.1X see this great wiki page at the FreeRADIUS wiki: http://wiki.freeradius.org/vendor/HP#RFC-3576-Change-of-Authorisation-&-Disconnect-Message



  • 5.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 10:41 AM

    I have checked the items listed above and still no success. I did check and HP states they support CoA. Any other gotchas?



  • 6.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 01:22 PM

    HP 3800 supports CoA, yes. I have had this working with HP ProCurve 3500/5400/8200 series, but the 3800 should be in the same family.

    Are you sure you have configured CoA (or dynamic-author) correctly on the HP 3800? Can you paste the relevant config?

    You can also try to enable accounting on the HP 3800 and see if that changes anything.

    Do you see anything in the logging of the HP 3800? ("show log -r")

    Also, if all fails, you can check with a packet capture whether CPPM is sending the correct request.



  • 7.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 01:30 PM

    This should work, I tested this out with a 3800 recently with no issues.



  • 8.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 02:09 PM

    hostname "HP-3800-48G-PoEP-4SFP+"
    module 1 type j9574y
    module 2 type j9574x
    radius-server host 10.0.0.156 dyn-authorization
    radius-server host 10.0.0.156 key "arubahptest"
    radius-server key "arubahptest"
    ip default-gateway 10.0.0.254
    ip route 0.0.0.0 0.0.0.0 10.0.0.254
    ip routing

    aaa accounting commands interim-update radius
    aaa authorization commands radius
    aaa authentication port-access eap-radius
    aaa port-access authenticator 23
    aaa port-access authenticator active
    oobm



  • 9.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 02:17 PM

    Does this switch have multiple IP addresses? What is the value of the Radius:IETF:NAS-IP-Address attribute?

    Can you post snippets from the request in the access tracker?



  • 10.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 02:24 PM

    [attached screenshot: ssss.PNG]



  • 11.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 03:03 PM

    Can you post a screenshot from the related Device configuration in CPPM? (the RADIUS client, being the switch)



  • 12.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 03:41 PM
    Is there a firewall in between blocking these by any chance?


  • 13.  RE: Clearpass CoA issue with HP

    EMPLOYEE
    Posted Nov 06, 2014 06:06 PM

    If you run:

    show radius

    does it say Yes in the DM/CoA column for the server?



  • 14.  RE: Clearpass CoA issue with HP

    Posted Nov 06, 2014 07:17 PM

    There is no firewall between the switch and the server. The ClearPass server is connected to the same switch that the test PC is on. In ClearPass Policy Manager, the device was added using the correct phrase and the same CoA port with the correct vendor selected.


    HP-3800-48G-PoEP-4SFP+# show radius

    Status and Counters - General RADIUS Information

    Deadtime(min) : 0
    Timeout(secs) : 5
    Retransmit Attempts : 3
    Global Encryption Key : arubaiswarm
    Dynamic Authorization UDP Port : 3799
    Source IP Selection : Outgoing Interface

                      Auth Acct DM/  Time   |
    Server IP Addr    Port Port CoA  Window | Encryption Key                   OOBM
    ----------------  ---- ---- ---  ------ + -------------------------------- ----
    10.0.0.156        1812 1813 Yes  300    | arubaiswarm                      No



  • 15.  RE: Clearpass CoA issue with HP

    Posted Nov 07, 2014 05:32 AM

    Did you add the device in CPPM using the unique IP (/32) or did you add a subnet? (like a /24)



  • 16.  RE: Clearpass CoA issue with HP

    Posted Nov 14, 2014 01:45 PM

    I set up debugging on the switch and got the following output:

    HP-3800-48G-PoEP-4SFP+(config)# show debug buffer -r
    0155:00:02:03.25 RAD tRadiusR:DISCONNECT REQUEST id: 168 from 10.0.0.156
    DROPPED, Event-Timestamp Attribute is either missing or is not current.
    0155:00:02:03.25 RAD tRadiusR:DISCONNECT REQUEST id: 168 from 10.0.0.156
    received.
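The switch log above says the Disconnect-Request was dropped because the RFC 5176 Event-Timestamp attribute was missing or outside the 300 s "Time Window" shown in the show radius output. The following is an added example, not code from this thread or from ClearPass or HP: it builds a constructed Disconnect-Request and applies the same freshness check a NAS applies, so a packet capture of what CPPM sends can be validated offline. The NAS address 10.0.0.10 and session id are made-up sample values.

```python
import struct
import time

# RADIUS codes and attribute types (RFC 5176 Disconnect-Request, RFC 2869 Event-Timestamp)
DISCONNECT_REQUEST = 40
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44
ATTR_EVENT_TIMESTAMP = 55
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def u32(n):
    """Encode an integer attribute value (Event-Timestamp is seconds since epoch, big-endian)."""
    return struct.pack("!I", n)


def build_disconnect_request(ident, attrs, authenticator=b"\x00" * 16):
    """Serialise a Disconnect-Request: header followed by type/length/value attributes.
    The authenticator is left zeroed here; a real sender computes it over the shared secret."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return (code, id, [(type, value), ...]) and reject malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], HEADER_LEN
    while pos + 2 <= length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs


def check_event_timestamp(packet, now, window=300):
    """Mirror the NAS check: Event-Timestamp must be present and within `window` seconds of `now`."""
    code, ident, attrs = parse_attrs(packet)
    if code != DISCONNECT_REQUEST:
        return False, "not a Disconnect-Request"
    stamps = [v for t, v in attrs if t == ATTR_EVENT_TIMESTAMP]
    if not stamps:
        return False, "Event-Timestamp missing"
    if len(stamps[0]) != 4:
        return False, "Event-Timestamp malformed"
    skew = abs(now - struct.unpack("!I", stamps[0])[0])
    if skew > window:
        return False, "Event-Timestamp not current (skew %d s > %d s)" % (skew, window)
    return True, "ok"


if __name__ == "__main__":
    sample = [(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 10])), (ATTR_ACCT_SESSION_ID, b"0001")]
    print(check_event_timestamp(build_disconnect_request(168, sample), int(time.time())))
    print(check_event_timestamp(build_disconnect_request(168, sample + [(ATTR_EVENT_TIMESTAMP, u32(int(time.time())))]), int(time.time())))
```

A clock that is set by hand rather than by NTP drifts, so the same check fails once the skew between CPPM and the switch exceeds the window, which is why the NTP question below matters.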



  • 17.  RE: Clearpass CoA issue with HP

    Posted Nov 14, 2014 02:10 PM

    Do you have NTP configured on the switch?



  • 18.  RE: Clearpass CoA issue with HP

    Posted Nov 14, 2014 02:14 PM
    No, but the clock is set to the correct time and date.


  • 19.  RE: Clearpass CoA issue with HP

    Posted Nov 14, 2014 02:16 PM

    Hmm. Maybe you should open up a TAC case at Aruba. It's unclear if ClearPass is sending something incorrectly or if the HP switch is handling the request incorrectly.



  • 20.  RE: Clearpass CoA issue with HP

    Posted May 12, 2015 10:47 AM

    Just thought I would update this:

    I can't remember which code I was on, but after upgrading ClearPass to 5.0 the CoA with HP worked.