Occasional Contributor II
Posts: 15
Registered: ‎10-31-2014

Clearpass CoA issue with HP

Hello,

I am having some issues with CoA on an HP E3800.

I configured the switch to do EAP-radius authentications on port 23 and that works fine. However, when I submit a change status it fails.

CoA port: 3799 on both ClearPass and Hp switch

 

 

show run output :

radius-server host 10.0.0.156 key "arubahptest"

aaa accounting commands interim-update radius
aaa authorization commands radius
aaa authentication port-access eap-radius
aaa port-access authenticator 23
aaa port-access authenticator active

 

Change status.PNG

Failed.PNG

 

Has anyone else run into a similar issue?

Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: Clearpass CoA issue with HP


Did you verify that the switch supports it?

Also, most switches require that you enable CoA.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 4,020
Registered: ‎07-20-2011

Re: Clearpass CoA issue with HP

2014-11-05 15_23_01-ClearPass Policy Manager - Aruba Networks.png

 

2014-11-05 15_24_49-vendor_HP.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Clearpass CoA issue with HP

* Make sure the IETF:NAS-IP-Address attribute matches the IP you have defined for the device in CPPM
* Make sure you have selected the correct vendor + enabled CoA in the CPPM device

* Make sure CoA is enabled for the CPPM IP on the switch

 

For HP ProCurve related 802.1X see this great wiki page at FreeRADIUS wiki: http://wiki.freeradius.org/vendor/HP#RFC-3576-Change-of-Authorisation-&-Disconnect-Message


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor II
Posts: 15
Registered: ‎10-31-2014

Re: Clearpass CoA issue with HP

I have checked the following items listed above and still no success. I did check and HP states they support CoA. Any other gotchas?

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Clearpass CoA issue with HP

HP 3800 supports CoA yes. I have had this working with HP ProCurve 3500/5400/8200 series, but 3800 should be in the same family.

 

Are you sure you have configured CoA (or dynamic-author) correctly on the HP 3800? Can you paste the relevant config?

 

You can also try and enable accounting on the HP 3800 and see if that changes anything.

 

Do you see anything in the logging of the HP 3800? ("show log -r")

 

Also, if all fails, you can check with a packet capture if CPPM is sending the correct request.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
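
The packet-capture check suggested in the post above, as an added example that is not part of the original thread: it parses the UDP payload of a captured CoA or Disconnect request (port 3799), verifies the Request Authenticator against the shared key as defined in RFC 5176, and compares NAS-IP-Address with the address defined for the device. The function names and the sample address 192.0.2.10 are assumptions; the key is the one from the posted switch config.

```python
import hashlib
import socket
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
NAS_IP_ADDRESS = 4  # RFC 2865 attribute type

def parse_radius(packet):
    """Split a RADIUS UDP payload into code, id, authenticator, attributes, raw bytes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs, packet[:length]

def check_coa_request(packet, secret, expected_nas_ip):
    """Return a list of problems found in a captured CoA/Disconnect request."""
    code, _, authenticator, attrs, raw = parse_radius(packet)
    problems = []
    if code not in (40, 43):
        problems.append("not a request: code %d (%s)" % (code, CODES.get(code, "unknown")))
    # RFC 5176: MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)
    expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
    if expected != authenticator:
        problems.append("authenticator mismatch (shared key differs between the two sides)")
    nas_ips = [socket.inet_ntoa(v) for t, v in attrs if t == NAS_IP_ADDRESS and len(v) == 4]
    if expected_nas_ip not in nas_ips:
        problems.append("NAS-IP-Address %s does not match %s" % (nas_ips or "absent", expected_nas_ip))
    return problems

def build_request(code, ident, attrs, secret):
    """Build a request packet; used here only to construct sample data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

# Constructed sample: CoA-Request carrying NAS-IP-Address 192.0.2.10 and a User-Name.
SAMPLE = build_request(43, 1, [(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
                               (1, b"testuser")], b"arubahptest")

if __name__ == "__main__":
    print(check_coa_request(SAMPLE, b"arubahptest", "192.0.2.10") or "request looks consistent")
```
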
MVP
Posts: 4,020
Registered: ‎07-20-2011

Re: Clearpass CoA issue with HP

This should work, I tested this out with 3800 recently with no issues.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 15
Registered: ‎10-31-2014

Re: Clearpass CoA issue with HP

hostname "HP-3800-48G-PoEP-4SFP+"
module 1 type j9574y
module 2 type j9574x
radius-server host 10.0.0.156 dyn-authorization
radius-server host 10.0.0.156 key "arubahptest"
radius-server key "arubahptest"
ip default-gateway 10.0.0.254
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip routing

aaa accounting commands interim-update radius
aaa authorization commands radius
aaa authentication port-access eap-radius
aaa port-access authenticator 23
aaa port-access authenticator active
oobm

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Clearpass CoA issue with HP

Does this switch have multiple IP addresses? What is the value of the Radius:IETF:NAS-IP-Address attribute?

 

Can you post snippets from the request in the access tracker?


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor II
Posts: 15
Registered: ‎10-31-2014

Re: Clearpass CoA issue with HP

ssss.PNG
