Security

Hi,

 

1st question

 

Has anyone managed to get clearpass CoA functionality working with either an HP 5500 or 5130 series switch? ( that's comware 5 and comware 7 operating systems respectively)

 

The glossy brochure for the 5130 says its supports CoA but nowhere in the docn does it say what you've got to do to get it working.

 

Apparently there's a patch being developed for the 5500 series to fix an issue when working with clearpass but its not been rolled out yet. HP say ther 5130 should just work when using port 1812

 

 2nd question.

 

When I define a switch as supporting CoA on a particular port. What sort of checks does clearpass make to ascertain whether the switch actually does support CoA. e.g. I defined an HP 5130 as supporting Coa on port 1812 but when I authenticate via a port on that switch clearpass doesn't even give me the option to perform a CoA on the session

 

Selecting a (wireless) session from an aruba controller which I've set up to enable CoA does give me the option to perform a CoA operation

 

 

Rgds

Alex

 

There is no check per se on Clearpass for this. When you add the network device, you have to select CoA in the NAD device screen.  In addition, port 1812 is for RADIUS.  The default port for CoA is 3799.  Now...of you have successfully process auths from the HP switch, you can test CoA by going into Access Tracker, finding the authentication record, and then clicking on the Change Status button 

 

In Clearpass, HP has 2 specific CoA actions - generic CoA and change VLAN.  You should be allowed to select these in the Change Status screen.

 

Hi thanks for the reply.

 

I'm  not talking about HP Procurve switches, I'm talking about Hp rebadged H3C switches running comware 5 or comware 7. The procurve switches do run CoA on 3799. The comware 5 & comware 7 switches do different things.

 

If you have their virtual switch VSR ( running comware 7.1), then you can enable CoA and change the port it listens on through specific radius commands from the cli.

 

If you have a comware 7 router then the same commands appear

 

If you have a comware 5 or comware 7 switch ( e.g. 5500HI or 5130 EI) then it appears that CoA is supported as an extension of the radius server and you pump commands into port 1812. Theres no enable/disable functionality, no ability to change the port it listens on and no <expletive> documentation other than a 1 liner in the switch description  glossy saying it supports RFC.... - CoA

 

The issue I had was that having configured our Aruba Controller to support CoA, when I select a clearpass "session" associated with a wireless user, I can see a change status option and can select an Aruba Terminate Session option... so everything does what is expected.

 

However this doesn't seem to be the case with the comware stuff. Even though I've defined an HP 5500/5130 switch as supporting CoA on port 1812 within clearpass, when I look at the session, you can't even select CoA under change status.

 

Quesiton is why? Whats going on in the background that makes clearpass think  you can perform a CoA on an Aruba bit of kit but not on an HP one. Is there some form of dialogue between clearpass and the end switch that is missing on the comware side of things?

 

Rgds

Alex

 

 

It is unlikely that CoA will be fully implemented on Comware 5 Switches at this time. On the other hand, it is starting to appear in the Comware 7 Switches.

 

Attached is a document to help implement CoA on the 5130EI switch series.

 

We are working to change the Cisco VSAs to ours. We are also working to add this functionality onto other Comware 7 switches including 5130HI and 5510HI.

 

I hope this helps those who are trying to implement this.

I've got CoA running on R3111P03 of Comware 7 on a 5130 switch, Not running it out in the wild yet ( prodn release we're using is R3109P09). Was a long time getting there due to using username as part of the selection process for a session to point CoA at. Good news about changing the VSAs. Did grumble about the fact that HP kit was expecting to be treated as a Cisck box.

 

So if youre changing VSAs to HP ones, what's the  timescales? Don't want to upgrade firmeware to R3111P03 if real soon there's another upgrade that means I need to change my clearpass config as well.

 

Re comware 5 and CoA, I was led to believe that Coa was gonig to be back ported. .... not much of an issue really now as we've almost got rid of all our Comware % kit apart from the NJ5000 baby switches.

 

 

Hi,

o.k. read th doc, its not quite right. It's valid for the dev (D3109) code I was using but not for the R3111P03 code. Thankfully you've removed the username requirement from the session selection process, so you just have to specify the Cisco VSA and the calling-station-id. Still a  long way to go re CoA compared to ProVision switches.

 

A

5130EI R code (5130_EI_7.10.R3113P02) now supports the following CoA features:

 

• CoA
• CoA Disconnect Message
• CoA Port Bounce
• CoA Port Shutdown
• Internal Captive Portal (RADIUS auth)
• External Captive Portal (include MAC address in redirect)

See the R3113P02 release notes for detailed info regarding features listed above.

 

See attached for Radius Dictionary .txt file - it can be imported into ClearPass.

 

Hope this helps. 

 

Feel free to attach the file as shown below... 

Airheads doesn't allow .xml files...

My suggestion for you is to rename it for this process as a .txt file, thats what I've done over the years.

 

 

Thanks. 

 

Done.  See main reply for attached .txt file.

 

>5130EI R code (5130_EI_7.10.R3113P02) now supports the following CoA
features:

>CoA CoA Disconnect Message CoA Port Bounce CoA Port Shutdown


Yup its had it for a while .... BTW I'm running R3111P03


Problem is I have to set the switch type to be Cisco to use my CoA
profiles, If there's some xml to let me actually use CoA for H23C defined
devcies that would be great

A

So not sure if a radius xml file is needed, clearpass already recognises the H3C VSA dictionary

A