01-09-2016 04:00 AM
Been doing some ClearPass work on a NAC setup with HP switches (26xx and 23xx series). The technote has been very helpful.
In the end I did end up with the issue the technote describes*. When doing both MAC and dot1x, at some point you can't do CoA anymore. ClearPass seems to believe the switch can't do CoA, so it greys out the option. If I just do MAC or dot1x it works fine.
As the technote is already some months old and I'm sure there is some heavy HP switch / Aruba CPPM work being done, has anyone found a full solution for this? The mentioned workaround is limited. Someone perhaps already has a bug ID or such, with a timeline on a solution?
First, we sometimes lose the capability to send a CoA; CPPM no longer believes the NAD is capable, so the CoA option is not available in the Access Tracker entry. We narrowed this down to the fact that HP sends an 802.1x request and a MAB request at the same time, and it appears that this confuses CPPM if we send an ACCEPT to both. It should be noted that on initial auth there is no issue, but if we send a CoA, we see an 802.1x and MAB request come in, and that is where the problem occurs.