Security

Hi guys,

 

does someone of you got any expirience with CoA and Mac OS X. 

Today I was at a customer and we configured Onguard. We implemented it wireless and wired so healthchecks can be performed on any client. The customer is using HPE Switches and an Extreme wireless controller.

As dicribed, everythink works fine for WIndows (10) clients. We did the same testing with Mac CLients (wired / wireless) but ended up with same fault.

Client stauts changed and is reported to Clearpass. Clearpass is triggering an CoA and the client is authenticating again (differnt VLAN for healthy / unhelathy clients)

On the wireless controller / switch we can see that the client is in the right VLAN but he starved because of holding a wrong IP address. 

 

What I discovered was that every MAC Client (Mac OS X 10.12.5) we tested act the same. THe clients performs the authentication and after that no DHCP is done. 

 

Again: Does anyone have MAC with ongaurd and CoA up and running? Is there any special setting in MAC OS to change this behaviour?

 

Thanks in advance

 

The wireless controller needs to do a L2 full disconnect. Which CoA/DM profile are you using?

Till now I use the Motorola pre installed CoA.
As I wrote, it works fine for every Windows machine.
Wired I use the predefined HPE coa

Are you using the persistent agent ?
If you are then try using the Agent Bounce option that way you don't need to rely on the CoA

Thanks for the hint. I was playing with this option but i didn't have that in my mind Right now.
I will try this tomorrow at the customer and will come back to you.

Thanks alot

Hi Victor,

 

we tested your solution and it works fine. 

 

Thanks alot again!

Hi,

 

And if we have client that use the disoluble agent? we can't do any bounce?

You won’t be able to use the agent bounce feature with abut you could use RFC-3576 ( Change of Authorization) but of course the Network Access Device needs to support it



Thank you

Victor Fabian

Pardon typos sent from Mobile

we have the same problem as Freddy

We have MACOSx with 802.1x and if it failed do MAC authentication.

 

We have onGuard, with vlan change between healthy and quarantine.

We have a Cisco phone between switch and MACOSx.

 

If we do a bounce port Cisco, doesn't do anything.

If we do a bounce client with Agent not soluble, it's works, change vlan.

But if the client don't like to install the Agent, and choose the soluble agent, the bounce doesn't works and not change vlan.

 

If we remove the Cisco Phone,

we do the bounce port, works ok and change vlan

if the agent do the bounce, works ok and change vlan.

 

As I explain, if we have a phone between Switch and MACOSx, the only solution that we have is to If unplugged the cord on this case???

 

On windows, works all OK.

any help?

 

Regards