Security

 I’ve written a NEW TechNote covering some of the integration possible between CPPM and the HP Provision switches (commonly refereed to as ProCurve). The TechNote at this juncture is not as complete as we’d like but due to some other commitments we wanted to share with you what we have, its not as polished as normal but like I said we wanted to share what we had sooner rather than later. I expect this doc will go through multiple revisions over then next couple of months as we add new content, update what we know, correct what we have.  

Nice! Thanks for setting this up :)

 

We have done a number of HP ProCurve & ClearPass 802.1X/MAC auth (NAC) deployments; for us this Wiki-page from FreeRADIUS has been really useful: http://wiki.freeradius.org/vendor/HP

 

In your document you have been using the 2920 switches; you should really be testing multiple branches of the ProCurve-line because in our experience the 802.1X/MAC-auth behavior is NOT consistent.

 

One thing I'm missing in your document is the usage of RFC4675; "Egress-VLANID"; most recent ProCurve switches support this RFC which enables you to use dynamic VLAN assignment with *tagged* VLAN's. Very useful to use with VoIP-phones etc. This is described in the FreeRADIUS wiki-page. Drop me a message if you want an example ClearPass-config for this.

 

A document describing integration with H3C switches would be very useful as well. We have been running into issues with 802.1X/MAC auth/CoA on H3C switches, the implementation seems quite poor in comparision to ProCurve.

 

Hi Arjan,

 

In reverse, we have just started to work on H3C comware products and will get some thing out soon. As I said in my doc this posted version is not complete but I just wanted to get a start on things to the field. We are also aware of some nuances with H3C and we are engaging there DEV/Support team to better understand these issues.

 

Yes, please send me what you have on tagged vlans, and we can look at adding this in a V2 update later this month.

 

 

Has the Comware guide been released?  I'm not finding anything.

Derek,

 

Its not done I'm afraid. I'd been waiting for the V5/V7 code changes to be delivered with the CoA support. This is mainly out now but I've just not got to it with a lot of focus recently on our up-comming 6.6 release plus some other large internal projects.

 

Is their any specific you want?

I've been using ClearPass with ProVision switches successfully, but am moving our core to Comware and having some issues getting the return attribute(s) right. I'm finding people who get it working with conflicting configurations.




Derek Kuhr
IT Infrastructure Engineer, Think Whole Person Healthcare




T. 402-670-7242
derek.kuhr@thinkhealthcare.org
www.thinkhealthcare.org

IMPORTANT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is confidential or privileged, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this information is strictly prohibited. If you have received this message by error, please notify us immediately by replying to this email and delete and destroy the related message.

Thanks.

 

before i read it, just making sure v2 hasnt been released? This is still the latest version of the doc??

 

Regards

 

Mike

Mike,

 

I have a V2 in progress but no ready to be pubushed yet...... so your good to read the V1.

Hi Danny,

 

Are you aware of any guides/information for the new HPE (provision) "Captive portal for Clearpass" feature released in the new version 16 of HPE code?

 

Configururing the switch was easy and works fine, but i cant get clearpass policy to work for the guest authentication request from the clearpass login page :(

 

Regards

 

Mike

 

 

 

 

 

 

 

Ding..... I was planning on working on this THIS WEEK to add to the existing DOC and getting it out to the field.... events overtook me and I've been slammed from right-field..... hence why I'm still working 11:30PM PST :-(

 

Next week I'll hopefully get it done..... hopefully.....!!!!

Id be keen to get the clearpass policies once you do ;)

 

I can the mac-auth, and sending back captive portal for unknown device works fine, they can register fine via the portal, but when i click the login, it shows as a webauth from no nas-IP i guess because its the internal  clearpass system doing it so matches no services :\ where as aruba controller shows the log in credentials as a radius auth and works fine.

 

Look forward to your doc, ill keep working in it anyways see if i can figure it our :P

Hi Danny,

 

Is there already an ETA for the Comware technote? I have a Comware CPPM deployment this week as well - a beta technote would be great as well :-).

 

Kind Regards,

 

I'm sorry to say this has been pushed out, no current estimate - Sorry..!!

Create a new thread and we can help you get it working.

Hi

I need to deploy poc.

The scenario is -

2 ccpm 5000 (vm) with 2920 procurve in diffrent location for failover and for local Auth for each branch.

 

Need to implement HP ProCurve & ClearPass 802.1X/MAC-

802.1x for the workstation -verify that the computer in the domain.

and MAC for phone that integrated on the same port with the pc (cisco voip) and other machine like printers etc...

 

Can you provide me some relevant technote and show config example for the switch ?

 

Eyal

 

 

cppm with 2920 procurve switch as HP ProCurve & ClearPass 802.1X/MAC auth.

 

 

Hello Danny,

 

Any ETA on the V2 of this document?

 

Thanks,

Yama

That document is being deprecated. A new Solutions Guide for Wired Policy Enforcement will be published in the next few days.

Available Now!

 

http://community.arubanetworks.com/t5/Security/ClearPass-Solutions-Guide-Wired-Policy-Enforcement/td-p/298161

Awesome! Thank you.