Security

Contributor I
Posts: 52
Registered: ‎03-04-2015

I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

I have ClearPass with clients connected to a ProCurve switch. It seems that the switch does not support the CoA service, because once a client is unhealthy and needs to be put in the Quarantine VLAN, the switch does not move its port to this VLAN until I disconnect the cable from the client and reconnect it again!!

 

Any solutions for that?

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

Are you issuing a port bounce or agent bounce?

Clients generally will only re-DHCP on link change.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 518
Registered: ‎11-04-2011

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

What type of switch and what firmware are you using?

What configuration did you put in? Check https://ase.arubanetworks.com/solutions/id/137 to generate some code.

What do you use to generate the CoA? ClearPass?

 

The CoA port-bounce was introduced in 16.01 if I remember correctly. So if CoA works, but the port-bounce does not, upgrading may help.

If CoA does not work at all (ClearPass shows 'failed' after a timeout), check that you have your RADIUS server defined for CoA on the switch (dyn-authorization) and that either the clock is set correctly or you put in the statement 'radius-server host <your_server_ip> time-window 0'.

 

With the correct firmware and configuration, this is expected to work without any issue.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
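The two checks in the reply above (shared secret / dyn-authorization, and the Event-Timestamp window that makes clock skew look like a "failed after timeout") can be seen end to end in a small RFC 5176 simulation. The following is an added example written for this thread, not code from the original post or from Aruba; both sides of the Disconnect-Request exchange are modelled in one process, the server name, user name, NAS address and shared secret are constructed, and treating `time-window 0` as "skip the timestamp check" is an assumption of the simulation rather than a description of the switch's exact implementation.

```python
import hashlib
import hmac
import struct
import time

# Packet codes and attribute types from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, EVENT_TIMESTAMP = 1, 4, 55
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503      # RFC 5176 Error-Cause value
HDR = struct.Struct("!BBH")               # Code, Identifier, Length
ZERO16 = bytes(16)


def avp(attr, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr, len(value) + 2) + value


def parse_avps(blob):
    """Decode attributes to (type, value, offset); a bad length makes the packet invalid."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("bad attribute length")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]], i))
        i += blob[i + 1]
    return out


def build_request(code, ident, secret, attrs):
    """Server side (RFC 5176 s2.3): Message-Authenticator is HMAC-MD5 over the packet with
    the Request Authenticator field and the MA value zeroed; the Request Authenticator is
    then MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = attrs + avp(MESSAGE_AUTHENTICATOR, ZERO16)
    head = HDR.pack(code, ident, HDR.size + 16 + len(attrs))
    mac = hmac.new(secret, head + ZERO16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    return head + hashlib.md5(head + ZERO16 + attrs + secret).digest() + attrs


def build_response(code, ident, req_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = HDR.pack(code, ident, HDR.size + 16 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def nas_handle(packet, secret, sessions, time_window, now=None):
    """Switch side. Returns a reply, or None when the request is silently discarded,
    which the server experiences as a timeout ('failed' in ClearPass)."""
    now = time.time() if now is None else now
    if len(packet) < HDR.size + 16:
        return None
    code, ident, length = HDR.unpack_from(packet)
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    head, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    # 1. Shared secret: recompute the Request Authenticator
    if not hmac.compare_digest(hashlib.md5(head + ZERO16 + attrs + secret).digest(), req_auth):
        return None
    try:
        avps = parse_avps(attrs)
    except ValueError:
        return None
    # 2. Message-Authenticator, checked with its own value and the Request Authenticator zeroed
    ma = [(v, off) for t, v, off in avps if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][0]) != 16:
        return None
    value, off = ma[0]
    zeroed = attrs[:off + 2] + ZERO16 + attrs[off + 18:]
    if not hmac.compare_digest(hmac.new(secret, head + ZERO16 + zeroed, hashlib.md5).digest(), value):
        return None
    # 3. Event-Timestamp must lie within time_window seconds of the switch clock;
    #    window 0 disables the check (assumption modelling 'time-window 0' from the thread)
    ts = [v for t, v, _ in avps if t == EVENT_TIMESTAMP]
    if time_window:
        if not ts or len(ts[0]) != 4 or abs(now - struct.unpack("!I", ts[0])[0]) > time_window:
            return None
    # 4. Find the session and act on it; an unknown session gets a NAK with Error-Cause 503
    user = next((v.decode("utf-8", "replace") for t, v, _ in avps if t == USER_NAME), None)
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)
    if user not in sessions:
        cause = avp(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_response(nak, ident, req_auth, secret, cause)
    sessions[user] = "disconnected" if code == DISCONNECT_REQUEST else "reauthorized"
    return build_response(ack, ident, req_auth, secret, b"")


def server_check_reply(reply, request, secret):
    """Server side: classify the outcome after verifying the Response Authenticator."""
    if reply is None:
        return "timeout"
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, resp_auth):
        return "invalid"
    return {DISCONNECT_ACK: "ack", COA_ACK: "ack", DISCONNECT_NAK: "nak", COA_NAK: "nak"}.get(reply[0], "invalid")


def demo(skew=0, time_window=300, known=True, nas_secret=None):
    """One Disconnect-Request to a switch whose clock is `skew` seconds behind the server.
    Secret, user and NAS address are constructed for this example."""
    secret, user, nas_now = b"example-shared-secret", "host/pc1.example.net", 1_700_000_000
    sessions = {user: "authorized"} if known else {}
    attrs = (avp(USER_NAME, user.encode()) + avp(NAS_IP_ADDRESS, bytes([10, 0, 1, 2]))
             + avp(EVENT_TIMESTAMP, struct.pack("!I", nas_now + skew)))
    request = build_request(DISCONNECT_REQUEST, 7, secret, attrs)
    reply = nas_handle(request, nas_secret or secret, sessions, time_window, now=nas_now)
    return server_check_reply(reply, request, secret)


if __name__ == "__main__":
    print("clocks in sync:          ", demo())
    print("clock 1h off, window 300:", demo(skew=3600))
    print("clock 1h off, window 0:  ", demo(skew=3600, time_window=0))
    print("wrong shared secret:     ", demo(nas_secret=b"other"))
    print("unknown session:         ", demo(known=False))
```

The point to take from the run: a wrong secret and a clock that is an hour off produce exactly the same symptom on the ClearPass side (no reply, so "failed" after the timeout), which is why the two checks in the reply above have to be done separately; only a request that passes both gets as far as an ACK or a NAK with an Error-Cause.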
Contributor I
Posts: 52
Registered: ‎03-04-2015

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

Here is the configuration:

 

radius-server host 10.0.0.238 acct-port 1813 key "ad-tech123"
aaa authentication port-access eap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 2-4,10-15
aaa port-access authenticator 2 tx-period 5
aaa port-access authenticator 2 server-timeout 3
aaa port-access authenticator 2 max-requests 3
aaa port-access authenticator 2 reauth-period 86000
aaa port-access authenticator 2 auth-vid 10
aaa port-access authenticator 2 unauth-vid 3021
aaa port-access authenticator 2 logoff-period 86000
aaa port-access authenticator 2 client-limit 2
aaa port-access authenticator active
aaa port-access supplicant 2
aaa port-access 2 controlled-direction in

 

It's port bounce, since the agent repeats the health check but the switch doesn't switch the port to another VLAN!

 

Does anybody have a template for ProCurve with ClearPass or a recommended version for the switch? I also have 3Com 4400 & 4200, is there any problem with them?
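The configuration posted above has only one `radius-server host` line, with the accounting port and key, and nothing that enables CoA for that server. The following is an added example, not part of the original post, that applies the checks from the earlier reply (dyn-authorization present, time-window set) to a running-config text; the two config fragments inside it are constructed from the posted lines with the shared secret replaced, and the "fixed" fragment only adds the commands already named in the thread. If the switch rejects `dyn-authorization` when you try to add it, that is the platform or firmware telling you the feature is not there, and no config check will help.

```python
import re

# Constructed: the relevant lines from the posted running-config, secret replaced.
POSTED_CONFIG = """\
radius-server host 10.0.0.238 acct-port 1813 key "REDACTED"
aaa authentication port-access eap-radius
aaa port-access authenticator 2-4,10-15
aaa port-access authenticator 2 auth-vid 10
aaa port-access authenticator 2 unauth-vid 3021
aaa port-access authenticator active
"""

# Constructed: the same fragment plus the two commands recommended in the thread.
FIXED_CONFIG = POSTED_CONFIG + """\
radius-server host 10.0.0.238 dyn-authorization
radius-server host 10.0.0.238 time-window 0
"""

HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")


def audit_coa(config_text):
    """Collect every radius-server host line per server IP (the switch stores each option
    as its own line) and report what is missing for CoA to be accepted from that server."""
    hosts = {}
    for raw in config_text.splitlines():
        m = HOST_RE.match(raw.strip())
        if not m:
            continue
        ip, rest = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"dyn_authorization": False, "time_window": None})
        if "dyn-authorization" in rest.split():
            entry["dyn_authorization"] = True
        tw = re.search(r"\btime-window (\d+)\b", rest)
        if tw:
            entry["time_window"] = int(tw.group(1))

    findings = []
    if not hosts:
        findings.append("no radius-server host configured")
    for ip, e in hosts.items():
        if not e["dyn_authorization"]:
            findings.append(f"{ip}: dyn-authorization missing, switch will not accept CoA/Disconnect from this server")
        if e["time_window"] is None:
            findings.append(f"{ip}: time-window left at default, Event-Timestamp check needs the switch clock "
                            f"in sync with the server (NTP) or 'time-window 0'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_coa(cfg) or ["ok"])
```

Run it against a `show running-config` capture; two findings for the posted config, none once both lines are present. Whether the switch actually honours them is still a firmware question, as the later replies in the thread point out.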

MVP
Posts: 518
Registered: ‎11-04-2011

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

The RADIUS CoA port-bounce is a feature that was added last year. As far as I can quickly see, the last firmware release for the 4400 was in 2007, so I believe that is why it's not working.

 

What you can try in this case is an OnGuard Agent bounce. That feature bounces the port from the client side.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I
Posts: 52
Registered: ‎03-04-2015

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

I am working now on a ProCurve 2828. What is OnGuard agent bounce? Is it the health checker?

Contributor I
Posts: 52
Registered: ‎03-04-2015

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

I upgraded the firmware to the latest version on the ProCurve 2510; the command

# radius-server host x.x.x.y dyn-authorization

is not supported, and it is still not working!!

MVP
Posts: 518
Registered: ‎11-04-2011

Re: I have dot1x authentication using ClearPass with ProCurve switches, CoA issues!

Tatal,

 

In general, the more recent the switches are, the more likely it is that features like CoA are working (properly). At the same time, the higher-range switches tend to offer more functionality.

 

The 2510 is a pretty old, retired switch. I see documentation for that switch going back to 2006 (over 10 years ago). If you need to know what is supported, I'd suggest that you check the release notes for the switch and version that you want to run. If the command is unavailable, it is a good indication that the feature is unavailable in your version (or platform).

 

If you can't find the answer, you can contact HPE support for a definitive answer. Sorry that I cannot help you further.

 

Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).