Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Brocade COA Problem

Jump to Best Answer
This thread has been viewed 6 times
  • 1.  Brocade COA Problem

    Posted Apr 09, 2015 12:15 PM

    Hello

    I am trying to do health check for wired users on a brocade ICX 6450 switch.

    By default there's no COA profile for Brocade so I made one, according to Brocade the request needs to have NAS identifier and session.

    Here's the profile I made

    coa-brocade.JPG

    And I used it in an enforcement policy inside the web auth services that I use for health check with the presistant agent.

     

    Here's the services I configured.

    all-services.JPGweb auth services.JPG

    The plan is that, when a user with a non compliant health posture connects, he will be placed in vlan 20, then does the health check, get coa'd and then reconnects and gets vlan 10 which is the authentication vlan.

    And for the mac authentication, it will be used for IP Phones..

    I am facing two problems, the PCs are using their mac addresses as username sometimes although they are configured correctly for dot1x and the phones are doing the opposite, sometimes dot1x although they're mac authentication based

     

    The second problem is that when I try to do COA, I get the following in the log.

    2015-04-09 18:40:09,126[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Identifier}, error=No values for param=Radius:IETF:NAS-Identifier
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Identifier value = %{Radius:IETF:NAS-Identifier}. Searching attributes from battery
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-IP-Address}, error=No values for param=Radius:IETF:NAS-IP-Address
    2015-04-09 18:40:09,127[RequestHandler-1-0x7f36dbbfd700 r=W00000016-10-5526ab69 h=3384 c=W00000016-10-5526ab69] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-IP-Address value = %{Radius:IETF:NAS-IP-Address}. Searching attributes from battery

     

     

    So this means COA is not correct, Maybe I understood wrong but I am using variables in the fields of the enforcement profile, if I'm supposed to use actual values, NAD identifier would be what? and calling station id would be mac address of the PC and nas ip address is the switch's ip address?

     

    Also here's the switch's configuration

    "

    ver 08.0.20bT313
    !
    stack unit 1
    module 1 icx6450-24p-poe-port-management-module
    module 2 icx6450-sfp-plus-4port-40g-module
    !
    !
    !
    !
    vlan 1 name DEFAULT-VLAN by port
    !
    vlan 10 name allowed by port
    untagged ethe 1/1/23 to 1/1/24
    router-interface ve 10
    !
    vlan 20 name unallowed by port
    untagged ethe 1/1/3
    router-interface ve 20
    !
    vlan 30 name voice by port
    untagged ethe 1/1/22
    router-interface ve 30
    !
    vlan 99 name parking-vlan by port
    untagged ethe 1/1/21
    router-interface ve 99
    !
    !
    !
    !
    authentication
    auth-default-vlan 99
    no filter-strict-security enable
    re-authentication
    dot1x enable
    dot1x enable ethe 1/1/2
    mac-authentication enable
    mac-authentication enable ethe 1/1/2
    !
    aaa authentication dot1x default radius
    aaa authorization commands 0 default radius
    aaa authorization coa enable
    aaa accounting dot1x default start-stop radius
    boot sys fl sec
    enable snmp config-radius
    enable telnet password .....
    enable super-user-password .....
    hostname brocade
    ip dhcp-server enable
    !
    ip dhcp-server pool allowed-pool
    dhcp-default-router 10.0.0.1
    dns-server 4.2.2.2
    domain-name allowed.brocade.com
    lease 1 0 0
    network 10.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool unallowed-pool
    dhcp-default-router 20.0.0.1
    dns-server 4.2.2.2
    domain-name unallowed.brocade.com
    lease 1 0 0
    network 20.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool voice-pool
    dhcp-default-router 30.0.0.1
    dns-server 4.2.2.2
    domain-name voice.brocade.com
    lease 1 0 0
    network 30.0.0.0 255.255.255.0
    deploy
    !
    !
    ip dhcp-server pool parking-vlan
    dhcp-default-router 99.99.99.1
    dns-server 4.2.2.2
    domain-name parking.brocade.com
    lease 1 0 0
    network 99.99.99.0 255.255.255.0
    deploy
    !
    ip dns server-address 163.121.128.134
    ip route 0.0.0.0/0 10.131.71.200
    !
    username salec password .....
    radius-client coa host 10.131.71.200 key 2 $ZF5uIVVTIS0tWnw4
    radius-server host 10.131.71.200 auth-port 1812 acct-port 1813 default key 2 $ZF5uIVVTIS0tWnw4
    radius-server key 2 $ZF5uIVVTIS0tWnw4
    snmp-server community ..... rw
    snmp-server enable ethe 1/1/1
    !
    !
    no port bootp
    !
    !
    !
    interface ethernet 1/1/1
    ip address 10.131.71.179 255.255.255.0
    no ip dhcp-client enable
    !
    interface ethernet 1/1/2
    dot1x port-control auto
    inline power power-limit 15000
    !
    interface ve 10
    ip address 10.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    interface ve 20
    ip address 20.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    interface ve 30
    ip address 30.0.0.1 255.255.255.0
    ip helper-address 1 10.131.71.200
    !
    !
    !
    !
    !
    !
    !
    ip ssh password-authentication no
    ip ssh permit-empty-passwd yes
    ip ssh interactive-authentication no
    !
    !
    end

    ""

     

     

    Thanks in advance and I apologise for lengthy post

     

     

     



  • 2.  RE: Brocade COA Problem

    Posted Apr 09, 2015 12:55 PM

    Can you please confirm you are running at least 08020b code on the ICX?

     

    Are the logs from manullay tring to perform  a CoA from AT?

     

    Did you enable the CoA support in the NAS when you defined it?

     

    And did you slected 'Brocade' as the Vendor Name in the NAS definition?



  • 3.  RE: Brocade COA Problem
    Best Answer

    Posted Apr 16, 2015 09:39 AM

    I've had a working Brocade CoA to ICX switches (based on OnGuard) working in the lab and my enforcement policy looks the same as yours except I didn't include the NAS-Identifier attribute, I don't believe this is needed.

     

    The only differences I can see from my lab configuration is the following additional authentication commands on the switch:

     

    auth-order mac-auth dot1x
    mac-authentication dot1x-override

    This was on an ICX6610 running 08.0.20.

    Hope this helps.



  • 4.  RE: Brocade COA Problem

    Posted Apr 14, 2015 02:25 PM

    No I wasnt able, I had to use the persistant agent

     

    how do you plan on doing the onguard? how will you manage to reconnect users again after updating their health token?

    please share your knowledge I  hit a dead end with this brocade switch.



  • 5.  RE: Brocade COA Problem

    Posted Apr 10, 2015 08:36 AM

    Hi

    Yes I'm running the latest code from the brocade

    I am both manually and automatically doing COA, but automatically is not working, thats why I tried manually and its not working either.

    Yes I enabled COA on the brocade switch and in the clearpass network access device



  • 6.  RE: Brocade COA Problem

    Posted Apr 14, 2015 01:38 PM

    Are you able to redirect the user to download the OnGuard agent? I'd like to display a captive portal on an ICX6450 but it looks like only internal switch web auth is supported on 08.0.30.