I am trying to do a health check for wired users on a Brocade ICX 6450 switch.
By default there's no CoA profile for Brocade, so I made one; according to Brocade, the request needs to have the NAS identifier and session.
Here's the profile I made:
And I used it in an enforcement policy inside the web auth service that I use for the health check with the persistent agent.
Here are the services I configured:
The plan is that when a user with a non-compliant health posture connects, he will be placed in VLAN 20, then does the health check, gets CoA'd, then reconnects and gets VLAN 10, which is the authentication VLAN.
And MAC authentication will be used for IP phones.
I am facing two problems: the PCs are sometimes using their MAC addresses as the username although they are configured correctly for dot1x, and the phones are doing the opposite, sometimes doing dot1x although they're MAC-authentication based.
The second problem is that when I try to do CoA, I get the following in the log:
So this means the CoA is not correct. Maybe I understood wrong, but I am using variables in the fields of the enforcement profile; if I'm supposed to use actual values, what would the NAD identifier be? And would the calling station ID be the MAC address of the PC, and the NAS IP address the switch's IP address?
Also, here's the switch's configuration:
ver 08.0.20bT313
!
stack unit 1
 module 1 icx6450-24p-poe-port-management-module
 module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 name allowed by port
 untagged ethe 1/1/23 to 1/1/24
 router-interface ve 10
!
vlan 20 name unallowed by port
 untagged ethe 1/1/3
 router-interface ve 20
!
vlan 30 name voice by port
 untagged ethe 1/1/22
 router-interface ve 30
!
vlan 99 name parking-vlan by port
 untagged ethe 1/1/21
 router-interface ve 99
!
!
!
!
authentication
 auth-default-vlan 99
 no filter-strict-security enable
 re-authentication
 dot1x enable
 dot1x enable ethe 1/1/2
 mac-authentication enable
 mac-authentication enable ethe 1/1/2
!
aaa authentication dot1x default radius
aaa authorization commands 0 default radius
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
boot sys fl sec
enable snmp config-radius
enable telnet password .....
enable super-user-password .....
hostname brocade
ip dhcp-server enable
!
ip dhcp-server pool allowed-pool
 dhcp-default-router 10.0.0.1
 dns-server 126.96.36.199
 domain-name allowed.brocade.com
 lease 1 0 0
 network 10.0.0.0 255.255.255.0
 deploy
!
!
ip dhcp-server pool unallowed-pool
 dhcp-default-router 188.8.131.52
 dns-server 184.108.40.206
 domain-name unallowed.brocade.com
 lease 1 0 0
 network 220.127.116.11 255.255.255.0
 deploy
!
!
ip dhcp-server pool voice-pool
 dhcp-default-router 18.104.22.168
 dns-server 22.214.171.124
 domain-name voice.brocade.com
 lease 1 0 0
 network 126.96.36.199 255.255.255.0
 deploy
!
!
ip dhcp-server pool parking-vlan
 dhcp-default-router 188.8.131.52
 dns-server 184.108.40.206
 domain-name parking.brocade.com
 lease 1 0 0
 network 220.127.116.11 255.255.255.0
 deploy
!
ip dns server-address 18.104.22.168
ip route 0.0.0.0/0 10.131.71.200
!
username salec password .....
radius-client coa host 10.131.71.200 key 2 $ZF5uIVVTIS0tWnw4
radius-server host 10.131.71.200 auth-port 1812 acct-port 1813 default key 2 $ZF5uIVVTIS0tWnw4
radius-server key 2 $ZF5uIVVTIS0tWnw4
snmp-server community ..... rw
snmp-server enable ethe 1/1/1
!
!
no port bootp
!
!
!
interface ethernet 1/1/1
 ip address 10.131.71.179 255.255.255.0
 no ip dhcp-client enable
!
interface ethernet 1/1/2
 dot1x port-control auto
 inline power power-limit 15000
!
interface ve 10
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 1 10.131.71.200
!
interface ve 20
 ip address 22.214.171.124 255.255.255.0
 ip helper-address 1 10.131.71.200
!
interface ve 30
 ip address 126.96.36.199 255.255.255.0
 ip helper-address 1 10.131.71.200
!
!
!
!
!
!
!
ip ssh password-authentication no
ip ssh permit-empty-passwd yes
ip ssh interactive-authentication no
!
!
end
Thanks in advance, and I apologise for the lengthy post.
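As an added illustration (not part of the original post) of what the session-identifying attributes in the CoA profile above resolve to once the variables are filled in: the block below builds an RFC 5176 CoA-Request carrying NAS-IP-Address, NAS-Identifier, Calling-Station-Id and Acct-Session-Id, signs it with the RADIUS shared secret, and then performs the same validation a NAS does on receipt, so a packet captured from ClearPass can be checked against the expected attribute values and secret. The NAS-IP-Address and hostname are taken from the posted switch config; NAS-Identifier is assumed to equal the hostname, and the secret, client MAC and session id are constructed sample values. The authenticator ordering (HMAC-MD5 first over the packet with the Request Authenticator field zeroed, then the MD5 Request Authenticator) follows RFC 5176 section 3.

```python
import hashlib
import hmac

COA_REQUEST = 43  # RADIUS packet code for CoA-Request (RFC 5176)
# Attribute type numbers (RFC 2865/2866/3579); names match the ClearPass profile fields
ATTR = {"NAS-IP-Address": 4, "Calling-Station-Id": 31, "NAS-Identifier": 32,
        "Acct-Session-Id": 44, "Message-Authenticator": 80}

def _avp(attr_type, value):  # Type, Length (incl. 2-byte header), Value
    return bytes([attr_type, len(value) + 2]) + value

def _walk(attrs):  # yield (type, offset, value) for each attribute in the block
    pos = 0
    while pos < len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        yield attr_type, pos, attrs[pos + 2:pos + length]
        pos += length

def build_coa_request(secret, ident, nas_ip, nas_id, calling_station, session_id):
    """Message-Authenticator = HMAC-MD5(secret, packet with both authenticators zeroed);
    Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+secret)."""
    attrs = (_avp(ATTR["NAS-IP-Address"], bytes(int(o) for o in nas_ip.split(".")))
             + _avp(ATTR["NAS-Identifier"], nas_id.encode())
             + _avp(ATTR["Calling-Station-Id"], calling_station.encode())
             + _avp(ATTR["Acct-Session-Id"], session_id.encode())
             + _avp(ATTR["Message-Authenticator"], bytes(16)))  # placeholder, filled below
    header = bytes([COA_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    mac = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac                # Message-Authenticator is the last AVP
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs

def parse_attrs(packet):  # {type: value} for the attributes of a RADIUS packet
    return {t: v for t, _, v in _walk(packet[20:])}

def verify_coa_request(packet, secret):
    """The NAS-side check: code, length and both authenticators under the shared secret."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + bytes(16) + attrs + secret).digest() != req_auth:
        return False  # wrong shared secret: a real NAS silently discards the request
    for attr_type, off, value in _walk(attrs):
        if attr_type == ATTR["Message-Authenticator"]:
            zeroed = header + bytes(16) + attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # this example treats a missing Message-Authenticator as invalid
```

A request that fails verify_coa_request with the secret configured under radius-client coa is exactly the case the switch drops without a NAK, which is what makes a secret or attribute mismatch show up only as a timeout on the ClearPass side.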
Can you please confirm you are running at least 08020b code on the ICX?
Are the logs from manually trying to perform a CoA from AT?
Did you enable the CoA support in the NAS when you defined it?
And did you select 'Brocade' as the Vendor Name in the NAS definition?
I've had a working Brocade CoA to ICX switches (based on OnGuard) working in the lab, and my enforcement policy looks the same as yours except I didn't include the NAS-Identifier attribute; I don't believe this is needed.
The only difference I can see from my lab configuration is the following additional authentication commands on the switch:
auth-order mac-auth dot1x
mac-authentication dot1x-override
This was on an ICX6610 running 08.0.20.
Hope this helps.
No, I wasn't able to; I had to use the persistent agent.
How do you plan on doing the OnGuard? How will you manage to reconnect users again after updating their health token?
Please share your knowledge; I hit a dead end with this Brocade switch.
Yes, I'm running the latest code from Brocade.
I am doing CoA both manually and automatically, but automatically is not working; that's why I tried manually, and it's not working either.
Yes, I enabled CoA on the Brocade switch and in the ClearPass network access device.
Are you able to redirect the user to download the OnGuard agent? I'd like to display a captive portal on an ICX6450, but it looks like only internal switch web auth is supported on 08.0.30.