ClearPass and Dell EMC S3100 switches - CoA and radius attribute for tagged VLAN

  • 1.  ClearPass and Dell EMC S3100 switches - CoA and radius attribute for tagged VLAN

    Posted Jul 17, 2024 05:24 PM

    I'm currently working on integrating a Dell S3100 switch with ClearPass for 802.1X and MAB. I couldn't find a specific template for this switch, so I built the configuration based on available public documentation. However, I'm encountering two issues that I can't seem to resolve:

    1. Change of Authorization (CoA) Not Working: I configured the vendor as Cisco (I also tried IETF), but CoA does not work. Has anyone faced this issue or have any suggestions on the correct vendor settings?

    2. VLAN Configuration Issues:

      • We have a data VLAN that is untagged on VLAN 100.
      • The voice VLAN is tagged on VLAN 200.

      I used the "Tunnel-Private-Group-ID" attribute to set the VLAN value for the untagged data VLAN, but I couldn't find the correct attribute for the tagged VLAN. I tried different options for IETF "Egress-VLANID" and IETF "Egress-VLAN-Name" with no success.

    Does anyone have a template for this switch or know the right vendor name and RADIUS attributes I can use to set both tagged and untagged VLANs as well as enable CoA?

    Any help or guidance would be greatly appreciated!

    Thanks in advance



  • 2.  RE: ClearPass and Dell EMC S3100 switches - CoA and radius attribute for tagged VLAN

    Posted Jul 18, 2024 07:54 AM

    This is probably a question that you can better ask on a Dell forum or with Dell support, unless you are lucky that someone else is using these switches and has done the same. Switch vendors can implement or not implement parts of the standards, so some vendors don't implement CoA, or just partially. Same for tagged/multi VLAN, that is not widely implemented and different vendors have different approaches. The documentation on the S3100 that I could find with an internet search was not really clear, so I think if you ask on a product-specific forum or with the vendor's technical support, you may have better chances. If you know what attributes to return, it's trivial to let ClearPass return those (thanks to open standards). You may need to add dictionary items, if vendor-specific attributes are used, but that is also doable.



    ------------------------------
    Herman Robers
    ------------------------------
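
The first post mentions trying the IETF "Egress-VLANID" and "Egress-VLAN-Name" attributes. As an added example (not from either poster, and not a statement about what the Dell S3100 honors), this Python code shows how RFC 4675 encodes those values: the VLAN number is not sent on its own but is combined with a tag-indication octet. The function names are illustrative.

```python
# Added example: RFC 4675 value encoding for Egress-VLANID (type 56)
# and Egress-VLAN-Name (type 58). Whether a given switch acts on these
# attributes is vendor-dependent and not established by this thread.
import struct

TAGGED, UNTAGGED = 0x31, 0x32  # tag-indication octets (ASCII '1' / '2')


def egress_vlanid(vlan_id, tagged):
    """Return the 32-bit integer value to place in Egress-VLANID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    # Layout: 8-bit tag indication | 12-bit zero pad | 12-bit VLAN ID
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Return (vlan_id, tagged) or raise if the value is malformed."""
    tag = value >> 24
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError("tag indication must be 0x31 or 0x32")
    if value & 0x00FFF000:
        raise ValueError("pad bits must be zero")
    return value & 0xFFF, tag == TAGGED


def egress_vlan_name(name, tagged):
    """Egress-VLAN-Name is the VLAN name prefixed with '1' or '2'."""
    return ("1" if tagged else "2") + name


def attribute_bytes(value):
    """Egress-VLANID as it appears on the wire: type, length, value."""
    return struct.pack("!BBI", 56, 6, value)


if __name__ == "__main__":
    # VLAN numbers taken from the first post: data 100 untagged, voice 200 tagged.
    for vid, tagged in ((100, False), (200, True)):
        v = egress_vlanid(vid, tagged)
        print(vid, "tagged" if tagged else "untagged",
              "decimal:", v, "hex: 0x%08X" % v,
              "wire:", attribute_bytes(v).hex())
```

A bare "200" in Egress-VLANID decodes as malformed under this layout, which is one thing to rule out before concluding that a switch ignores the attribute.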