
Clearpass Endpoint unknown = CoA bounce

  • 1.  Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 09:06 AM
    Dear Experts, 

    One of the customers wants to achieve the following. They are already doing it successfully in PulseSecure, but I am not sure how to achieve the same workflow in CPPM.

    1) Device gets added to Endpoint as known after successful authentication.
    2) Port information from the Cisco/Huawei switch is not accurate. It's not showing the port information correctly.
    3) Customer wants to disapprove an endpoint, so that if they change its status from known to unknown, it should trigger the CoA so that the device gets re-authenticated (MAC auth) and this time matches the rule where it says if endpoint status is unknown = deny access profile. 

    How can item #3 be achieved in the most efficient manner? Can someone advise?

    ------------------------------
    owais
    ------------------------------


  • 2.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 09:54 AM
    Does a manual CoA from Access Tracker (Change Status) work for these devices/switches?

    If that works, easiest may be an API call to ClearPass to 1) change the endpoint status to Unknown, then wait a few seconds and 2) send a CoA for the client.
    I don't know how time critical this is, but you could also consider periodic reauthentication, let's say every hour or even 30 minutes; then either set it statically in the switch configuration or use IETF:Session-Timeout to send the reauthentication interval dynamically from your policy.

    I'm not aware of an automatic CoA if an Endpoint attribute is changed by a ClearPass admin. As another option, the admin that changes the endpoint may manually trigger a CoA after changing the attribute and determining that this is time-critical. To do that search by Client MAC in Access Tracker and trigger a 'Change Status'.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
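The API-driven version of the "set Unknown, wait, then CoA" suggestion above, as an added example that is not part of the thread. The paths /api/endpoint/mac-address/{mac}, /api/session and /api/session/{id}/disconnect, the session filter syntax and the /api/oauth token are assumptions from the ClearPass REST API to be confirmed in your CPPM's API Explorer; the transport is injected so the workflow also runs offline against the constructed FakeClearPass stand-in.

```python
import json
import re
import time
import urllib.request
from urllib.parse import quote


def normalize_mac(mac):
    """ClearPass stores MACs as 12 lowercase hex digits without separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits.lower()


def https_sender(base_url, token):
    """Real transport: one bearer-authenticated JSON call (token from /api/oauth, assumed)."""
    def send(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")  # empty body -> None
    return send


def bounce_endpoint(send, mac, settle_seconds=3):
    """Set the endpoint Unknown, pause, then CoA-disconnect its sessions; return their ids."""
    m = normalize_mac(mac)
    # 1) Mark the endpoint Unknown so the next MAC auth matches the deny rule.
    send("PATCH", f"/api/endpoint/mac-address/{m}", {"status": "Unknown"})
    time.sleep(settle_seconds)  # let the write commit before forcing re-auth
    # 2) Find the client's sessions (filter syntax is an assumption; verify it).
    flt = quote(json.dumps({"mac_address": m}))
    result = send("GET", f"/api/session?filter={flt}", None) or {}
    sessions = result.get("_embedded", {}).get("items", [])
    # 3) CoA each session; the NAS drops it and the device re-authenticates.
    done = []
    for s in sessions:
        send("POST", f"/api/session/{s['id']}/disconnect", None)
        done.append(s["id"])
    return done


class FakeClearPass:
    """Constructed offline stand-in: records calls, returns one session on GET."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        return {"_embedded": {"items": [{"id": 4711}]}} if method == "GET" else None
```

Against a real CPPM, pass `https_sender("https://cppm.example", token)` as `send`; the same deny rule then has to exist in the MAC-auth service for the bounce to have any effect.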



  • 3.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 10:03 AM
    Dear Herman,

    Customer is OK with manual CoA, but ClearPass doesn't have a Huawei CoA template, nor could I find one on the internet. Tried with hw-ext-specific=user-command=2 (tried 1 and 3 also) with calling station id, but it didn't work. Can you advise how to get the CoA template for Huawei switches? If there is any working config you can help with, it is highly appreciated.





  • 4.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 11:11 AM
    You may try with vendor setting Cisco if that works, some vendors just mimic Cisco. If that doesn't work you could check the switch documentation or contact their support to understand if CoA is supported at all, and if so, what attributes need to be sent. Once you know that you can probably create your own dictionary, and Aruba Support may be able to assist you with that if you have the information from Huawei and you can't make that work yourself.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 5.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 11:18 AM
    What I don't understand is that we are not getting any confirmation from the community or Aruba itself if they have ever done any CoA implementation for Huawei.





  • 6.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 11:36 AM
    I have not personally, and think Huawei is more present in some regions but not in others. But because ClearPass is so flexible, open and you can create your own dictionaries, it's very likely that it works (if the switch supports CoA), it just may be harder to find the right person who implemented this, and is willing to share, and reads this message. There are many integrations that work without Aruba even knowing about it, because ClearPass is built on open standards. You may be even more successful in the forums for your switch. The screenshots in this example have CoA ticked, so suggest that it would work.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 7.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 02, 2023 11:47 AM
    Yup, understood. Currently we have requested the customer to check with the OEM to find out the CoA AV pairs.







  • 8.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 03, 2023 05:39 AM
    As Herman said, yes, the Cisco CoA attributes. What switches are you using? I have successfully used CoA with 5130 switches. These devices were designed to be Cisco replacements, so CoA certainly works.
    A





  • 9.  RE: Clearpass Endpoint unknown = CoA bounce

    Posted Jan 03, 2023 07:04 AM
    5130 is H3C. Or do they have the same model in Huawei also? But H3C has a separate CoA template in CPPM.

    Customer already checked with the Cisco template, but it didn't work. We are currently checking, and I saw a missing RADIUS authorization command. Let's see if fixing that works.





  • 10.  RE: Clearpass Endpoint unknown = CoA bounce