  • 1.  Clearpass profiling issue with Huawei Switches | CoA Radius_dynauth

    Posted 30 days ago

    Hello everyone,

    Yesterday, we successfully connected CPPM with Huawei switches and can now dynamically assign VLANs to access ports.

    It took us a while to figure out that the ports have to be "hybrid" for this to work (with every VLAN that could be assigned configured as "untagged" and the default VLAN applied).

    After some successful tests we experienced an issue with profiling.

    What we did:

    We exported a H3C Bounce profile (RADIUS_DynAuthZ) and edited it like this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Thu Oct 10 13:27:25 CEST 2024" version="6.11"/>
      <RadiusCOATemplates>
        <RadiusCOATemplate vendorId="2011" templateType="CoA" displayName="Huawei - Bounce Switch Port" name="Bounce-Host-Port-Huawei">
          <AttributeList>
            <Attribute inputRequired="Not_Required" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
            <Attribute inputRequired="Not_Required" value="user-command=1" name="Huawei-HW-Ext-Specific" type="Radius:Huawei"/>
          </AttributeList>
        </RadiusCOATemplate>
      </RadiusCOATemplates>
    </TipsContents>

    and imported it back.

    We made an Enforcement Profile to bounce the switch port:

    We unplugged and removed a test device (dot1x authenticated notebook) from endpoint database.
    After reconnecting the device, it was up nearly instantly and dot1x auth happened. But it seems like the profiling failed and no CoA occurred.
    There was no entry in endpoint database.
    Did we miss something crucial? 
    Any help would be highly appreciated. :) <3
    Kind Regards
    Marc


  • 2.  RE: Clearpass profiling issue with Huawei Switches | CoA Radius_dynauth
    Best Answer

    Posted 30 days ago

    Hi

    In most cases profiling is based on DHCP information sent to ClearPass. So to be able to profile a client with DHCP ClearPass must receive the packets.

    Verify the following:

    • Client has DHCP configured, not static IP
    • On the client VLAN, IP Helper is configured for ClearPass, in addition to the normal DHCP server
    • Firewall ports for the DHCP packets are opened as needed
    • Some switches can send the DHCP profiling data in RADIUS Accounting packets and replace the IP Helper. This is true for Aruba CX switches with newer firmware and also some Cisco switches



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
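An added example (not from the thread and not ClearPass code) showing why the IP helper matters: the fields a DHCP-based profiler fingerprints live in the client's DHCP options, and the relay agent address (giaddr) in a relayed copy tells you whether the packet actually arrived through an IP helper. The packet builder, MAC, relay address, hostname and vendor class below are constructed for this example.

```python
import struct
from ipaddress import IPv4Address
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that ends the BOOTP header

def parse_dhcp(pkt: bytes) -> dict:
    """Return giaddr, client MAC and the TLV options of one BOOTP/DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    giaddr = IPv4Address(pkt[24:28])       # set by the relay (IP helper), else 0.0.0.0
    chaddr = pkt[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"giaddr": giaddr, "chaddr": chaddr, "options": opts}

def fingerprint(pkt: bytes) -> dict:
    """Fields a DHCP profiler keys on, plus whether the copy we got was relayed."""
    d = parse_dhcp(pkt)
    o = d["options"]
    return {
        "mac": d["chaddr"],
        "relayed": d["giaddr"] != IPv4Address("0.0.0.0"),
        "relay_agent": str(d["giaddr"]),
        "hostname": o.get(12, b"").decode(errors="replace"),
        "vendor_class": o.get(60, b"").decode(errors="replace"),
        "param_request_list": list(o.get(55, b"")),
    }

def build_discover(mac: bytes, giaddr: str, hostname: str, vendor: str, prl: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample input for this example, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, int(giaddr != "0.0.0.0"), 0x3903F326, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed)
    hdr += mac + b"\0" * 10 + b"\0" * 192 + MAGIC   # chaddr pad, sname, file, cookie
    opts = bytes([53, 1, 1, 12, len(hostname)]) + hostname.encode()
    opts += bytes([60, len(vendor)]) + vendor.encode() + bytes([55, len(prl)]) + prl + b"\xff"
    return hdr + opts

# Constructed samples: one client seen via a relay at 10.20.30.1, and the same Discover as a plain broadcast (no IP helper).
PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
RELAYED = build_discover(bytes.fromhex("001122334455"), "10.20.30.1", "marc-notebook", "MSFT 5.0", PRL)
LOCAL = build_discover(bytes.fromhex("001122334455"), "0.0.0.0", "marc-notebook", "MSFT 5.0", PRL)
```

If a profiler's DHCP collector only ever sees copies with giaddr 0.0.0.0, or none at all, the client VLAN's relay is not forwarding to it, which matches the missing endpoint entries described in the question.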



  • 3.  RE: Clearpass profiling issue with Huawei Switches | CoA Radius_dynauth

    Posted 30 days ago
    Edited by Hecatonchires 30 days ago

    This...! Some of my colleagues changed gateway routers and didn't implement the helper addresses ...

    Thanks for pointing this out, which led to proper research and a fix of the issue - (followed by a very satisfying beat-up of the culprits ;) - just kidding)