I will try to open a case with ClearPass TAC and Switch TAC. Could the problem be caused by a misconfiguration in the SW?
Original Message:
Sent: May 29, 2024 07:32 AM
From: GorazdKikelj
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
There is still TAC support for it.
You can find EOS information at
https://networkingsupport.hpe.com/end-of-life
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 29, 2024 06:00 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
The last update for the 5130 was released on Feb 22, 2024. Is there a way to check whether the switch has TAC support or not?
I will test it with the old version in another location and see if the same problem happens or not.
Thank you
Original Message:
Sent: May 29, 2024 05:33 AM
From: GorazdKikelj
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
I have a 5140 switch on version
[HPE5140]displ version
HPE Comware Software, Version 7.1.070, Release 6343P09
This can also be the problem with this model, as it has been EOS for some time now.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 29, 2024 05:24 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello GorazdKikelj,
I already upgraded the 5130 Comware 7 switch to 7.1.070, Release 3507P18. Which version do you use?
Thank you
Original Message:
Sent: May 29, 2024 05:16 AM
From: GorazdKikelj
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi Mohammad.
This looks like a Comware FW issue. Can you upgrade Comware to the latest version?
On the 5140 I always see the same port ID.
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 29, 2024 05:08 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello @Herman Robers & GorazdKikelj,
Yes, I can see the better port description under the Input tab.
But the main problem we face is that the requests for the same PC come from different ports. I can read the port under the Input tab: every time it is a different port.
Thank you
Original Message:
Sent: May 29, 2024 03:58 AM
From: Herman Robers
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
That NAS Port is something sent from the switch. You may have a look in Access Tracker, Input tab, to see if there is maybe another field that has a better port description.
I have not seen this before (but didn't do too much with Comware either), so you may reach out to Aruba TAC to see if they know this and know a solution.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 29, 2024 02:01 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
We still face the problem of MAC addresses appearing on incorrect ports on the 5130 switch and in the Access Tracker in ClearPass. This happens when the Authentication Method is MAC-Auth; with 802.1x I see the correct port.
Example:
Every new request comes from a different port for the same PC.
Is there a way to fix this?
Thank you
Original Message:
Sent: May 08, 2024 02:38 AM
From: GorazdKikelj
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi Mohammad.
Did you select H3C as the vendor in the device definition, as @FF96 mentioned?
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 07, 2024 03:49 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
The problem with MAC addresses appearing on incorrect ports is still occurring after I use the
mac-authentication user-name-format mac-address with-hyphen uppercase ###---> for MAC addresses appear on incorrect ports####
Is there any other way to fix it?
Thank you
Original Message:
Sent: Apr 29, 2024 06:53 AM
From: FF96
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi,
You can find all related explanations in the user manual: https://networkingsupport.hpe.com/
"For interfaces do I need this command?"
Depends on how you set up your infrastructure
Best Regards.
Original Message:
Sent: Apr 28, 2024 03:32 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello FF96,
Thank you for sharing. I will test it this week. I forgot to mention that we have an IP phone to connect to the PC.
I have a question about some commands:
About DHCP snooping: I only need it if DHCP is enabled on the switch, correct?
Can you explain how dot1x works, or what you use it for?
- dot1x quiet-period
- dot1x retry 3
- dot1x timer quiet-period 30
- dot1x timer handshake-period 30
For interfaces do I need this command?
- dot1x max-user 6 // What is the default?
- dot1x after-mac-auth max-attempt 1 // After MAC-auth succeeds the switch will try dot1x again, correct?
- port-security max-mac-count 4 // When will we use it?
- dhcp snooping binding record // What does it do exactly?
Thank you
Original Message:
Sent: Apr 26, 2024 07:26 AM
From: FF96
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hi, MohammadH
This is my config for Comware.
For interfaces:
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port
 poe enable
 undo dot1x handshake
 dot1x max-user 4
 undo dot1x multicast-trigger
 dot1x after-mac-auth max-attempt 1
 mac-authentication max-user 4
 mac-authentication host-mode multi-vlan
 port-security max-mac-count 4
 port-security port-mode userlogin-secure-or-mac-ext
 dhcp snooping binding record
Radius Scheme:
 primary authentication x.x.x.x
 primary accounting x.x.x.x
 accounting-on enable
 key authentication cipher xx
 key accounting cipher xx
 user-name-format without-domain
 nas-ip interface LoopBack0
For Bounce Switch Port:
radius dynamic-author server
 client ip x.x.x.x key simple xxxxxx
 quit
General config:
dhcp snooping enable
dhcp snooping client-detect
dot1x authentication-method eap
dot1x quiet-period
dot1x retry 3
dot1x timer quiet-period 30
dot1x timer handshake-period 30
dot1x access-user log enable abnormal-logoff failed-login normal-logoff successful-login
#
mac-authentication domain xxxxx
mac-authentication user-name-format mac-address with-hyphen uppercase ###---> for MAC addresses appear on incorrect ports####
#
port-security enable
port-security mac-move permit
port-security access-user log enable failed-authorization mac-learning violation vlan-mac-limit
#
Also, the vendor for Comware is: H3C
Original Message:
Sent: Apr 25, 2024 03:12 AM
From: MohammadH
Subject: Help 802.1x activation on HP Comware 7 switch with clearpass... ??
Hello,
We are trying to configure 802.1x activation on the HP Comware 7 switch with ClearPass 6.12.1. The switch configuration is:
Switch Comware 7:
#
port-security enable
port-security mac-move permit
dot1x authentication-method eap
mac-authentication domain clearpass.radius.tacacs
#
radius scheme Clearpass.radius
 primary authentication xxx.xxx.xxx.xxx key simple xxxxxx
 primary accounting xxx.xxx.xxx.xxx key simple xxxxxx
 user-name-format without-domain
 accounting-on enable
#
domain clearpass.radius.tacacs
 authentication login hwtacacs-scheme tacacs local
 authorization login hwtacacs-scheme tacacs local
 accounting login hwtacacs-scheme tacacs local
 authorization command hwtacacs-scheme tacacs local
 accounting command hwtacacs-scheme tacacs
 authentication lan-access radius-scheme clearpass.radius local
 authorization lan-access radius-scheme clearpass.radius local
 accounting lan-access radius-scheme clearpass.radius local
#
domain default enable clearpass.radius.tacacs
#
Example for the interface:
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port
 stp tc-restriction
 lldp admin-status disable
 poe enable
 undo dot1x handshake
 undo dot1x multicast-trigger
 mac-authentication max-user 6
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac-ext
We have some problems:
1- ClearPass Bounce Switch Port doesn't work with Comware 7; it gives an error:
No response from network device
2- MAC addresses appear on incorrect ports
3- ClearPass doesn't receive requests from the switch. When I debug the log I see only this error:
Dropped received EAP packet: The packet's Vlan isn't allowed in the port.
Are we missing something in the Comware 7 switch?
Thank you
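FF96's reply lists a "radius dynamic-author server" block with a "client ip" entry as the configuration for Bounce Switch Port, and the configuration shown in the original post contains no such block. The following Python is an added example, not part of the thread or of any HPE tooling: it parses a Comware-style configuration and lists the RADIUS server addresses that have no matching client entry. The sample configuration, the 192.0.2.x addresses and the assumption that ClearPass sends the change-of-authorization request from the same address the switch authenticates against are constructed for illustration.

```python
import re

# Constructed sample in Comware layout ("#" separators, indented sub-commands); 192.0.2.x are placeholders.
SAMPLE_CONFIG = """\
#
radius scheme clearpass.radius
 primary authentication 192.0.2.10 key simple xxxxxx
 primary accounting 192.0.2.10 key simple xxxxxx
 secondary authentication 192.0.2.11 key simple xxxxxx
#
radius dynamic-author server
 client ip 192.0.2.10 key simple xxxxxx
#
"""

def parse_sections(text):
    """Return {top-level command: [sub-commands]} for a Comware-style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None                      # separator ends the current view
        elif raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def radius_servers(sections):
    """IPv4 addresses configured as authentication/accounting servers."""
    pat = re.compile(r"^(?:primary|secondary) (?:authentication|accounting) (\d+(?:\.\d+){3})\b")
    return {m.group(1) for head, subs in sections.items()
            if head.startswith("radius scheme ")
            for m in map(pat.match, subs) if m}

def das_clients(sections):
    """IPv4 addresses listed as clients under 'radius dynamic-author server'."""
    pat = re.compile(r"^client ip (\d+(?:\.\d+){3})\b")
    subs = sections.get("radius dynamic-author server", [])
    return {m.group(1) for m in map(pat.match, subs) if m}

def servers_without_das_client(text):
    """RADIUS servers in use that have no dynamic-author client entry."""
    s = parse_sections(text)
    return sorted(radius_servers(s) - das_clients(s))

if __name__ == "__main__":
    for ip in servers_without_das_client(SAMPLE_CONFIG):
        print(f"no 'client ip {ip}' under 'radius dynamic-author server'")
```

Run against a saved copy of the switch configuration, an empty result means every RADIUS server in use also has a dynamic-author client entry.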