Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Switch Dell N2024 CoA

  • 1.  Switch Dell N2024 CoA

    Posted May 26, 2023 09:27 AM

    Hello guys,

    I have configured a Dell N2024 switch with 802.1X, authc, authz, accounting and dyn-author. On the ClearPass side I added this switch as an IETF device and created a profile named Dell CoA using the default IETF CoA from the system.

    The authentication occurs perfectly, but when I go to Change Status via Access Tracker I am unable to send any CoA actions. I removed the configuration from the switch and reinserted it, but it doesn't work.

    The firmware in use is 6.7.1.21.

    Any ideas?

    Thank you.



  • 2.  RE: Switch Dell N2024 CoA

    EMPLOYEE
    Posted May 26, 2023 06:43 PM

    I think your ClearPass configuration is fine. In the past I had lots of issues with Dell switches, and most of them were caused by the switch firmware.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Switch Dell N2024 CoA

    Posted May 29, 2023 10:14 AM

    I will check if there is another firmware version.

    I will let you know.




  • 4.  RE: Switch Dell N2024 CoA

    Posted Jun 28, 2023 10:16 AM

    I updated the switch to the newest version and the behavior is the same.

    In the packet capture I can see that the switch sends many attributes: User-Name, Calling-Station-Id, NAS-Port, NAS-IP. Do you know if CPPM needs to receive some special attribute?


    Thanks,




  • 5.  RE: Switch Dell N2024 CoA

    EMPLOYEE
    Posted Jun 28, 2023 07:36 PM

    I suggest doing a pcap on the switch to see if the CoA packets that ClearPass sends are received.






  • 6.  RE: Switch Dell N2024 CoA

    Posted Jun 28, 2023 07:41 PM

    When I try to do CoA via Access Tracker, I can't.

    RADIUS Dyn is grayed out, as in the image below:

    Thanks,




  • 7.  RE: Switch Dell N2024 CoA

    EMPLOYEE
    Posted Jun 28, 2023 07:43 PM

    Are you referencing a CoA type of enforcement profile? If so, please paste the screenshot.






  • 8.  RE: Switch Dell N2024 CoA

    Posted Jun 28, 2023 08:43 PM

    I added this switch as IETF vendor and created CoA profiles using the IETF standard from the templates below:

    Tks,




  • 9.  RE: Switch Dell N2024 CoA

    EMPLOYEE
    Posted Jun 29, 2023 03:04 AM

    Sure, so what is the enforcement profile that you use? Is it this? If not, try using it.






  • 10.  RE: Switch Dell N2024 CoA

    Posted Jun 29, 2023 08:16 AM

    Yes, I used this profile but it doesn't work, so I tried to use the other profile but the behavior is the same.

    Thanks,




  • 11.  RE: Switch Dell N2024 CoA
    Best Answer

    Posted Jul 03, 2023 07:38 AM

    Do you have accounting enabled on your switch?

    Do you have Insight & Log interim accounting packets enabled on ClearPass?

    If not, do so and try again. If RADIUS Dynamic Authorization is greyed out in Access Tracker, most likely there is no active session known.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Switch Dell N2024 CoA

    Posted Jul 05, 2023 01:23 PM

    Hi Herman,

    Acct is enabled on the switch and ClearPass.

    See the RADIUS configuration below.

    I opened a TAC case to investigate.

    Regards,




  • 13.  RE: Switch Dell N2024 CoA

    Posted Jul 05, 2023 03:01 PM

    Hello Herman, thanks a lot.
    One ClearPass member had acct disabled; after enabling acct, the RADIUS CoA of the profile inside the service works.

    But when I try to do CoA manually via Change Status, RADIUS Dyn-Autho continues to be greyed out.

    Any idea?




  • 14.  RE: Switch Dell N2024 CoA

    Posted Jul 06, 2023 07:11 AM

    CoA is only available as an option for an (the most recent) active session. So if an automatic CoA has been sent, which triggered a new authentication, only the active session (with accounting data coming in) will have the option to do CoA. Sometimes when you are testing and have many entries in Access Tracker, it may be hard to see which is the last/active session. In general if an automatic CoA works (via Profiling tab), it should also work from Access Tracker (Change Status).






  • 15.  RE: Switch Dell N2024 CoA

    Posted Jul 20, 2023 08:16 AM

    I found out what was going on.
    1- The CPPM that receives authentication from the Dell switch had log interim acct disabled; after enabling it, the automatic CoA that is inside the profiling in the service tab started to work.

    The manual session termination via Access Tracker --> Change Status did not work because this CPPM is in another zone (ZoneB) and I was trying to send the manual CoA through the publisher, which is in the default zone. When I log in to ZoneB's CPPM I can manually send CoA through Access Tracker --> Change Status.

    Things I didn't know, I am learning.

    Many thanks to everyone who took the time to help me with the case.
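
Added example, not part of the thread and not ClearPass or Dell code: the replies above suggest capturing traffic to see whether the CoA packets arrive, and explain that CoA is only offered for the active session with accounting data coming in. This Python code decodes RADIUS payloads taken from such a capture and reports the last accounting status per Acct-Session-Id plus any Disconnect/CoA messages seen. The function names and sample packets are constructed for illustration, and the UDP payloads are assumed to have been extracted from the pcap already.

```python
import struct
# Packet codes and attributes (RFC 2865/2866/5176) that matter for this thread.
CODES = {4: "Accounting-Request", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 31: "Calling-Station-Id",
         40: "Acct-Status-Type", 44: "Acct-Session-Id", 101: "Error-Cause"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_radius(payload):
    """Decode one RADIUS UDP payload: 20-byte header, then type/length/value attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("Length field does not match the payload")
    attrs, pos = {}, 20
    while pos < length:
        a_type, a_len = payload[pos], payload[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value, name = payload[pos + 2:pos + a_len], ATTRS.get(a_type)
        if a_type in (5, 40, 101):          # 32-bit integer attributes
            attrs[name] = int.from_bytes(value, "big")
        elif a_type == 4:                   # IPv4 address
            attrs[name] = ".".join(str(b) for b in value)
        elif name:                          # text attributes
            attrs[name] = value.decode("utf-8", "replace")
        pos += a_len
    return {"code": CODES.get(code, "code-%d" % code), "id": ident, "attrs": attrs}

def summarize(payloads):
    """Return (last accounting status per Acct-Session-Id, dynamic-authorization codes seen)."""
    sessions, dyn_auth = {}, []
    for pkt in map(parse_radius, payloads):
        if pkt["code"] == "Accounting-Request":
            status = pkt["attrs"].get("Acct-Status-Type")
            sessions[pkt["attrs"].get("Acct-Session-Id")] = ACCT_STATUS.get(status, status)
        elif pkt["code"] in CODES.values():
            dyn_auth.append(pkt["code"])
    return sessions, dyn_auth

def build(code, ident, attrs):  # constructed sample packet with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

SAMPLE = [  # constructed traffic: one ended session, one active session, one disconnect
    build(4, 1, [(44, b"sess-A"), (40, b"\x00\x00\x00\x01"), (31, b"AA-BB-CC-00-11-22")]),
    build(4, 2, [(44, b"sess-A"), (40, b"\x00\x00\x00\x02")]),
    build(4, 3, [(44, b"sess-B"), (40, b"\x00\x00\x00\x03"), (4, bytes([192, 0, 2, 10]))]),
    build(40, 9, [(44, b"sess-B")]), build(41, 9, [])]
```

A session whose last status is Stop, or a capture with no Interim-Update records at all, matches the "no active session known" condition described in the thread; a Disconnect-Request with no ACK or NAK after it points at the path between ClearPass and the switch.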