Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass CoA to Extreme Switches

  • 1.  ClearPass CoA to Extreme Switches

    Posted Jan 10, 2019 02:46 PM

    Hi, experts

    Does anyone know how to configure and initiate a CoA to one of the Extreme Summit x440 and Summit x450 switches?

    I need to configure OnGuard in ClearPass for verification of the health status of the devices, and CoA is indispensable for this.

     

    Thank you



  • 2.  RE: ClearPass CoA to Extreme Switches

    EMPLOYEE
    Posted Jan 10, 2019 03:10 PM

    I assume you mean a Disconnect, not a CoA?

     

    Try using just the standard IETF Disconnect Message that is built in.



  • 3.  RE: ClearPass CoA to Extreme Switches

    Posted Jan 10, 2019 03:17 PM

    Hi, Tim

     

    Yes, I meant a "port bounce".
    The standard IETF Disconnect Message that is built into ClearPass?

     

    Thanks for your reply



  • 4.  RE: ClearPass CoA to Extreme Switches

    EMPLOYEE
    Posted Jan 10, 2019 03:21 PM
    I don’t believe Extreme has a Port Bounce CoA.


  • 5.  RE: ClearPass CoA to Extreme Switches

    Posted Jan 10, 2019 03:27 PM

    So how could I make OnGuard work for the change of VLANs?

     

    Regards



  • 6.  RE: ClearPass CoA to Extreme Switches

    EMPLOYEE
    Posted Jan 10, 2019 03:28 PM
    You’d have to use the Agent Bounce.


  • 7.  RE: ClearPass CoA to Extreme Switches

    Posted Jan 10, 2019 03:39 PM

    Thanks for your reply, Tim

     

    What do I need to configure on the ClearPass side for this to work only with Extreme switches?

     

     



  • 8.  RE: ClearPass CoA to Extreme Switches

    Posted Jan 11, 2019 04:19 AM

    In the agent enforcement, set bounce client to true for each health status. This will force the OnGuard agent to perform a bounce from the client side (after a posture status change), not from the switch.

     

    Then the client will reauthenticate with the new health status to your dot1x service. There you can assign a new VLAN enforcement, for example user VLAN when posture status == healthy, and quarantine VLAN when posture status is unhealthy.



  • 9.  RE: ClearPass CoA to Extreme Switches

    Posted Jan 11, 2019 09:51 AM

    Thanks for your reply, Fabian.

    I'm going to test your solution and post the results.

     

    Regards