Occasional Contributor II

ClearPass CoA to Extreme Switches

Hi, experts

Does anyone know how to configure and initiate a CoA to one of the Extreme Summit x440 and Summit x450 switches?

I need to configure OnGuard in ClearPass for verification of the health status of the devices, and CoA is indispensable for this.

 

Thank you

Guru Elite

Re: ClearPass CoA to Extreme Switches

I assume you mean a Disconnect, not a CoA?

Try using just the standard IETF Disconnect Message that is built in.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass CoA to Extreme Switches

Hi, Tim

Yes, I meant a "port bounce".
The standard IETF Disconnect Message that is built into ClearPass?

 

Thanks for your reply

Guru Elite

Re: ClearPass CoA to Extreme Switches

I don’t believe Extreme has a Port Bounce CoA.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: ClearPass CoA to Extreme Switches

So how could I make OnGuard work for the change of VLANs?

 

Regards

Guru Elite

Re: ClearPass CoA to Extreme Switches

You’d have to use the Agent Bounce.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: ClearPass CoA to Extreme Switches

Thanks for your reply, Tim

 

What do I need to configure on the ClearPass side for this to work only with Extreme switches?

 

 

Contributor II

Re: ClearPass CoA to Extreme Switches

In the agent enforcement, set bounce client to true for each health status. This will force the OnGuard agent to perform a bounce from the client side (after a posture status change), not from the switch.

Then the client will reauthenticate with the new health status to your dot1x service; there you can assign a new VLAN enforcement, for example the user VLAN when posture status == healthy, and the quarantine VLAN when posture status is unhealthy.

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Occasional Contributor II

Re: ClearPass CoA to Extreme Switches

Thanks for your reply, Fabian.

I'm going to test your solution and post the results.

 

Regards
