Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass HP ProCurve CoA issue?

  • 1.  ClearPass HP ProCurve CoA issue?

    Posted Oct 14, 2015 07:31 AM

    I have integrated an HP ProCurve switch with Aruba ClearPass. Authentication works very well, but the thing is I have configured that if the user is an Employee and has a healthy token he shall be in VLAN X, and if not he shall be in VLAN Y. However, the user has to log out from Windows and log in again; CoA doesn't take action directly after changes:

    Example:

    A user connected and he is not healthy because of antivirus. Now, after installing antivirus, he should be healthy and should be enforced to the Healthy VLAN, but what happened is that he keeps being in the Unhealthy VLAN and should log out from Windows and log in again (is that normal behavior?), as I believe action should be taken once things are done.



  • 2.  RE: ClearPass HP ProCurve CoA issue?

    Posted Oct 14, 2015 11:57 AM

    Is the VLAN not being changed, or is it just the case that Windows is not getting a new IP address on the new VLAN? These are very different problems.

     

    The currently released HP Provision switch code supports CoA and will successfully change the VLAN. However, clients have no way of detecting this VLAN change, and without changing IP addresses won't be able to communicate.

     

    A future release of HP Provision code will support "port bounce". This provides the capability to drop link on a port at the same time the VLAN is changed, forcing the client to obtain a new IP address. Sorry, but I don't have an exact date for this code release.



  • 3.  RE: ClearPass HP ProCurve CoA issue?

    Posted Oct 15, 2015 10:43 AM

    Thank you so much for your reply,

    The VLAN enforcement is working when the user is doing authentication, but if the user was in a state and the state changed, no VLAN change happens; he should log out and log in again, doing full authentication.



  • 4.  RE: ClearPass HP ProCurve CoA issue?

    Posted Oct 24, 2015 07:49 AM

    Not sure if you are asking a question or stating a fact now?

    In any case, you can't in general change a VLAN on an active Windows system; it won't request a new IP, and that means you don't have the IP from the new VLAN you are in.

    This is a general issue on all types of switches; it is nice to see HP is doing something about it.

    If you are using the OnGuard agent you can also, next to the CoA, do an interface bounce; that should trigger the DHCP request. But this remains a tricky configuration.