Hi
I am trying to configure dynamic ACL with ClearPass and a Comware switch, HPE 5130 HI, but it is not working as expected.
It seems that the switch gets the ACL ID successfully, but the ACL has no effect - no traffic is filtered.
According to the document Wired Policy Enforcement, I send the ACL ID from ClearPass with the IETF:Filter-id attribute (in my case 3900), and the switch shows that ACL as the authorization ACL:
[B-GPD2-IT]disp dot1x connection
Total connections: 1
Slot ID: 1
User MAC address: 34e6-d710-edf2
Access interface: GigabitEthernet1/0/48
Username: ZIAJA\kn_serwis
User access state: Successful
Authentication domain: ziaja
IPv4 address: 192.168.18.12
Authentication method: EAP
Initial VLAN: 1
Authorization untagged VLAN: 18
Authorization tagged VLAN list: N/A
Authorization VSI: N/A
Authorization ACL ID: 3900
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: Radius-request
Session timeout period: 10800 s
Online from: 2019/02/06 15:00:32
Online duration: 0h 1m 6s
But this ACL has no effect.
The ACL is as follows:
Advanced IPv4 ACL 3900, 5 rules,
ACL's step is 5, start ID is 0
rule 20 deny ip source 8.8.8.8 0
rule 30 deny icmp destination 8.8.8.8 0
rule 40 deny icmp source 8.8.8.8 0
rule 50 deny icmp
rule 60 deny ip
I entered more rules to be sure I filter all ICMP and IP.
My port config is as follows:
port link-type hybrid
port hybrid vlan 1 untagged
undo voice-vlan mode auto
voice-vlan 103 enable
stp edged-port
poe enable
dot1x
undo dot1x handshake
dot1x re-authenticate server-unreachable keep-online
dot1x timer reauth-period 7200
mac-authentication
mac-authentication re-authenticate server-unreachable keep-online
dhcp snooping binding record
802.1X and MAC authentication are working fine.
The port works in 802.1X MAC-based mode.
It seems that in port-based mode the ACL works OK.
I would appreciate any help.
Best regards
Karol
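As an added example (not part of the original post), the following script evaluates ACL 3900 as written above under Comware's first-match rule semantics, to confirm that if the switch actually applied it, every IPv4 packet from the authenticated client would be dropped. This separates "the ACL is wrong" from "the switch is not enforcing the authorization ACL". The default action of permit when no rule matches is an assumption about Comware packet-filter behaviour; the rule text and client address are copied from the post.

```python
import ipaddress

# Rule text copied from the post ("display acl 3900" output).
ACL_3900 = """
rule 20 deny ip source 8.8.8.8 0
rule 30 deny icmp destination 8.8.8.8 0
rule 40 deny icmp source 8.8.8.8 0
rule 50 deny icmp
rule 60 deny ip
"""

def _to_int(s):
    # Comware prints an exact-host wildcard mask as a bare "0".
    return int(s) if "." not in s else int(ipaddress.IPv4Address(s))

def parse_rules(text):
    """Parse 'rule <id> <action> <proto> [source A W] [destination A W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rule = {"id": int(t[1]), "action": t[2], "proto": t[3],
                "source": None, "destination": None}
        i = 4
        while i + 2 < len(t):
            rule[t[i]] = (_to_int(t[i + 1]), _to_int(t[i + 2]))  # (addr, wildcard)
            i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])  # config order == ascending ID here

def _addr_matches(spec, pkt_addr):
    if spec is None:
        return True
    addr, wildcard = spec
    # Wildcard mask: set bits are "don't care", so compare only the zero bits.
    return ((addr ^ _to_int(pkt_addr)) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst):
    """Return (action, rule_id) of the first matching rule, or ('permit', None).
    Assumption: Comware packet-filter permits traffic that matches no rule."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if _addr_matches(r["source"], src) and _addr_matches(r["destination"], dst):
            return r["action"], r["id"]
    return "permit", None

if __name__ == "__main__":
    rules = parse_rules(ACL_3900)
    client = "192.168.18.12"  # IPv4 address shown in 'display dot1x connection'
    for proto, dst in (("icmp", "8.8.8.8"), ("icmp", "192.168.18.1"), ("tcp", "1.1.1.1")):
        print(proto, client, "->", dst, evaluate(rules, proto, client, dst))
```

If every line prints "deny", the ACL itself is sound and the problem lies in the switch applying the authorization ACL to the MAC-based 802.1X session rather than in the rule set.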