Frequent Contributor I

Re: Dynamic ACL with ClearPass and comware switches

Hi Dik and Tim,

Thanks for your responses.

 

I have watched the videos and read the document. Both are interesting.

In regards to my problem with Session termination (CoA): I have defaulted the port and then reconfigured it from scratch, and it seems to work for now. But it is a little bit strange...

It seems I cannot use port bounce instead of session termination, because I have an IP phone (Avaya) connected to the same port in the tagged VLAN and it disconnects with session termination.

I have the dot1x handshake disabled.

My port configuration is as follows:


interface GigabitEthernet1/0/48
 port link-type hybrid
 port hybrid vlan 1 untagged
 undo voice-vlan mode auto
 voice-vlan 103 enable
 stp edged-port
 poe enable
 dot1x
 undo dot1x handshake
 mac-authentication
 dhcp snooping binding record
:


And I have authentication every 30 sec., as you can see in the attachment.

But I have dot1x/mac-auth instead of port-security.

By the way, what is the advantage of port-security over dot1x/mac-auth?

Regards

Karol

Frequent Contributor I

Re: Dynamic ACL with ClearPass and comware switches

Hi,

OK, I have switched to port-security, turned off multicast-trigger and turned on unicast-trigger.

I had the wrong device type (Hewlett-Packard instead of H3C).

It seems to work fine now.

My port configuration is now a little long, but hopefully fine, as follows:


interface gigabit 1/0/48
 port link-type hybrid
 port hybrid vlan 1 untagged
 undo voice-vlan mode auto
 voice-vlan 103 enable
 mac-vlan enable
 stp edged-port
 poe enable
 undo dot1x handshake
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 dot1x re-authenticate server-unreachable keep-online
 mac-authentication max-user 2
 mac-authentication re-authenticate server-unreachable keep-online
 port-security port-mode userlogin-secure-or-mac-ext
 dhcp snooping binding record


And I haven't got the every-30-sec. authentication in CPPM any more :)

Regards

Karol

Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

Looking good. :-)

 

Thanks for your response.

 

Dik

Frequent Contributor I

Re: Dynamic ACL with ClearPass and comware switches

Hi,

Unfortunately, still one problem:

After sending the H3C Terminate Session CoA to the switch, my IP phone loses connection.

My phone is on the tagged VLAN and the laptop on the untagged one.

The phone is authenticated MAC-based, the laptop with 802.1X.

Is this a bug for which I should contact TAC, or is it normal?

Should I use CoA in a different way?

I temporarily use Agent bounce port instead of CoA, but I would prefer CoA.

My phone is an Avaya 1616.

Please advise.

Karol

Moderator

Re: Dynamic ACL with ClearPass and comware switches

Terminate Session is a Disconnect, not a CoA.



The Disconnect should only apply to the MAC address for the session, so the
phone should not disconnect if you're attempting to disconnect a downstream
device. Please open a TAC case.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |
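The distinction Tim draws above (a Terminate Session is an RFC 5176 Disconnect-Request that names one session by its MAC, not a CoA) can be seen in the packet itself. The following is an added example, not code from this thread or from ClearPass or Comware; the shared secret, identifier and MAC string are constructed assumptions (the Calling-Station-Id format actually sent depends on the NAS).

```python
import hashlib
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_CALLING_STATION_ID = 31   # the session's MAC address (RFC 2865)
ATTR_ERROR_CAUSE = 101         # reason code carried in a Disconnect-NAK

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_disconnect_request(secret: bytes, identifier: int, mac: str) -> bytes:
    """Disconnect-Request that names one session by Calling-Station-Id only.
    Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)."""
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """What the NAS sends back (ACK or NAK), bound to the request's authenticator.
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Validate an ACK/NAK against the request it answers before trusting it."""
    if len(response) < 20 or response[1] != request[1]:
        return "mismatch"           # truncated, or answers a different request
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return "bad-authenticator"  # wrong shared secret or tampered packet
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(response[0], "unknown")

if __name__ == "__main__":
    # Constructed sample values: the secret and MAC are not from the thread.
    req = build_disconnect_request(b"s3cret", 7, "00-11-22-33-44-55")
    print(parse_attrs(req))         # only the one Calling-Station-Id is in scope
    print(verify_response(b"s3cret", req, build_response(b"s3cret", req, DISCONNECT_ACK)))
```

A Disconnect-NAK with Error-Cause 503 (Session Context Not Found) is what a NAS returns when the named MAC has no session on that port, which is the first thing to check in a packet capture when a disconnect appears to hit the wrong device.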

Frequent Contributor I

Re: Dynamic ACL with ClearPass and comware switches

Hi,

Thanks for the fast answer and explanation.

I will contact TAC.

Do you see any alternative to my config, maybe only sending a different VLAN with CoA?

Regards

Karol

Moderator

Re: Dynamic ACL with ClearPass and comware switches

I don't know if Comware supports a VLAN via CoA.


| Aruba Alumni | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: Dynamic ACL with ClearPass and comware switches

Hi Tim,

Thanks for the response.

I'm a little bit confused about my configuration; probably I must contact Avaya or HPE TAC.

Now I'm not using Terminate Session for the PC (I'm using Agent-based port bounce). The PC and phone connect and authorize, but the Avaya phone disconnects after some time (some minutes, some 10 min).

I see that the multicast-trigger option changes the behaviour on the port for the telephone.

Regards

Karol
