Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dynamic ACL with ClearPass and comware switches

  • 1.  Dynamic ACL with ClearPass and comware switches

    Posted Feb 06, 2019 09:20 AM

    Hi

     

    I am trying to configure a dynamic ACL with ClearPass and a Comware switch (HPE 5130 HI), but it is not working as expected.

    It seems that the switch gets the ACL ID successfully, but the ACL has no effect: no traffic is filtered.

    According to the Wired Policy Enforcement document, I send the ACL ID from ClearPass with the IETF:Filter-Id attribute (in my case 3900), and the switch shows that ACL as the authorization ACL:

     

    [B-GPD2-IT]disp dot1x connection
    Total connections: 1
    Slot ID: 1
    User MAC address: 34e6-d710-edf2
    Access interface: GigabitEthernet1/0/48
    Username: ZIAJA\kn_serwis
    User access state: Successful
    Authentication domain: ziaja
    IPv4 address: 192.168.18.12
    Authentication method: EAP
    Initial VLAN: 1
    Authorization untagged VLAN: 18
    Authorization tagged VLAN list: N/A
    Authorization VSI: N/A
    Authorization ACL ID: 3900
    Authorization user profile: N/A
    Authorization CAR: N/A
    Authorization URL: N/A
    Termination action: Radius-request
    Session timeout period: 10800 s
    Online from: 2019/02/06 15:00:32
    Online duration: 0h 1m 6s

     

    But this ACL has no effect.

    ACL is as follows:

    Advanced IPv4 ACL 3900, 5 rules,
    ACL's step is 5, start ID is 0
     rule 20 deny ip source 8.8.8.8 0
     rule 30 deny icmp destination 8.8.8.8 0
     rule 40 deny icmp source 8.8.8.8 0
     rule 50 deny icmp
     rule 60 deny ip

    I entered more rules to be sure I filter all ICMP and IP traffic.

     

    My port config is as follows:

     port link-type hybrid
     port hybrid vlan 1 untagged
     undo voice-vlan mode auto
     voice-vlan 103 enable
     stp edged-port
     poe enable
     dot1x
     undo dot1x handshake
     dot1x re-authenticate server-unreachable keep-online
     dot1x timer reauth-period 7200
     mac-authentication
     mac-authentication re-authenticate server-unreachable keep-online
     dhcp snooping binding record

     

    802.1x and mac-auth are working fine.

    The port works in 802.1x MAC-based mode.

    It seems that in port-based mode the ACL works OK.

     

    I would appreciate any help.

     

    Best regards 

     

    Karol
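    Worked example added by the editor (not code from the original post, and not HPE/Aruba tooling): a small Python check that parses the `display dot1x connection` and `display acl` output quoted above and confirms that the session's authorization ACL matches the Filter-Id the policy server sent and that the named ACL actually contains rules. The sample text is constructed from the output in the post; the function names are the editor's assumptions.

```python
"""Added example (editor's code, not from the thread or from HPE/Aruba):
check that the Filter-Id sent by ClearPass actually landed as the session's
authorization ACL on a Comware port, and that the ACL it names has rules.
Sample input is constructed from the `display dot1x connection` and
`display acl` output quoted in the post."""
import re

# Constructed sample: trimmed copy of the post's `display dot1x connection`.
DOT1X_CONNECTION = """\
Total connections: 1
Slot ID: 1
User MAC address: 34e6-d710-edf2
Access interface: GigabitEthernet1/0/48
Username: ZIAJA\\kn_serwis
User access state: Successful
Authorization untagged VLAN: 18
Authorization ACL ID: 3900
Termination action: Radius-request
Online from: 2019/02/06 15:00:32
"""

# Constructed sample: the post's `display acl 3900`.
ACL_DISPLAY = """\
Advanced IPv4 ACL 3900, 5 rules,
ACL's step is 5, start ID is 0
 rule 20 deny ip source 8.8.8.8 0
 rule 30 deny icmp destination 8.8.8.8 0
 rule 40 deny icmp source 8.8.8.8 0
 rule 50 deny icmp
 rule 60 deny ip
"""


def parse_dot1x_connection(text):
    """Split the display output into one {label: value} dict per session.
    A new session starts at each 'User MAC address' line; header lines
    before the first session (Total connections, Slot ID) are ignored."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "User MAC address":
            current = {}
            sessions.append(current)
        elif current is None:
            continue
        current[key] = value
    return sessions


def parse_acl(text):
    """Return (acl_number, [rule lines]) from `display acl <n>` output."""
    m = re.search(r"ACL (\d+),", text)
    number = int(m.group(1)) if m else None
    rules = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("rule ")]
    return number, rules


def check_dynamic_acl(session, expected_filter_id, acl_text):
    """Return a list of findings; an empty list means the authorization
    state on the switch is consistent with what the policy server sent."""
    findings = []
    if session.get("User access state") != "Successful":
        findings.append("session is not in Successful state")
    acl_id = session.get("Authorization ACL ID", "N/A")
    if acl_id == "N/A":
        findings.append("no authorization ACL on the session: Filter-Id not applied")
    elif acl_id != str(expected_filter_id):
        findings.append(f"authorization ACL {acl_id} differs from Filter-Id {expected_filter_id}")
    number, rules = parse_acl(acl_text)
    if number != expected_filter_id:
        findings.append(f"ACL {number} on the switch is not the expected ACL {expected_filter_id}")
    elif not rules:
        findings.append(f"ACL {number} exists but has no rules, so nothing is filtered")
    return findings


if __name__ == "__main__":
    session = parse_dot1x_connection(DOT1X_CONNECTION)[0]
    findings = check_dynamic_acl(session, 3900, ACL_DISPLAY)
    print("\n".join(findings) if findings else "OK: ACL 3900 is bound to the session and has rules")
```

    Note that the output above passes this check, which is exactly the situation in the post: the binding is correct on both sides, yet traffic is not filtered. A passing control-plane check therefore does not replace a data-plane test (for example pinging a destination the ACL denies); when the binding checks out and traffic still flows, the fault is in enforcement itself, as the firmware fix later in this thread shows.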

     

     



  • 2.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 07, 2019 07:42 AM

    Hi Karol,

     

    The nas-filter-rule VSA is not supported on Comware. You have to configure the ACLs locally on the switches and use the IETF filter-id VSA.

     

    For example, if you have configured ACL 3000 on the switch, in the profile on ClearPass you set the IETF filter-id value to 3000. That should do the trick.

     

    Hope this helps.



  • 3.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 07, 2019 07:46 AM

    In addition to the response (I see that you are already using the filter-id VSA), I have also added the presentation that I gave during Atmosphere 2017.




  • 4.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Feb 07, 2019 04:24 PM

    Hi 

    Thanks a lot for the advice.

     

    I have looked at the presentation and I see that my port configuration is somewhat different. I also tried to use port-security instead of dot1x/mac-auth, but with the same effect; there are also other port configs and enforcement profiles that are different.

    However, I used the same profiles for 802.1x and mac-auth.

     

    I will make some tests and let you know the results.

     

    Karol



  • 5.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 08, 2019 03:49 AM

    Hi Karol,

     

    Sounds good. The information in the presentation has been demonstrated during Atmosphere in 2017 so the configs in there should work fine.

     

    Kind regards,

     

    Dik



  • 6.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Feb 12, 2019 06:47 AM

    Hi Dik

     

    Finally, it turned out that there was a bug in the firmware on the HPE 5130 HI switch. I found in the Release Notes for r1309p07 a resolution of a similar problem, and after installation of the new firmware it has started to work as expected.

     

    Now I have a slightly different problem with H3C Session termination.

    After sending this enforcement profile to the HPE 5130 HI switch, the client sometimes doesn't re-authenticate again.

    I use dot1x with mac-auth, but sometimes with dot1x alone there is a problem.

    I have updated the Windows drivers and tested it on a second laptop, but it seems the same.

    I have now switched to Agent-based Bounce ports.

    I cannot do H3C Bounce port because I also have a telephone connected to the port and it disconnects.

     

    Please advise; maybe I should contact Support?

     

    regards 

     

    Karol



  • 7.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Feb 12, 2019 07:11 AM

    Hi

     

    One more thing

    I can't get rid of the client authenticating every 30 sec, although re-authentication is turned off.

    I see in ClearPass every 30 sec an authentication entry for the client connected to the Comware switch.

    Do you know how to turn it off or change it?

     

    regards

     

    Karol



  • 8.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 13, 2019 05:22 AM

    Hi Karol,

     

    I don't have your configuration, but if you have Windows clients, you have to undo the dot1x handshake. Windows clients do not support handshake. If this is enabled on the switch, the switch checks every 30 seconds whether the client is still online. The client that does not support handshake, will not respond, and therefore this will trigger a re-authentication.

     

    Hope this helps.

     

    Dik



  • 9.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 13, 2019 05:56 AM

    Hi Karol,

     

    Check out the videos that I have created on the ABC networking channel.

     

    ClearPass Captive portal with Comware 7:

    https://www.youtube.com/watch?v=yAd7ERfTbAY&t=23s

    This video contains the port-bounce functionality. In the video I am using the port-bounce, but if you don't want to shut/unshut the port you can also re-authenticate the session. You need to do this with the "[Cisco - Reauthenticate-Session]" action in the bounce policy.

     

    There's another video that shows you all the good stuff with MAC Auth/Dot1x for Comware 7 and ClearPass.

    https://www.youtube.com/watch?v=HeRIpF-x3nA&t=753s

     

    Hope this helps.

     

    Dik

     



  • 10.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 13, 2019 12:15 PM
    Please follow the ClearPass Solution Guide for Wired Policy Enforcement for a validated configuration on both sides.


  • 11.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Feb 14, 2019 07:46 AM

    Hi Dik and Tim 

     

    Thanks for responses 

     

    I have watched videos and read document. Both are interesting. 

    In regards to my problem with Session termination (CoA), I have defaulted the port and then reconfigured it from scratch, and it seems to work for now. But a little bit strange...

    It seems I cannot use port bounce instead of session termination because I have an IP phone (Avaya) connected to the same port in a tagged VLAN, and it disconnects with session termination.

    I have dot1x handshake disabled.

    My port configuration is as follows:

     

    interface GigabitEthernet1/0/48
     port link-type hybrid
     port hybrid vlan 1 untagged
     undo voice-vlan mode auto
     voice-vlan 103 enable
     stp edged-port
     poe enable
     dot1x
     undo dot1x handshake
     mac-authentication
     dhcp snooping binding record
    :

     

    And I have authentication every 30 sec., as you can see in the attachment.

    But I have dot1x/mac-auth instead of port-security.

    By the way, what is the advantage of port-security over dot1x/mac-auth?

     

    Regards

     

    Karol



  • 12.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Feb 14, 2019 05:23 PM

    Hi

     

    OK, I have switched to port-security, turned off multicast-trigger and turned on unicast-trigger.

    I had the wrong device type (Hewlett-Packard instead of H3C).

    It seems to work fine now.

    My port configuration is now a little long, but hopefully fine, as follows:

     

    interface gigabit 1/0/48

     port link-type hybrid
     port hybrid vlan 1 untagged
     undo voice-vlan mode auto
     voice-vlan 103 enable
     mac-vlan enable
     stp edged-port
     poe enable
     undo dot1x handshake
     undo dot1x multicast-trigger
     dot1x unicast-trigger
     dot1x re-authenticate server-unreachable keep-online
     mac-authentication max-user 2
     mac-authentication re-authenticate server-unreachable keep-online
     port-security port-mode userlogin-secure-or-mac-ext
     dhcp snooping binding record

     

    And I no longer have the every-30-sec authentication in CPPM :)

     

    Regards

     

    Karol



  • 13.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Feb 15, 2019 03:06 AM

    Looking good. :-)

     

    Thanks for your response.

     

    Dik



  • 14.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Mar 01, 2019 10:22 AM

    Hi

     

    Unfortunately, still one problem:

     

    After sending the H3C Session termination CoA to the switch, my IP phone loses its connection.

    My phone is on a tagged VLAN and the laptop on untagged.

    The phone is authenticated MAC-based, the laptop with 802.1x.

     

    Is this a bug for which I should contact TAC, or is it normal?

    Should I use CoA in a different way?

    I temporarily use Agent bounce port instead of CoA, but I would prefer CoA.

    My phone is Avaya 1616

     

    Please advise

     

    Karol



  • 15.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Mar 01, 2019 10:29 AM
    Terminate Session is a Disconnect, not a CoA.

    The Disconnect should only apply to the MAC address for the session, so the phone should not disconnect if you're attempting to disconnect a downstream device. Please open a TAC case.


  • 16.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Mar 01, 2019 10:38 AM

    Hi

     

    Thanks for fast answer and explanation 

     

    I will contact TAC

     

    Do you see any alternative to my config, maybe only sending a different VLAN with CoA?

     

    regards

     

    Karol



  • 17.  RE: Dynamic ACL with ClearPass and comware switches

    EMPLOYEE
    Posted Mar 01, 2019 10:45 AM
    I don't know if Comware supports a VLAN via CoA.


  • 18.  RE: Dynamic ACL with ClearPass and comware switches

    Posted Mar 03, 2019 03:20 PM

    Hi Tim 

     

    Thanks for response

    I'm a little bit confused about my configuration; probably I must contact Avaya or HPE TAC.

    Now I'm not using Terminate Session for the PC (I'm using Agent-based port bounce). The PC and phone connect and authorize, but the Avaya phone disconnects after some time (some minutes, some 10 min).

     

    I see that the multicast trigger option changes the behaviour on the port for the telephone.

     

    regards

     

    Karol