Contributor II

Dynamic ACL with ClearPass and comware switches

Hi

I try to configure dynamic ACL with ClearPass and a Comware switch HPE 5130 HI, but it is not working as expected.

It seems that the switch gets the ACL ID successfully but the ACL is without effect - no traffic is filtered.

According to the document Wired Policy Enforcement I send the ACL-id from ClearPass with the IETF:Filter-id attribute (in my case 3900) and the switch shows that ACL as authorization ACL:

[B-GPD2-IT]disp dot1x connection
Total connections: 1
Slot ID: 1
User MAC address: 34e6-d710-edf2
Access interface: GigabitEthernet1/0/48
Username: ZIAJA\kn_serwis
User access state: Successful
Authentication domain: ziaja
IPv4 address: 192.168.18.12
Authentication method: EAP
Initial VLAN: 1
Authorization untagged VLAN: 18
Authorization tagged VLAN list: N/A
Authorization VSI: N/A
Authorization ACL ID: 3900
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: Radius-request
Session timeout period: 10800 s
Online from: 2019/02/06 15:00:32
Online duration: 0h 1m 6s


But there is no effect from this ACL.

The ACL is as follows:

Advanced IPv4 ACL 3900, 5 rules,
ACL's step is 5, start ID is 0
 rule 20 deny ip source 8.8.8.8 0
 rule 30 deny icmp destination 8.8.8.8 0
 rule 40 deny icmp source 8.8.8.8 0
 rule 50 deny icmp
 rule 60 deny ip

I entered more rules to be sure I filter all ICMP and IP.

My port config is as follows:

 port link-type hybrid
 port hybrid vlan 1 untagged
 undo voice-vlan mode auto
 voice-vlan 103 enable
 stp edged-port
 poe enable
 dot1x
 undo dot1x handshake
 dot1x re-authenticate server-unreachable keep-online
 dot1x timer reauth-period 7200
 mac-authentication
 mac-authentication re-authenticate server-unreachable keep-online
 dhcp snooping binding record

802.1x and mac-auth are working fine.

The port works in 802.1x MAC-based mode.

It seems that in port-based mode the ACL works ok.

I would appreciate any help.

Best regards

Karol
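An added example, not from the thread, that simulates how a Comware switch would evaluate the ACL 3900 rules above against a few packets, so you can check what the authorization ACL should block before testing on the wire. It assumes first-match ordering by rule ID, the Comware inverse wildcard mask (0 means exact host), that "ip" matches every IP protocol, and that a packet matching no rule is permitted.

```python
import ipaddress
import re

# Constructed copy of the ACL 3900 rules shown in the thread (Comware 7 syntax).
ACL_3900 = """
 rule 20 deny ip source 8.8.8.8 0
 rule 30 deny icmp destination 8.8.8.8 0
 rule 40 deny icmp source 8.8.8.8 0
 rule 50 deny icmp
 rule 60 deny ip
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(\w+)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
)


def parse_acl(text):
    """Return (id, action, proto, src, dst) tuples; src/dst are (addr, wildcard) or None."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        rid, action, proto, s_addr, s_wc, d_addr, d_wc = m.groups()
        src = (s_addr, s_wc) if s_addr else None
        dst = (d_addr, d_wc) if d_addr else None
        rules.append((int(rid), action, proto, src, dst))
    return sorted(rules)  # Comware evaluates rules in ascending ID order


def wildcard_match(addr, spec):
    """Comware wildcard is an inverse mask: '0' means exact host, 0.0.0.255 means a /24."""
    if spec is None:
        return True
    base, wc = spec
    wc_bits = int(ipaddress.IPv4Address("0.0.0.0" if wc == "0" else wc))
    return (int(ipaddress.IPv4Address(addr)) | wc_bits) == (int(ipaddress.IPv4Address(base)) | wc_bits)


def evaluate(rules, proto, src, dst):
    """First matching rule wins; 'ip' matches any IP protocol. No match -> permit (assumed default)."""
    for rid, action, rproto, rsrc, rdst in rules:
        if rproto not in ("ip", proto):
            continue
        if wildcard_match(src, rsrc) and wildcard_match(dst, rdst):
            return action, rid
    return "permit", None
```

With the catch-all rules 50 and 60 present, every packet from the authenticated host is denied, which is why "no traffic is filtered" points at the switch rather than at the ACL content.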


Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

Hi Karol,

The nas-filter-rule VSA is not supported on Comware. You have to configure the ACLs locally on the switches and use the IETF filter-id VSA.

For example, if you have configured ACL 3000 on the switch, in the profile on ClearPass you set the IETF filter-id value to 3000. That should do the trick.

Hope this helps.

Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

In addition to the response (I see that you are already using the filter-id VSA), I have also added the presentation that I gave during Atmosphere 2017.

Contributor II

Re: Dynamic ACL with ClearPass and comware switches

Hi

Thanks a lot for the advice.

I have looked at the presentation and I see that my port configuration is somewhat different. I also tried to use port-security instead of dot1x/mac-auth, but with the same effect; there are also other port configs that are different, and the enforcement profiles.

However, I used the same profiles for 802.1x and mac-auth.

I will make some tests and let you know about the results.

Karol

Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

Hi Karol,

Sounds good. The information in the presentation has been demonstrated during Atmosphere in 2017, so the configs in there should work fine.

Kind regards,

Dik

Contributor II

Re: Dynamic ACL with ClearPass and comware switches

Hi Dik

Finally it came out that there was a bug in the firmware on the HPE 5130 HI switch. I found in the Release Notes for r1309p07 a resolution of a similar problem, and after installation of the new firmware it has started to work as expected.

Now I have a slightly different problem with H3C Session termination.

After sending this enforcement profile to the HPE 5130 HI switch, the client sometimes doesn't reauthenticate again.

I use dot1x with mac-auth, but sometimes with dot1x alone there is a problem.

I have updated the Windows drivers and tested it on a second laptop, but it seems the same.

I have switched now to Agent based Bounce ports.

I cannot do H3C Bounce port because I also have a telephone connected to the port and it disconnects.

Please advise, maybe I should contact Support?

regards

Karol

Contributor II

Re: Dynamic ACL with ClearPass and comware switches

Hi

One more thing.

I can't fight the fact that the client authenticates every 30 sec although re-authentication is turned off.

I see in ClearPass every 30 sec an entry with authentication for the client connected to the Comware switch.

Do you know how to turn it off or change it?

regards

Karol

Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

Hi Karol,

I don't have your configuration, but if you have Windows clients, you have to undo the dot1x handshake. Windows clients do not support the handshake. If this is enabled on the switch, the switch checks every 30 seconds whether the client is still online. A client that does not support the handshake will not respond, and therefore this will trigger a re-authentication.

Hope this helps.

Dik

Aruba Employee

Re: Dynamic ACL with ClearPass and comware switches

Hi Karol,

Check out the videos that I have created on the ABC networking channel.

ClearPass Captive portal with Comware 7:

https://www.youtube.com/watch?v=yAd7ERfTbAY&t=23s

This video contains the port-bounce functionality. In the video I am using the port-bounce, but if you don't want to shut/unshut the port you can also re-authenticate the session. You need to do this with the "[Cisco - Reauthenticate-Session]" action in the bounce policy.

There's another video that shows you all the good stuff with MAC Auth/Dot1x for Comware 7 and ClearPass.

https://www.youtube.com/watch?v=HeRIpF-x3nA&t=753s

Hope this helps.

Dik

Guru Elite

Re: Dynamic ACL with ClearPass and comware switches

Please follow the ClearPass Solution Guide for Wired Policy Enforcement for a validated configuration on both sides.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.