Aruba Employee

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

You nailed it. Just make sure you have a webauth service for guest set up too. This is what you actually authenticate against, service-wise, with the portal page.

Also, I forgot to mention that the 5130EI needs to be on later code. I forget which specific code we added all of the features in; I think it was 3109P09, but 3113P05 is the latest available on the public website.

The cache is valid for 5 minutes by default in CPPM.

Occasional Contributor I

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Thank you for the reply. I need to arrange a site revisit before I can test it. I will let you know how I get on. Thanks again!

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Amazing, thanks!

Would you mind sharing your HPE-AOS-WIRED-GUEST service config, please? I'll be deploying this this week and I don't have any lab Comware switch, so I just want to be sure :)

ACCX #1137, ACMP, BCNE
Satori Internetworking
http://www.net-satori.ca/
Aruba Employee

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

The easiest way to do this is via the service wizard. Go to 'Start Here' and then, up at the top, click the full wizard link.

Then go to the web-based authentication wizard and fill it out how you need it to be (authentication, etc.). Below is a screenshot of my enforcement policy, which is very basic.

Web-Auth-Policy.PNG

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Hi Chris,

I deployed the solution today; everything is working fine, but the session terminate still isn't.

I can manually unplug/plug the ethernet cable or do a manual shut/undo shut on the port, which will get my device to the MAC auth service with its cached attribute and succeed.

When the Web-Auth service applies the [HPE - Terminate Session] enforcement profile, the PC never re-auths and stays on the captive portal enforcement profile.

Have you ever run into something similar?

Switch OS + Model:

HP 5130EI - 7.10.R3113P05

Thanks :)

ACCX #1137, ACMP, BCNE
Satori Internetworking
http://www.net-satori.ca/
Aruba Employee

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Sounds like CoA isn't working/responding.

Do you have dynamic RADIUS set up in the switch?

radius dynamic-author server

client ip <your IP> key simple <key>

Also, do you have CoA checked on the network device profile?

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Indeed, yes, the radius dynamic-author server is configured with the ClearPass IP and secret, and the CoA box is also checked and using its default port on the device.

Thanks!
ACCX #1137, ACMP, BCNE
Satori Internetworking
http://www.net-satori.ca/

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Here's the configuration currently running on the switch:

10.2.2.135 = ClearPass server IP

10.2.3.123 = Switch NAS IP

* Testing done on interface 1/0/15


#
dot1x
dot1x authentication-method eap
#
mac-authentication
mac-authentication domain test.net
mac-authentication user-name-format mac-address with-hyphen
#
interface GigabitEthernet1/0/15
description ** Test NAC **
port access vlan 301
stp edged-port
poe enable
undo dot1x handshake
dot1x mandatory-domain test.net
undo dot1x multicast-trigger
mac-authentication
mac-authentication domain test.net
#
acl number 3502 name PORTAL-REDIRECT
rule 0 permit ip destination Clearpass-IP 0
rule 10 permit ip destination GATEWAY-IP 0
rule 20 permit ip destination DNS-SERVER-IP 0
rule 30 permit udp destination-port eq bootps
rule 40 permit udp destination-port eq bootpc
#
radius scheme dev-dot1x
primary authentication 10.2.2.135 key cipher -Hidden-
primary accounting 10.2.2.135 key cipher -Hidden-
accounting-on enable
user-name-format without-domain
nas-ip 10.2.3.123
radius scheme system
user-name-format without-domain
#
radius dynamic-author server
client ip 10.2.2.135 key cipher -Hidden-
#
domain test.net
authentication lan-access radius-scheme dev-dot1x
authorization lan-access radius-scheme dev-dot1x
accounting lan-access radius-scheme dev-dot1x
authentication portal radius-scheme dev-dot1x
authorization portal radius-scheme dev-dot1x
accounting portal radius-scheme dev-dot1x

ACCX #1137, ACMP, BCNE
Satori Internetworking
http://www.net-satori.ca/
Aruba Employee

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

So there are a few ways we can tackle this.

We can do a packet capture to see if the CoA messages are going out, or we can do it via debug.

For the debug method, go into the switch and do 'debug radius all', then do 'term debug' and 'term mon'.

Then connect a PC up and let it get authenticated, and go into Access Tracker in ClearPass. At the bottom of that box there is a 'Change Status' button that you can click on to terminate the session. Select that HPE terminate session profile and then submit it. If successful, you should then see a bunch of debug output on the switch console. If that fails, then we need to look at other areas; something isn't configured right.

Here's an example of what you will see:


<HPE>*Oct 17 15:59:02:317 2016 HPE RADIUS/7/EVENT:
Received DAE request packet successfully.
*Oct 17 15:59:02:320 2016 HPE RADIUS/7/PACKET:
User-Name="643150a18e3d"
Calling-Station-Id="64-31-50-A1-8E-3D"
NAS-IP-Address=192.168.1.25
NAS-Port=16781314
Event-Timestamp="Oct 17 2016 15:59:00 UTC"
*Oct 17 15:59:02:321 2016 HPE RADIUS/7/PACKET:
28 c4 00 47 ad 4c dd 9b b8 9d 1c b7 43 f1 a9 f7
f6 7a 20 61 01 0e 36 34 33 31 35 30 61 31 38 65
33 64 1f 13 36 34 2d 33 31 2d 35 30 2d 41 31 2d
38 45 2d 33 44 04 06 c0 a8 01 19 05 06 01 00 10
02 37 06 58 04 f5 44

%Oct 17 15:59:02:330 2016 HPE MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/1-MACAddr=6431-50a1-8e3d-VLANID=2-Username=643150a18e3d-UsernameFormat=MAC address; MAC authentication user was logged off.
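As an added example (not from the thread, HPE or Aruba), the Python below decodes the DAE request from the hex dump in the debug output above into its RADIUS attributes and shows the RFC 5176 Request Authenticator check a receiver performs on a Disconnect/CoA request. The shared secret is not on the page, so PLACEHOLDER_SECRET is a stand-in and the check deliberately comes back False.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed from the hex dump in the 'debug radius all' output above (RFC 2865 header, then TLVs).
DAE_HEX = (
    "28 c4 00 47 ad 4c dd 9b b8 9d 1c b7 43 f1 a9 f7 f6 7a 20 61 "
    "01 0e 36 34 33 31 35 30 61 31 38 65 33 64 "
    "1f 13 36 34 2d 33 31 2d 35 30 2d 41 31 2d 38 45 2d 33 44 "
    "04 06 c0 a8 01 19 05 06 01 00 10 02 37 06 58 04 f5 44"
)

CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # RFC 5176 request codes
ATTRS = {1: ("User-Name", "string"), 4: ("NAS-IP-Address", "ipaddr"),  # types seen in this packet
         5: ("NAS-Port", "integer"), 31: ("Calling-Station-Id", "string"),
         55: ("Event-Timestamp", "time")}
DECODE = {
    "string": lambda v: v.decode("ascii"),
    "ipaddr": lambda v: ".".join(str(b) for b in v),
    "integer": lambda v: struct.unpack("!I", v)[0],
    "time": lambda v: datetime.fromtimestamp(struct.unpack("!I", v)[0], timezone.utc),
    "raw": bytes.hex,  # anything not in ATTRS is kept as hex
}

def parse_dae(raw: bytes) -> dict:
    """Parse a RADIUS DAE (CoA/Disconnect) request into a dict of decoded attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError(f"length field {length} does not match packet size {len(raw)}")
    pkt = {"code": CODES.get(code, code), "id": ident, "authenticator": raw[4:20].hex()}
    pos = 20
    while pos < length:
        atype, alen = raw[pos:pos + 2]  # ValueError if the TLV header itself is cut off
        if alen < 2 or pos + alen > length:  # reject truncated or overrunning TLVs
            raise ValueError(f"malformed attribute {atype} at offset {pos}")
        name, kind = ATTRS.get(atype, (f"Attr-{atype}", "raw"))
        pkt[name] = DECODE[kind](raw[pos + 2:pos + alen])
        pos += alen
    return pkt

def authenticator_valid(raw: bytes, secret: bytes) -> bool:
    """RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
    return expected == raw[4:20]

if __name__ == "__main__":
    packet = bytes.fromhex(DAE_HEX)
    print(parse_dae(packet))
    # The real shared secret is not on the page; with this placeholder the check prints False.
    print(authenticator_valid(packet, b"PLACEHOLDER_SECRET"))
```

The decoded fields match the attribute lines the switch printed (User-Name, Calling-Station-Id, NAS-IP-Address 192.168.1.25, NAS-Port 16781314, Event-Timestamp Oct 17 2016 15:59:00 UTC); a wrong secret on either side fails the authenticator check, which is what makes the NAS silently drop the CoA and leaves the client on the portal profile.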

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Thank you for the answer!

I think I found what I did wrong but can't try it today; maybe you can confirm. When I created the Device I selected H3C for the vendor name. The Enforcement profiles are for HPE; maybe they don't apply because of this?

I remember from the "Change Status" menu, I had no CoA available, probably because of this, except the generic one I created.

ACCX #1137, ACMP, BCNE
Satori Internetworking
http://www.net-satori.ca/