Frequent Contributor I

HealthCheck CoA and Mac OS X

Hi guys,

Does any of you have any experience with CoA and Mac OS X?

Today I was at a customer and we configured OnGuard. We implemented it wireless and wired so health checks can be performed on any client. The customer is using HPE switches and an Extreme wireless controller.

As described, everything works fine for Windows (10) clients. We did the same testing with Mac clients (wired / wireless) but ended up with the same fault.

The client status changes and is reported to ClearPass. ClearPass triggers a CoA and the client authenticates again (different VLAN for healthy / unhealthy clients).

On the wireless controller / switch we can see that the client is in the right VLAN, but it starves because it is holding a wrong IP address.

What I discovered was that every Mac client (Mac OS X 10.12.5) we tested acts the same. The client performs the authentication and after that no DHCP is done.

Again: Does anyone have a Mac with OnGuard and CoA up and running? Is there any special setting in Mac OS to change this behaviour?

Thanks in advance


Network Engineer
ACCX #931 | ACMP
Guru Elite

Re: HealthCheck CoA and Mac OS X

The wireless controller needs to do a L2 full disconnect. Which CoA/DM profile are you using?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: HealthCheck CoA and Mac OS X

Until now I use the Motorola preinstalled CoA.
As I wrote, it works fine for every Windows machine.
Wired, I use the predefined HPE CoA.
Network Engineer
ACCX #931 | ACMP
MVP Guru

Re: HealthCheck CoA and Mac OS X

Are you using the persistent agent?
If you are, then try using the Agent Bounce option; that way you don't need to rely on the CoA.
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: HealthCheck CoA and Mac OS X

Thanks for the hint. I was playing with this option but I didn't have that in mind right now.
I will try this tomorrow at the customer and will come back to you.

Thanks a lot
Network Engineer
ACCX #931 | ACMP
Frequent Contributor I

Re: HealthCheck CoA and Mac OS X

Hi Victor,

We tested your solution and it works fine.

Thanks a lot again!

Network Engineer
ACCX #931 | ACMP
Occasional Contributor I

Re: HealthCheck CoA and Mac OS X

Hi,

And if we have a client that uses the dissolvable agent? We can't do any bounce?

MVP Guru

Re: HealthCheck CoA and Mac OS X

You won’t be able to use the agent bounce feature with abut you could use RFC-3576 (Change of Authorization), but of course the Network Access Device needs to support it.

Thank you

Victor Fabian

Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: HealthCheck CoA and Mac OS X

We have the same problem as Freddy.

We have Mac OS X with 802.1X, and if it fails we do MAC authentication.

We have OnGuard, with a VLAN change between healthy and quarantine.

We have a Cisco phone between the switch and Mac OS X.

If we do a bounce port Cisco, it doesn't do anything.

If we do a bounce client with the non-dissolvable agent, it works and changes the VLAN.

But if the client doesn't want to install the agent and chooses the dissolvable agent, the bounce doesn't work and the VLAN doesn't change.

If we remove the Cisco phone:

If we do the bounce port, it works OK and changes the VLAN.

If the agent does the bounce, it works OK and changes the VLAN.

As I explained, if we have a phone between the switch and Mac OS X, the only solution that we have is to unplug the cord in this case???

On Windows, everything works OK.

Occasional Contributor I

Re: HealthCheck CoA and Mac OS X

Any help?

Regards