Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

host doesn't refresh ip after changing vlan 802.1x

  • 1.  host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 04:46 AM

    Hi everyone,

    I have a problem with the IP refresh after a VLAN change.
    Before a user logs on to the domain, the station authenticates and gets VLAN x with the IP address 192.168.1.10.
    After logging in to the domain and authenticating, it gets VLAN y with the address 192.168.10.10.
    Unfortunately, after logging in to the domain, it keeps the old address 192.168.1.10. After restarting the network card the user gets the correct address 192.168.10.10.

    Any suggestions?



  • 2.  RE: host doesn't refresh ip after changing vlan 802.1x

    EMPLOYEE
    Posted Jul 10, 2020 06:19 AM

    Firstly, most modern PCs expect the interface to go down for almost 10 s before releasing its IP address. If this is wired: the easier and most reliable method is to use CoA Port-Bounce. ClearPass by default takes the interface down for 12 s; when it comes back up, the new authentication will put it into the correct VLAN.

    If this is wireless it is impractical to take the SSID down; invariably the PC will attempt to connect to another available SSID. It is easier not to use VLAN switching but to change the ACLs that dictate what the device can access.

    Also, keep in mind that once a PC has got an IP address, when it attempts to refresh that IP it will initially make directed DHCP requests from the PC's IP to the DHCP server's IP. It may be desirable to block DHCP requests in VLAN y that have a source IP in VLAN x.



  • 3.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 07:13 AM

    It is a wired connection.
    Unfortunately, from Access Tracker I cannot use the CoA action; it is not available. Therefore I cannot use the VLAN change action in the enforcement policy as CoA. The VLAN change policy using CoA will not work.

    I will add that I have Insight enabled, the RADIUS CoA option is enabled on the switch, and the port is set to 3799.

    I have a ClearPass cluster.



  • 4.  RE: host doesn't refresh ip after changing vlan 802.1x

    EMPLOYEE
    Posted Jul 10, 2020 07:48 AM

    Do the switch and ClearPass have the same time?

    Did you configure it this way on the switch:

    https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html#s_Configuring_the_switch_to_access_a_RADIUS_server

    dyn-authorization

    Is CoA enabled in ClearPass for the network device?



  • 5.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 08:05 AM

    ClearPass and the switch have the same time.

    The following options are set on the switch:

    radius-server host 192.168.1.2 key "password for radius"
    radius-server host 192.168.1.2 dyn-authorization
    radius-server host 192.168.1.2 time-window 0

    CoA is enabled for the switch in CPPM.

    [screenshot: device.png]

    The Framed-IP-Address in the accounting section is empty. (I hid the NAS IP address.)

    [screenshot: accounting.png]



  • 6.  RE: host doesn't refresh ip after changing vlan 802.1x

    EMPLOYEE
    Posted Jul 10, 2020 08:15 AM

    ip client-tracker trusted

    DHCP snooping enabled?



  • 7.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 08:21 AM

    DHCP snooping and ip client-tracker trusted are not configured.



  • 8.  RE: host doesn't refresh ip after changing vlan 802.1x

    EMPLOYEE
    Posted Jul 10, 2020 08:40 AM

    So it looks like you have a problem with CoA.

    When the authentication request comes in are you seeing the Radius:IETF:NAS-IP-Address?

    This will be used as the IP address to send the CoA to.

    Is it correct?

    You need the times on the switch and ClearPass to be within 5 minutes

    Can you initiate a manual CoA from AccessTracker?

    Is the CoA request packet being received by the switch?



  • 9.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 08:51 AM

    After enabling the ip client-tracker trusted option, I can see the IP addresses from the switch (show port-access clients).
    Unfortunately, when logging in to the domain, the IP address doesn't refresh and the IP address field displays n/a in the list of authenticated clients.

    During the authentication request, I see the correct IP address in the Radius:IETF:NAS-IP-Address field.

    From Access Tracker, I can't manually initiate a CoA action because the field is inactive.

    [screenshot: accesstracker.png]

    The question is why I can't use this option?



  • 10.  RE: host doesn't refresh ip after changing vlan 802.1x

    EMPLOYEE
    Posted Jul 10, 2020 09:10 AM

    What type of switch with which firmware are you using?

    Is the correct Radius Vendor name configured?



  • 11.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 10, 2020 09:18 AM

    JL254A Configuration Editor; Created on release #WC.16.09.0004

    Vendor Name: Hewlett-Packard-Enterprise



  • 12.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 11, 2020 04:27 PM

    The fact you don't have the CoA option available in Access Tracker confirms there is likely a config issue around Dynamic-Auth on your switch/NAD.



  • 13.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 13, 2020 04:46 AM

    Below is a screenshot of the switch settings:
    [screenshot: switchconf.png]

    I again set the dyn-auth, time-window and RADIUS CoA options in the device settings on CPPM.

    I still can't use the CoA option.
    The device cluster is out of sync; can this cause a problem?
    While trying to drop a subscriber, I got the message: Cannot drop this node if publisher is not reachable.
    The publisher is reachable by IP address and FQDN (cppm-node1.domain.xyz).



  • 14.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Jul 13, 2020 07:45 AM

    Sync problem solved.

    What are the CPPM and switch requirements for CoA actions?

    On the switch I set:
    radius-server host 192.168.1.100 key "strong_pass"
    radius-server host 192.168.1.100 dyn-authorization
    radius-server host 192.168.1.100 time-window 0

    On CPPM I set:
    switch added to the device list,

    Vendor Name: Hewlett-Packard-Enterprise,
    Enable RADIUS Dynamic Authorization: Port: 3799,
    Enable Insight

    The switches and the CPPM cluster use the same NTP server.

    Are any additional settings I didn't mention required?
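The posts above (the port-bounce/CoA advice in reply 2 and the switch and CPPM checklist in reply 14) all hinge on the RADIUS Dynamic Authorization exchange of RFC 5176: ClearPass sends a Disconnect-Request or CoA-Request to the switch on UDP 3799, and the switch answers with an ACK or NAK that is authenticated with the same shared secret configured under `radius-server host ... key`. The following is an added example, not code from the thread or from HPE/Aruba; it builds such a request, verifies the switch's reply, and reads the Error-Cause from a NAK. The secret, user name, MAC address and NAS IP are constructed sample values, and the port-bounce variant (which carries a vendor-specific attribute not shown here) is not reproduced; a plain Disconnect-Request is used instead.

```python
"""RFC 5176 (RADIUS Disconnect / CoA) packet helpers. Added example; sample
values (secret, user, MAC, NAS IP) are constructed, not from the thread."""
import hashlib
import hmac
import socket
import struct
from typing import List, Optional, Tuple

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RFC 2865/2866 attribute types used to identify the session on the NAD
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44
ERROR_CAUSE = 101  # RFC 5176 section 3.5, carried in NAKs (e.g. 503 = Session Context Not Found)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def ipv4_attr(attr_type: int, ip: str) -> bytes:
    return encode_attr(attr_type, socket.inet_aton(ip))


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator (RFC 5176 s2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the NAD sends back. Response Authenticator:
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    Used here to simulate the switch so the exchange can run offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def response_is_valid(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if the Identifier matches the request and the
    Response Authenticator verifies under the shared secret; a spoofed reply
    or a secret mismatch between CPPM and the switch fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-octet header, rejecting bad lengths."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out


def error_cause(nak: bytes) -> Optional[int]:
    """Error-Cause value from a NAK, or None if absent."""
    for t, v in parse_attrs(nak):
        if t == ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def send_dynauth(nas_ip: str, packet: bytes, secret: bytes,
                 port: int = 3799, timeout: float = 3.0) -> Optional[bytes]:
    """Send to the NAD; return the verified reply, or None on timeout
    (dyn-authorization not enabled, port filtered, wrong NAS IP) or bad auth."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nas_ip, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if response_is_valid(packet, data, secret) else None


if __name__ == "__main__":
    secret = b"strong_pass"  # must equal the 'radius-server host ... key' on the switch
    attrs = (encode_attr(USER_NAME, b"DOMAIN\\user1")
             + ipv4_attr(NAS_IP_ADDRESS, "192.168.1.50")  # constructed NAS IP
             + encode_attr(CALLING_STATION_ID, b"00-11-22-33-44-55"))
    req = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    print("Disconnect-Request:", req.hex())
    # Simulated switch replies, so no live NAD is needed:
    ack = build_response(DISCONNECT_ACK, req, b"", secret)
    print("ACK verifies:", response_is_valid(req, ack, secret))
    nak = build_response(DISCONNECT_NAK, req, encode_attr(ERROR_CAUSE, struct.pack("!I", 503)), secret)
    print("NAK Error-Cause:", error_cause(nak))
```

To test a real switch, call `send_dynauth("<switch NAS IP>", req, secret)` with the same secret the switch has for that RADIUS host; a `None` return with nothing in the switch's RADIUS debug is the same symptom the thread describes (the NAD never processes the request), while a NAK with Error-Cause 503 means the request reached the switch but named a session it does not hold, which usually points at a wrong NAS IP or session identifier in the request rather than at dyn-authorization being off.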



  • 15.  RE: host doesn't refresh ip after changing vlan 802.1x

    Posted Oct 25, 2021 07:20 AM
    Hi,

    did you solve the problem with the IP address change after the user logs in to the system? I'm facing a similar issue now.

    Thanks and best regards

    ------------------------------
    Vaclav Hauser
    ------------------------------