Wired Intelligent Edge


CPPM Wired Policy Enforcement: PoE bounce

  • 1.  CPPM Wired Policy Enforcement: PoE bounce

    Posted Apr 26, 2019 12:21 PM

    I've noticed that some devices that are PoE-powered do not honor the bounce port CoA from CPPM in the following way. The HPE-Port-Bounce-Host message does indeed disable the port. However, some PoE devices will not try to renew their IP if they keep power but link drops. Most devices, I have found, handle the port drop gracefully and the CoA goes off without a hitch. However, devices such as some phones will not try to renew their IP and just stay up with an IP in the old VLAN.

    Example: 
    1. Phone powers up on default VLAN 20.

    2. CPPM profiles device, assigns VLAN 50, bounces port.

    3. Phone stays powered up, but does not renew IP regardless of port admin status.

        a. As a consequence, it has a VLAN 20 IP, but port is untagging packets for VLAN 50.

    4. Bounce power on port, and phone comes up as it should in the correct VLAN 50. (because it's already profiled)

     

    Is there a way to handle this scenario gracefully? Should we lean on the manufacturer of the endpoint? Can Aruba develop a RADIUS VSA to drop power on a port?



  • 2.  RE: CPPM Wired Policy Enforcement: PoE bounce

    EMPLOYEE
    Posted Apr 26, 2019 12:23 PM
    There is no way to drop power via a RADIUS response.


  • 3.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Apr 26, 2019 12:28 PM

    Thanks, Tim.

     

    I'm assuming you mean currently?

    Is it a possibility to add this feature?

     

    I'm curious if there is a workaround besides waiting it out. Dynamic Seg. is an impossible sell, otherwise.



  • 4.  RE: CPPM Wired Policy Enforcement: PoE bounce

    EMPLOYEE
    Posted Apr 26, 2019 12:46 PM
    Currently. You’d need to reach out to your Aruba account team about roadmap.


  • 5.  RE: CPPM Wired Policy Enforcement: PoE bounce

    MVP GURU
    Posted Apr 28, 2019 09:16 AM

    Will it not be possible using the switch API (and reset PoE)?



  • 6.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Apr 28, 2019 02:02 PM

    Clearpass cannot store the cookie required for the login and subsequent commands as far as I can tell. 

     

    Another hurdle is the fact that cycling the power is a multiple step (cmd) process, (conf t, int 1, no power, <WAIT>, power) as shown below.

    If there was a one-step API call for this, it would help. However, I don't think this is the correct route moving forward. There should be a RADIUS VSA for this. Similar to HP-Bounce-Port, except HP-Bounce-POE

     

    import logging

    # `common` is the poster's own helper module (not shown in the post);
    # common.anycli() sends one CLI command to the switch using the session cookie.

    def poe_recycle(baseurl, cookie_header, port):
        """
        Bounce power on any given port on switch
        :param baseurl: imported baseurl variable
        :param cookie_header: Parse cookie resulting from successful loginOS.login_os(baseurl)
        :param port: port identifier as a string, appended to the "interface" command
        :return: Disable and enable POE on any given port. Print the status on screen
        """
        logging.info("Starting Power recycle for Port {}".format(port))
        # Enter configuration mode, then the interface context for the port
        cmd = "configure terminal"
        common.anycli(baseurl, cmd, cookie_header)
        cmd = "interface " + port
        common.anycli(baseurl, cmd, cookie_header)
        # Remove PoE from the port
        cmd = "no power-over-ethernet"
        common.anycli(baseurl, cmd, cookie_header)
        logging.info("Power disabled for Port {}".format(port))
        # Restore PoE on the port
        cmd = "power-over-ethernet"
        common.anycli(baseurl, cmd, cookie_header)
        logging.info("Power enabled for Port {}".format(port))


  • 7.  RE: CPPM Wired Policy Enforcement: PoE bounce

    MVP GURU
    Posted Apr 29, 2019 03:53 AM

    There is an API call to reset PoE:

    /poe/ports/X/reset



  • 8.  RE: CPPM Wired Policy Enforcement: PoE bounce

    EMPLOYEE
    Posted Apr 29, 2019 11:00 AM
    Unfortunately the switch’s REST API is nonstandard from an authN and authZ standpoint so there is no way for CPPM to make an API call to the switch.


  • 9.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Sep 28, 2022 04:46 AM
    Hello,
    I have the same issue now with Clearpass 6.10.6 and Aei phones connected to AP 303H managed by mobility conductor and 2 mobility controllers in a cluster.
    Are there any enhancements in the new versions?
    Dario

    ------------------------------
    Dario Nardello
    ACMP ACSP ACCP ACEP
    ------------------------------



  • 10.  RE: CPPM Wired Policy Enforcement: PoE bounce

    EMPLOYEE
    Posted Oct 03, 2022 09:33 AM
    I don't think PoE bounce is supported on APs connected to mobility controllers. You may check with Aruba support to get a fully confident answer.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Jan 17, 2023 01:46 PM
    Having the same issue with Avaya phones.  Phone boots in profile vlan then after the phone is profiled it keeps the profile vlan IP but is authenticated to the voice vlan and in the voice vlan.  Phone sits in discover mode for 20 minutes then reboots itself and everything is fine from that point on.


  • 12.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Jan 18, 2023 02:44 AM
    Hi

    Is the phone connected on its own, or do you have a computer connected behind it which is to be connected in a different VLAN? Is LLDP active on the port?

    Regards,
    Thomas


  • 13.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Jan 18, 2023 07:38 AM
    In my case, yes, a computer is connected to the back of the phone and is on a data vlan, whereas the phone is on the voice vlan. Yes, LLDP is enabled on all the ports. If I reboot the phone it comes up correctly with the voice vlan IP after it has been profiled. If I do not reboot the phone it will reboot on its own after about 20 minutes of discovery attempts and then it will be fine from then on. So this is kind of a one-time profile issue. Lucky for me we moved to softphones and there are fewer and fewer desk phones out there. Most of them have already been profiled.


  • 14.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Jan 18, 2023 09:21 AM

    Hi,

    As you mention "profile vlan" - make sure to define a very short lease-time; that should be OK for a pure profiling vlan and those phones should work much faster... and without needing to "bounce PoE".




  • 15.  RE: CPPM Wired Policy Enforcement: PoE bounce

    Posted Jan 18, 2023 11:08 AM
    Thanks Jochem, I like that idea, but in my case the profile vlan is also the guest vlan.
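
The condition described in the first post (an endpoint keeping its old-VLAN address after the CoA moves the port to a new VLAN) can be detected by comparing each session's enforced VLAN with the address the endpoint is actually using. The following is an added example, not code from the thread or from Aruba; the VLAN-to-subnet map and the session records are constructed sample data, and it assumes you can export such records by joining RADIUS accounting with DHCP or ARP data.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): subnet per VLAN,
# and per-port session records joining the VLAN enforced by the policy server
# with the IP address the endpoint is currently using.
VLAN_SUBNETS = {
    20: ipaddress.ip_network("10.0.20.0/24"),   # default / profiling VLAN
    50: ipaddress.ip_network("10.0.50.0/24"),   # voice VLAN
}
SESSIONS = [
    {"port": "1", "mac": "00:00:5e:00:53:01", "enforced_vlan": 50, "ip": "10.0.20.37"},
    {"port": "2", "mac": "00:00:5e:00:53:02", "enforced_vlan": 50, "ip": "10.0.50.12"},
    {"port": "3", "mac": "00:00:5e:00:53:03", "enforced_vlan": 20, "ip": "10.0.20.40"},
    {"port": "4", "mac": "00:00:5e:00:53:04", "enforced_vlan": 50, "ip": None},
    {"port": "5", "mac": "00:00:5e:00:53:05", "enforced_vlan": 99, "ip": "10.0.99.5"},
]


def classify(session, vlan_subnets):
    """Return 'ok', 'stale-lease', 'no-ip' or 'unknown-vlan' for one session."""
    subnet = vlan_subnets.get(session["enforced_vlan"])
    if subnet is None:
        return "unknown-vlan"          # no subnet on record, cannot judge
    if not session["ip"]:
        return "no-ip"                 # endpoint has not obtained an address yet
    if ipaddress.ip_address(session["ip"]) in subnet:
        return "ok"
    return "stale-lease"               # address belongs to a different VLAN


def stale_endpoints(sessions, vlan_subnets):
    """List (port, mac, ip, old_vlan, enforced_vlan) for endpoints on a stale lease."""
    findings = []
    for s in sessions:
        if classify(s, vlan_subnets) != "stale-lease":
            continue
        addr = ipaddress.ip_address(s["ip"])
        # Work out which known VLAN the leftover address came from, if any.
        old_vlan = next((v for v, n in vlan_subnets.items() if addr in n), None)
        findings.append((s["port"], s["mac"], s["ip"], old_vlan, s["enforced_vlan"]))
    return findings


if __name__ == "__main__":
    for finding in stale_endpoints(SESSIONS, VLAN_SUBNETS):
        print("port %s mac %s holds %s (VLAN %s) but is enforced into VLAN %s" % finding)
```

Ports flagged as stale-lease are the candidates for a manual PoE cycle or a shorter lease time in the profiling VLAN.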