Comware


Comware7 HPE 5130: Struggling with COA Bounce Port in Enforcement Profile in Clearpass

  • 1.  Comware7 HPE 5130: Struggling with COA Bounce Port in Enforcement Profile in Clearpass

    Posted 15 days ago

    Hello,

    as I'm clueless by now, I'm hoping for community input:

    Current Setup:

    HPE 5130 with activated Port Security and therefore 802.1X authenticating against Clearpass

    What's Working:
    Machine-based auth via 802.1X. VLAN assignment even works with user auth, so after Windows login a user gets a new VLAN ID (EAP-TLS). I can bounce ports via Access Tracker successfully. I can see the traffic via Wireshark and the switch sends back a CoA-ACK (H3C and Cisco port bounce work, although my CPPM seems to be on 6.11.2). So actually I would state CoA bounce is working as expected when done manually.

    What's not Working: 

    The user auth works, but the client does not recognise that a new DHCP lease should be requested. Therefore there are SSO settings in the LAN GPO and the check for dynamic VLAN is set properly. This works with Aruba switches, but not with the one Comware. When I add the (first tried with H3C, then with Cisco bounce profile) to the Enforcement Policy, simply no CoA is sent to the switch. I cannot see any traffic via Wireshark. It really seems ClearPass does not send any CoA packet through the Enforcement Policy despite having it defined there.

    This causes the client not to recognise a link down and up to get a new DHCP lease.

    I have added two screenshots to show my Enforcement Policy and my rules there.

    I know, I have read that dynamic VLAN assignment is not that nice. Possibly your advice will be: go for advanced filtering on Layer 3. But: it should work, and on Aruba it works.

    So do you have any input for me to make the port bounce work in the Enforcement Policy after the VLAN assignment so the clients get a DHCP lease?


    Thanks in Advance,
    Dennis 



  • 2.  RE: Comware7 HPE 5130: Struggling with COA Bounce Port in Enforcement Profile in Clearpass

    Posted 12 days ago

    Hi Dennis.

    As a workaround, try adding a short session timeout (a few seconds) to the enforcement profile, like:

    Radius:IETF   Session-Timeout   =   60

    Did you set the device type to H3C? I have a similar problem when I set a Comware device to Hewlett Packard Enterprise or Aruba.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
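
For checking a capture like the Wireshark traces mentioned in this thread, the following Python code (an added example, not from any poster or from ClearPass) decodes RADIUS packets, reads the Session-Timeout attribute used in the workaround, and reports whether each CoA-Request received a CoA-ACK or CoA-NAK. The packets are constructed samples, and the H3C vendor-specific body is a placeholder, not the real bounce-port attribute.

```python
import struct

# RADIUS codes from RFC 2865 / RFC 5176 (dynamic authorization, UDP 3799)
CODES = {2: "Access-Accept", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
VENDORS = {9: "Cisco", 11: "HP", 14823: "Aruba", 25506: "H3C"}  # IANA enterprise numbers

def parse_radius(data):
    """Decode one RADIUS packet (the UDP payload) into code, id and attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field does not fit the payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def session_timeout(pkt):  # Session-Timeout (attribute 27) in seconds, or None
    for atype, val in pkt["attrs"]:
        if atype == 27 and len(val) == 4:
            return struct.unpack("!I", val)[0]
    return None

def vsa_vendors(pkt):  # vendor names of all Vendor-Specific (type 26) attributes
    return [VENDORS.get(struct.unpack("!I", v[:4])[0], "unknown")
            for t, v in pkt["attrs"] if t == 26 and len(v) >= 4]

def coa_results(packets):
    """Map each CoA-Request identifier to the reply seen for it (or None)."""
    results = {}
    for pkt in map(parse_radius, packets):
        if pkt["code"] == "CoA-Request":
            results.setdefault(pkt["id"], None)
        elif pkt["code"] in ("CoA-ACK", "CoA-NAK") and pkt["id"] in results:
            results[pkt["id"]] = pkt["code"]
    return results

def build(code, ident, attrs=b""):  # constructed sample packet, zeroed authenticator
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

ACCEPT = build(2, 7, bytes([27, 6]) + struct.pack("!I", 60))  # Session-Timeout = 60
COA_REQ = build(43, 9, bytes([26, 8]) + struct.pack("!I", 25506) + b"\x00\x00")  # placeholder VSA body
COA_ACK = build(44, 9)
```

An empty result from `coa_results` over the packets captured on the switch side means no CoA-Request arrived at all, which is the symptom described in the first post.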



  • 3.  RE: Comware7 HPE 5130: Struggling with COA Bounce Port in Enforcement Profile in Clearpass

    Posted 8 days ago

    Hello,

    did you find any solution?

    I think I have the same problem; my switch version is:
    5130EI_7.10.R3507P18


    thank you




  • 4.  RE: Comware7 HPE 5130: Struggling with COA Bounce Port in Enforcement Profile in Clearpass

    Posted 2 days ago

    Hello,

    I think I found the problem in the 6.12.0 known issues, here number CP-51806:

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm#ReleaseNotes/Known/Known-6.12.0.htm

    It has trouble with Port Bounce; maybe that is the reason. I will try the workaround solution and see if it works.

    Thank you