topic Re: HP switch with ISE - port bounce does not happen in Network Access Control

HP switch with ISE - port bounce does not happen

dgaikwad — Wed, 25 Jul 2018 15:27:00 GMT

Hi Experts,

I am facing issue where in I see that a computer connected to a HP switch, goes through authentication and then posture checks.
Comes up as compliant, but the final access is not applied to the port.

I feel that the port-bounce is not going through...

I am using the community provided NAD profile for named as HPWired_CoA_Bounce

Following the complete configuration:

ISE 2.3.0.298 with patch 3

NAM module for EAP Chaining (AnyConnect version 4.5.04029)

HP HPE Comware Software, Version 7.1.070, Release 3208P03

HP Device profile that I am using with port bounce:

Port configuration deployed:

interface GigabitEthernet1/0/5
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 230 untagged
port hybrid pvid vlan 230
undo voice-vlan mode auto
voice-vlan 260 enable
mac-vlan enable
undo stp enable
stp edged-port
undo lldp enable
port bridge enable
poe enable
undo dot1x handshake
dot1x handshake reply enable
dot1x mandatory-domain ciscoise
undo dot1x multicast-trigger
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication domain ciscoise
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
port-security port-mode userlogin-secure-or-mac-ext

Following snap showing endpoint compliant, but no port-bounce:

Any pointers or assistance much appreciated.

Thank you!

Re: HP switch with ISE - port bounce does not happen

Francesco Molino — Thu, 26 Jul 2018 04:54:36 GMT

Hi

We see the coa sent by ise.
I've done very few deployment of ise with HP network devices.
You can try with the nad profile HP_Wired_SNMP_CoA which will use snmp oid to bounce the port.

If still not working, you have no choice to call HP to ask what command or snmp oid or dictionary needs to be configured to get a port bounce.

Re: HP switch with ISE - port bounce does not happen

dgaikwad — Thu, 26 Jul 2018 10:28:58 GMT

Yes, we had tried this with SNMP CoA as well, but there was no success. Now we are trying to use the port bounce profile and a weird thing happened.

When I unchecked the port-bounce from the network device profile, the endpoint became compliant and got full access.

So just to check again, I rebooted the computer, and since then, its stuck in a loop, wherein NAM keeps asking for credentials and endpoint goes back to MAB and gets a deny access...

Has anyone faced such an issue.

For further troubleshooting of this issue, I will try andanget a HP engineer involved and see what I can do.

Thank you

Re: HP switch with ISE - port bounce does not happen

Francesco Molino — Thu, 26 Jul 2018 18:29:36 GMT

Have you tried removing the posture xml file from anyconnect folder and test it using a fresh config?

Re: HP switch with ISE - port bounce does not happen

dgaikwad — Fri, 27 Jul 2018 07:21:01 GMT

I haven't thought of removing posture.xml and testing it. Will try this out and post results.

Just as a note, what does the posture.xml store?

Does it store the details about the last PSN contacted for performing posture and updates?

Thank you,

Re: HP switch with ISE - port bounce does not happen

Francesco Molino — Sat, 28 Jul 2018 02:36:15 GMT

Yes the xml has information of PSN where the laptop connects to to get their check/update.

Have you also installed DART on the client to get logs on what's happening on the device.

Re: HP switch with ISE - port bounce does not happen

dgaikwad — Mon, 30 Jul 2018 06:40:20 GMT

I need to check that, since the machine is on the other end of the planet.

Will have that checked and post it.

Thank you,

Re: HP switch with ISE - port bounce does not happen

dgaikwad — Fri, 10 Aug 2018 07:08:23 GMT

It turned out that, the issue was the policy was itself.

Since NAM is being used to perform EAP chaining, the user and machine authentication was happening, but the policy was disabled during some troubleshooting session.

Causing all the endpoints to go the MAB and failed as they were not IP phones (as configured on the authorization policy).

Rectified the issue and since then were able to run authentication and posture just fine on the HP switch.

Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.

This case is deemed closed now!