Dynamic VLAN assignment on Aruba 2930F not working

dgaikwad
Level 5

Hi Experts,

We have this external SQL database that has names of the VLANs and MAC addresses of computers that are specific to some locations. So, as per the flow, the endpoint will connect to the wired network. Then authentication and compliance check will happen as normal.
When the endpoint becomes compliant, the rules will query for location. Based on the location (it queries for the NAD location, using device.location from the conditions), the authz profile will check if the endpoint is part of that location. If it is, then a different VLAN is assigned; if not, then it's moved to a limited access VLAN.

As here:

[image: VLAN policy rules.JPG]

I also see that the CoA is happening, as here:

[image: VLAN succes.JPG]

But then when I check the switch, there seems to be a delay and it keeps bouncing between connected and authenticating, like this:

Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 231                   Out Limit Kbps      : Not Set
   Tagged VLANs    : No Tagged VLANs
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List

And after a few seconds:

Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : Not Set               Out Limit Kbps      : Not Set
   Tagged VLANs    : No Tagged VLANs
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List

There are instances where I do see that the VLAN change has happened, but then it goes back to bouncing between these two states.

Here is the setup that we are using:

ISE 2.3

HP 2930F

Aruba OS WC.16.01.0004

The NAD profile looks like this:

[image: VLAN NAD profil.JPG]

Any ideas, what am I missing here in the config?

I have been trying to get it to work for a few days, but to no avail. Any pointers?

7 Replies

M. Wisely
Level 4

I can see a difference between the NAD profile you have for your 2930F and ours. In the port bounce section you have tunnel medium type and tunnel type, which are not present in our NAD profile.

I had added those attributes while I was comparing to the configuration for the 2930F given in the ClearPass configuration document.

I tested with those attributes, but there was no effect, and since then I have reverted my NAD profile configuration to this:

[image: VLAN NAD profile 2.JPG]

Not clear whether you got it working or not.

The closest info I can find is HPE_ArubaOS-NAD-Profile.

No, that did not work for me though.

The NAD profile that I am using is, HPWired_CoA_Bounce.

Even while removing those two other attributes for tunnel type and tunnel medium, I am seeing that the switch keeps bouncing between authentication and a "no VLAN rejected" error.
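The tunnel type and tunnel medium type attributes discussed above are two of the three RADIUS attributes (RFC 2868, applied to VLAN assignment by RFC 3580) a switch needs before it can derive a VLAN; the third, Tunnel-Private-Group-ID, carries the VLAN id itself (231 in the switch output in the question). The Python below is an added example, not code from the thread, ISE or the switch: it encodes that triple the way an Access-Accept carries it, parses it back, and treats an incomplete or inconsistent set as "no VLAN", so a captured RADIUS payload can be checked for exactly the attribute set the NAD profile is supposed to send.

```python
import struct

# Attribute numbers from RFC 2868; VLAN (13) and IEEE-802 (6) values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def radius_tlv(attr_type, payload):
    # Generic RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def encode_vlan_assignment(vlan_id, tag=0):
    """Build the Tunnel-* triple an Access-Accept carries to place a port in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0x00..0x1F")
    tag_byte = bytes([tag])  # tagged attributes: one tag byte precedes the value
    return (
        radius_tlv(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + radius_tlv(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + radius_tlv(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data):
    """Walk a RADIUS attribute list into {type: [payload, ...]}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + length])
        pos += length
    return attrs


def decode_vlan_assignment(data):
    """Return the VLAN id if the triple is complete and consistent, else None."""
    attrs = parse_attributes(data)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in attrs for t in needed):
        return None  # incomplete set: no VLAN can be derived from it
    ttype, tmed, tpgid = (attrs[t][0] for t in needed)
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    # RFC 2868 3.6: a leading byte above 0x1F is not a tag but the first character of the string
    group = tpgid[1:] if tpgid and tpgid[0] <= 0x1F else tpgid
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```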

Please engage with HPE support. This particular switch model and OS have not been tested by our teams.

It seems that we have already engaged HPE support on this. There are some tests that need to be carried out as per the suggestion from the HPE engineer.

Will check and update on the same.

We also did some more tests to see if there was really an issue from ISE:

  1. Removed the posture check from policy
  2. Added the condition to check only for user and machine succeeded
  3. Applied the VLAN via the authorization profile

Observations:

  1. When the user authenticates, the new VLAN is assigned only for one second
  2. After which the switch again flaps between authenticating and connecting
  3. The endpoint does not get an IP address
  4. After about 1600 seconds, an APIPA address is assigned to the endpoint

To make sure that there was no issue with the VLAN being assigned, I tested by just keeping the access VLAN on the port; the endpoint got an IP address, so an issue with the VLAN is also out of the question.
