1530 Views, 5 Helpful, 5 Replies

I am using ISE 2.0 with an HP Procurve 2920 switch, which supports CoA.

I want to know how to configure CoA attributes under the network device profile.

Procurve does support port-bounce and Disconnect.

I want to know how a CoA message can be sent to the NAD that puts the client into a quarantine VLAN.

Is it possible to use CoA push? If so, how can I send this manually?

1 Accepted Solution

Jeffrey Jones
Level 5

You have to create a new HP Device Profile, and also create all the HP attributes in the dictionary; the HP Port Bounce one is missing from the default profile because HP has not updated the RFC since 2006.

5 Replies

Thank you, Jeffrey, for the quick reply to my post.

I have already created a NAD profile for the HP switch and added HP port bounce to the dictionary file.

Port-bounce is working for me when I send it from endpoint profiling.

I have configured the IETF attributes Tunnel-pvt-ID, tunnel-type and tunnel-medium-type under the CoA Push option.

Now I want to manually send this to my NAD so that it will change the VLAN dynamically to a quarantine VLAN for the currently authenticated client.

This is for quarantining the client so that access to any resources will be denied.

If I use port-bounce, the client gets authenticated again after the bounce time period.

Another option is to use the port-shutdown option, but the HP NAD doesn't support it.

Yes, I was very surprised HP does not support something as simple as a port-shutdown command like the rest of the switches in the world do.

Hi

You may use SNMP CoA as a workaround.

For re-auth (which, as far as I'm concerned, isn't supported on procurve devices), OID 1.3.6.1.4.1.11.2.14.11.5.1.25.1.2.2.1.4 (object hpicfDot1xSMAuthReauthenticate) is working perfectly fine. Or 1.3.6.1.4.1.11.2.14.11.5.1.19.2.1.1.4 (hpicfUsrAuthPortReauthenticate) for MAB implementations.

Port-bounce using SNMP, technically, isn't an issue; however, when providing your ISE NAD profile with the OIDs for port disable and then port enable, ISE sends both SNMP set commands at the same time and the switch ends up doing nothing. I've tried running those SNMP set commands manually with a 1-second delay before the port-enable command, and those tests were successful.

Obviously CoA port-shutdown using SNMP isn't a problem, since it's just one SNMP set command and not two.
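
As an added example that is not part of this thread (it is neither the poster's script nor anything from ISE or HP): a small POSIX shell script that drives the three SNMP actions the reply above describes with net-snmp's snmpset, keeping the port-disable and port-enable SETs apart by a delay so the switch sees both. The reauth OID is the one quoted in the reply; the IF-MIB ifAdminStatus OID used for disable/enable, the SNMPv2c write community, and the integer 1 written to the reauth object are my assumptions, since the thread names none of them.

```shell
#!/bin/sh
# Added example (not from the thread): SNMP "CoA" actions via net-snmp's
# snmpset. The port-disable and port-enable SETs are separated by a delay,
# which is the fix the reply above found for ISE sending both at once.

# IF-MIB ifAdminStatus; assumption: the thread does not name the OIDs it used.
IF_ADMIN_STATUS="1.3.6.1.2.1.2.2.1.7"   # append .<ifIndex>; 1 = up, 2 = down
# hpicfDot1xSMAuthReauthenticate, OID exactly as quoted in the reply above.
HP_DOT1X_REAUTH="1.3.6.1.4.1.11.2.14.11.5.1.25.1.2.2.1.4"

# snmp_set HOST COMMUNITY OID INTEGER_VALUE
# Assumes SNMPv2c with a write community; snmpset is net-snmp's CLI.
snmp_set() {
    snmpset -v2c -c "$2" "$1" "$3" i "$4"
}

# port_reauth HOST COMMUNITY IFINDEX: force 802.1X re-authentication.
# Assumption: the object is a TruthValue, so 1 means "true / reauthenticate now".
port_reauth() {
    snmp_set "$1" "$2" "$HP_DOT1X_REAUTH.$3" 1
}

# port_shutdown HOST COMMUNITY IFINDEX: a single SET that admin-downs the port.
port_shutdown() {
    snmp_set "$1" "$2" "$IF_ADMIN_STATUS.$3" 2
}

# port_bounce HOST COMMUNITY IFINDEX [DELAY_SECONDS]: admin-down, wait, admin-up.
# If the admin-down SET fails the port is still up, so we stop there (return 1)
# rather than sending an enable that would mask the error.
port_bounce() {
    delay=${4:-1}
    snmp_set "$1" "$2" "$IF_ADMIN_STATUS.$3" 2 || return 1
    sleep "$delay"
    snmp_set "$1" "$2" "$IF_ADMIN_STATUS.$3" 1
}

# Usage, e.g.: port_bounce 192.0.2.10 "$WRITE_COMMUNITY" 5 1
```

The functions take the switch address, write community and ifIndex as arguments so they can be called from a cron job or a small wrapper that ISE invokes; the one-second default delay is the value the reply reports as working, and it can be raised per switch model if the enable still arrives before the port has gone down.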

The SNMP does not work as well as you would like it to; the customer ended up replacing all HP switches with Cisco due to so many issues.
