CoA not working

dgaikwad
Level 5

Hi All,


Configuring MAB for the IP phone was successful and I can get the IP phones onto the right voice VLAN using the authz profile.

Now what happens is that, when I connect a computer behind the IP phone:

Authentication is successful

Goes for compliance check

Comes out as compliant

But, when I check the ISE live logs, it still shows:

ConfigVersionId: 7199
Device CoA type: RFC 5176
Device CoA port: 3799
NetworkDeviceProfileId: 26b0501b-9e48-48c7-b8c4-99a0e791bcca
IsThirdPartyDeviceFlow: true
HP-Port-Bounce-Host: 12
AcsSessionID: 58d8f8f8-04f7-451b-bc21-3d36b63adfe2
CoASourceComponent: Posture
CoAReason: posture status changed
CoAType: Reauthentication
Network Device Profile: HPWired_CoA_Bounce_H3C
Software Version: Unknown
Location: Location#All Locations
Device Type: Device Type#All Device Types
Device IP Address: 10.226.232.23


But the computer shows that it has limited connectivity.

If I connect the computer directly to the switch port, the computer goes to the compliant state and access is granted as per the policy.

I am using the following:

ISE ver 2.3.0.298 patch 3

Switch: HP H3C Comware 7


Port config:

interface GigabitEthernet1/0/5
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 230 untagged
 port hybrid pvid vlan 230
 voice-vlan 260 enable
 mac-vlan enable
 undo stp enable
 stp edged-port
 undo lldp enable
 port bridge enable
 poe enable
 undo dot1x handshake
 dot1x handshake reply enable
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 dot1x re-authenticate server-unreachable keep-online
 mac-authentication re-authenticate server-unreachable keep-online
 mac-authentication host-mode multi-vlan
 mac-authentication parallel-with-dot1x
 port-security port-mode userlogin-secure-or-mac-ext

Is there something that I am missing here?

Any ideas?

Thank you,
Dinesh
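The live log above shows ISE sending an RFC 5176 Reauthentication CoA to the switch on UDP port 3799. As an added illustration (not code from the thread, ISE or the switch), the following Python builds such a CoA-Request naming the endpoint session by Calling-Station-Id and then verifies it the way the NAS does with its shared secret, per RFC 5176 section 2.3 and RFC 3579; the shared secret and MAC address used in testing are constructed values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RADIUS code: CoA-Request (RFC 5176)
CALLING_STATION_ID = 31     # MAC of the endpoint whose session is targeted
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 HMAC-MD5 integrity attribute
ZERO16 = b"\x00" * 16

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (value <= 253 bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(secret: bytes, attrs: list, identifier: int = 0) -> bytes:
    """Message-Authenticator = HMAC-MD5 over the packet with the authenticator
    field and its own value zeroed; Request Authenticator = MD5(code + id +
    length + 16 zero octets + attributes + secret) (RFC 5176 section 2.3)."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac  # fill in the Message-Authenticator value
    req_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + req_auth + body

def parse_attrs(packet: bytes) -> dict:
    """Map attribute type -> (offset, value); shows which session the CoA names."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet): break
        out[t] = (pos, packet[pos + 2:pos + length])
        pos += length
    return out

def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """What the switch does on UDP/3799 before acting: recompute both authenticators
    with its copy of the secret. A mismatch is silently dropped (ISE still logs the CoA)."""
    if (len(packet) < 20 or packet[0] != COA_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    expected_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    ma = parse_attrs(packet).get(MESSAGE_AUTHENTICATOR)
    if not hmac.compare_digest(expected_auth, req_auth) or ma is None:
        return False
    off = ma[0] + 2 - 20  # offset of the Message-Authenticator value in body
    zeroed = body[:off] + ZERO16 + body[off + 16:]
    expected_mac = hmac.new(secret, header + ZERO16 + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, ma[1])
```

Because a CoA with a wrong secret or NAS IP is dropped without any reply, a packet capture on the switch side is the only place the mismatch is visible; the live log on its own cannot tell you whether the switch acted on the CoA.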

6 Replies

Craig Hyps
Level 10

If bouncing the port as part of the 3rd-party CoA, you could be bouncing the phone connection, which will cause the PC to lose link.

In this case, the phone stays connected.

It is the computer that stays in limited connectivity; it is as if the switch received the bounce or re-auth, but since there are two domains, it does not know whom to send the re-auth to?

Is that something observed before?

You cannot truly bounce the port and have the phone stay connected without a reconnect.

Is there something missing from the configuration then?

Since I can see that the computer gets compliant, but then stays in limited connectivity.

Also, I can see that ISE shows it as compliant, but nothing happens at the computer's end...

But, if I connect the same machine directly to the switch port, all works fine: the computer gets compliant and gets full access as per the authz.

Hi,

It seems there is no session stitching post CoA.

Can you please attach the live logs page (including the steps section)?

It turned out that the issue was the policy itself.

Since NAM is being used to perform EAP chaining, the user and machine authentication was happening, but the policy was disabled during some troubleshooting session.

This caused all the endpoints to go to MAB and fail, as they were not IP phones (as configured in the authorization policy).

We rectified the issue and since then have been able to run authentication and posture just fine on the HP switch.

Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.

We have requested another switch of the same model, so that we are sure about the testing that we conducted earlier.

This case is deemed closed now!