Configuring the MAB for IP phone was successful and I can get the IP phones to a right voice VLAN using the authz profile.
Now what happens is that when I connect a computer behind the IP phone:
Authentication is successful
It goes for a compliance check
It comes out as compliant
But, when I check ISE live logs, it still shows:

| Field | Value |
|---|---|
| Device CoA type | RFC 5176 |
| Device CoA port | 3799 |
| CoAReason | posture status changed |
| Network Device Profile | HPWired_CoA_Bounce_H3C |
| Device Type | Device Type#All Device Types |
| Device IP Address | 10.226.232.23 |
But the computer shows that it has limited connectivity.
If I connect the computer directly to the switch port, computer goes to compliant state and access is granted as per the policy.
I am using the following:
ISE ver 126.96.36.1998 patch 3
Switch: HP H3C Comware 7
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 230 untagged
port hybrid pvid vlan 230
voice-vlan 260 enable
undo stp enable
undo lldp enable
port bridge enable
undo dot1x handshake
dot1x handshake reply enable
undo dot1x multicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
port-security port-mode userlogin-secure-or-mac-ext
Is there something that I am missing here?
In this case, the phone stays connected.
It is the computer that stays in limited connectivity; it is as if the switch received the bounce or re-auth for it, but since there are two domains, it does not know whom to send the re-auth to?
Is that something observed before?
Is there something missing from the configuration then?
Since I can see that the computer gets compliant, but then stays in limited connectivity.
Also, I can see that ISE shows it as compliant, but nothing happens at the computer's end...
But, if I connect the same machine directly to the switch port, all works fine: the computer gets compliant and gets full access as per the authz policy.
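The live log above shows ISE sending an RFC 5176 CoA on port 3799 with reason "posture status changed". On a port carrying two sessions (phone and PC), the switch picks the session to act on from the identification attributes carried in the CoA-Request (Calling-Station-Id, Acct-Session-Id, and so on), so a capture of the CoA is the quickest way to confirm which session the bounce was aimed at. The following added example (not part of this thread or of any ISE/Comware tooling) decodes a CoA-Request, verifies its RFC 5176 Request Authenticator against the shared secret, and lists the session-identification attributes; the packet, secret and MAC address are constructed, and the NAS IP is the one from the log above.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes; only the two request codes carry a zero-based Request Authenticator.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
REQUEST_CODES = (40, 43)
# RADIUS attributes a NAS uses to pick the session a CoA applies to (RFC 5176 section 3).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
         44: "Acct-Session-Id"}

def build_coa_request(identifier, attrs, secret):
    """Build a CoA-Request (code 43). Used here only to construct the sample packet."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", 43, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_coa(packet, secret):
    """Decode a CoA/Disconnect packet; 'authentic' is True/False for requests, None otherwise."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or length != len(packet):
        raise ValueError("not a CoA/Disconnect code or length mismatch")
    authenticator, body = packet[4:20], packet[20:]
    authentic = None
    if code in REQUEST_CODES:
        expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
        authentic = hmac.compare_digest(authenticator, expected)
    attrs, pos = {}, 0
    while pos < len(body):  # each attribute is type(1) length(1) value(length-2)
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = body[pos], body[pos + 1]
        attrs[ATTRS.get(t, "Attr-%d" % t)] = body[pos + 2:pos + l]
        pos += l
    return {"code": CODES[code], "id": identifier, "authentic": authentic, "attrs": attrs}

# Constructed sample: a CoA-Request that targets one MAC on the port (secret and MAC are made up).
SECRET = b"constructed-shared-secret"
SAMPLE = build_coa_request(7, [(31, b"00-11-22-33-44-55"), (44, b"0A0B0C0D"),
                               (4, bytes([10, 226, 232, 23]))], SECRET)

if __name__ == "__main__":
    print(parse_coa(SAMPLE, SECRET))
```

If a captured CoA carries no Calling-Station-Id or Acct-Session-Id for the PC's session, the switch has nothing to match the data-domain session on and the bounce cannot land where the posture change happened.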
It turned out that the issue was the policy itself.
Since NAM is being used to perform EAP chaining, the user and machine authentication was happening, but the policy had been disabled during some troubleshooting session.
This caused all the endpoints to go to MAB and fail, as they were not IP phones (as configured on the authorization policy).
Rectified the issue, and since then we have been able to run authentication and posture just fine on the HP switch.
Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.
We have requested another switch of the same model, so that we are sure about the testing that we conducted earlier.
This case is deemed closed now!