Configuring SNMP CoA for H3C switches

dgaikwad
Level 5

Hi Experts,


There are these 2 models of switches that we are integrating with ISE. H3C 3600 and 5120. Both of them are running Comware 5 OS.

We are using the NAD profiles for HP (HPWired_CoA_Bounce):

[Image: MIB Setting.JPG]

I have also manually added the MIB values, so that I can push them along with it.


What we have seen while testing is that, if we are using normal dot1x authentication, it is working just fine: the user authenticates and gets the access as per the ACL.

But, when I try to do the posture as per this policy here:

[Image: policy and condition.JPG]

So when the endpoint hits the unknown posture and the user enters credentials, it stays stuck in the authenticating state.


Here NAM is being used, along with machine and user authentication.

Following is the configuration:

ISE 2.3 patch 3

Switch: HP 3600

OS ver Version 5.20.99


Port Config:

interface Ethernet1/0/1
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 605 tagged
 port hybrid vlan 230 307 untagged
 port hybrid pvid vlan 307
 voice vlan 260 enable
 mac-vlan enable
 poe enable
 poe priority critical
 lldp notification remote-change enable
 lldp compliance admin-status cdp txrx
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 mac-authentication max-user 5
 mac-authentication domain ise
 mac-authentication timer auth-delay 15
 mac-authentication host-mode multi-vlan

Is this the right behaviour?

Is this something that is expected?


Thank you!

1 Accepted Solution

Hi,

As far as I know, the HPE-Captive-Portal-URL RADIUS attribute is intended only for HPE ProCurve switches and not for Comware 5 OS.

Please remove that and try again using the AuthVLAN flow posture test.


4 Replies

hslai
Cisco Employee

If stuck in authenticating state means not completing authentication at all, my guess is the authorization profile "HP-Switch-Unknown-Posture" has some attribute(s) your switch does not like.

The ISE pre-built HPWired_SNMP_CoA device profile shows redirect not supported so please ensure the authorization profile does not have any Web Redirection.

Hi,

It seems that it is related to the authz profile configuration (VLAN or ACL).

We need more information about your test environment (VLAN for posture, or ACL if using one).

Can you please share your "HP-Switch-Unknown-Posture" authz profile configuration?

Are you doing posture using AuthVLAN  flow (DNS/DHCP)?

Hi,

We are using an ACL for authentication and then provide full access to the user if he completes authentication.

Both of these are achieved using ACLs.

Here is the posture unknown profile:

[Image: authz profile.jpg]

Following is the ACL used:

[NAC-3600]dis acl 3000
Advanced ACL  3000, named -none-, 5 rules,
ACL's step is 5
 rule 0 permit udp destination-port eq bootps
 rule 5 permit udp destination-port eq bootpc
 rule 10 permit udp destination-port eq dns
 rule 15 permit ip destination <ISE Server IP> 0
 rule 20 deny ip

Thank you,
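Two checks come up in this thread: whether the pre-posture ACL on the switch permits only what the posture flow needs (DHCP, DNS and the ISE server, then deny), and whether the authorization profile carries a redirect attribute that the HPWired_SNMP_CoA device profile cannot honour. The following is an added example, not code from the thread or from Cisco or HPE: it parses Comware "display acl" output in the format shown above and runs both checks. The ISE address 192.0.2.10, the RADIUS attribute names, and the capability table for the NAD profile are assumptions made for the example.

```python
"""Parse Comware 'display acl' output and sanity-check a pre-posture ACL,
then check an ISE authorization profile against the NAD profile's abilities.
Added example; the ACL text mirrors the thread's 'dis acl 3000' output with
the <ISE Server IP> placeholder replaced by a constructed address."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: 192.0.2.10 is documentation address space, not a real ISE node.
SAMPLE_ACL = """\
Advanced ACL  3000, named -none-, 5 rules,
ACL's step is 5
 rule 0 permit udp destination-port eq bootps
 rule 5 permit udp destination-port eq bootpc
 rule 10 permit udp destination-port eq dns
 rule 15 permit ip destination 192.0.2.10 0
 rule 20 deny ip
"""

@dataclass
class AclRule:
    number: int
    action: str                  # 'permit' or 'deny'
    protocol: str                # 'ip', 'udp', 'tcp', ...
    dest_port: Optional[str]     # named or numeric port after 'destination-port eq'
    dest_host: Optional[str]     # single host when 'destination X 0' (wildcard 0)

# One Comware rule line: 'rule N permit|deny PROTO [destination A W] [destination-port eq P]'
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(\S+)"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination-port\s+eq\s+(\S+))?"
)

def parse_acl(text: str) -> List[AclRule]:
    """Return the rule lines of a 'display acl' dump as AclRule objects, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # header lines such as "ACL's step is 5"
        num, action, proto, dhost, dwild, dport = m.groups()
        host = dhost if dhost and dwild == "0" else None
        rules.append(AclRule(int(num), action, proto, dport, host))
    return rules

POSTURE_PORTS = ("bootps", "bootpc", "dns")

def check_preposture_acl(rules: List[AclRule], ise_ip: str) -> List[str]:
    """Findings for a redirect-less posture ACL; an empty list means it looks right."""
    findings = []
    permitted_ports = {r.dest_port for r in rules if r.action == "permit" and r.dest_port}
    for needed in POSTURE_PORTS:
        if needed not in permitted_ports:
            findings.append(f"missing permit for {needed}")
    if not any(r.action == "permit" and r.dest_host == ise_ip for r in rules):
        findings.append(f"no permit to ISE server {ise_ip}")
    if not rules or rules[-1].action != "deny" or rules[-1].protocol != "ip":
        findings.append("last rule is not 'deny ip' (traffic beyond the posture set may leak)")
    for r in rules:
        if r.action == "permit" and r.dest_port not in POSTURE_PORTS and r.dest_host != ise_ip:
            findings.append(f"rule {r.number} permits more than the posture flow needs")
    return findings

# Assumed capability table: the thread states the ISE HPWired_SNMP_CoA profile
# shows URL redirect as not supported. Extend with other NAD profiles as needed.
NAD_PROFILE_CAPS: Dict[str, Dict[str, bool]] = {"HPWired_SNMP_CoA": {"url_redirect": False}}

# RADIUS attributes that only make sense when the NAD can perform a URL redirect.
REDIRECT_ATTRS = {"HPE-Captive-Portal-URL", "cisco-av-pair:url-redirect"}

def check_authz_profile(attrs: Dict[str, str], nad_profile: str) -> List[str]:
    """Return redirect attributes present in 'attrs' that the NAD profile cannot honour."""
    caps = NAD_PROFILE_CAPS.get(nad_profile, {})
    if caps.get("url_redirect", True):
        return []
    return sorted(a for a in attrs if a in REDIRECT_ATTRS)

if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_ACL)
    print("ACL findings:", check_preposture_acl(parsed, "192.0.2.10") or "none")
    # Constructed profile: the posture ACL plus a captive-portal URL, as the thread describes.
    profile = {"Filter-Id": "3000", "HPE-Captive-Portal-URL": "https://ise.example.test/portal"}
    print("Unsupported attributes:", check_authz_profile(profile, "HPWired_SNMP_CoA"))
```

Run against a real "display acl" dump, the parser flags any permit outside the DHCP/DNS/ISE set and a missing trailing deny, and the profile check reports HPE-Captive-Portal-URL as unusable with HPWired_SNMP_CoA, which is the attribute the accepted answer asks to remove.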
