06-29-2018 01:02 AM
Hi Experts,
There are these 2 models of switches that we are integrating with ISE. H3C 3600 and 5120. Both of them are running Comware 5 OS.
We are using the NAD profiles for HP (HPWired_CoA_Bounce):
I have also manually added the MIB values, so that I can push them along with it.
What we have seen while testing is that if we are using normal dot1x authentication it works just fine: the user authenticates and gets access as per the ACL.
But, when I try to do the posture as per this policy here:
So when an endpoint hits the unknown posture policy and the user enters credentials, it stays stuck in the authenticating state.
Here NAM is being used, along with machine and user authentication.
Following is the configuration:
ISE 2.3 patch 3
Switch: HP 3600
OS version: 5.20.99
Port Config:
interface Ethernet1/0/1
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 605 tagged
 port hybrid vlan 230 307 untagged
 port hybrid pvid vlan 307
 voice vlan 260 enable
 mac-vlan enable
 poe enable
 poe priority critical
 lldp notification remote-change enable
 lldp compliance admin-status cdp txrx
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 mac-authentication max-user 5
 mac-authentication domain ise
 mac-authentication timer auth-delay 15
 mac-authentication host-mode multi-vlan
Is this the right behaviour?
Is this something that is expected?
Thank you!
07-02-2018 12:10 AM
Hi,
As far as I know, the HPE-Captive-Portal-URL RADIUS attribute is intended only for HPE ProCurve switches and not for Comware 5 OS.
Please remove that and try again using the AuthVLAN flow posture test.
06-29-2018 06:10 PM
If "stuck in authenticating state" means not completing authentication at all, my guess is that the authorization profile "HP-Switch-Unknown-Posture" has some attribute(s) your switch does not like.
The ISE pre-built HPWired_SNMP_CoA device profile shows redirect as not supported, so please ensure the authorization profile does not have any Web Redirection.
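Added example, not code from the original posts, from ISE or from HPE: the two replies above (drop HPE-Captive-Portal-URL, and make sure the authorization profile carries no Web Redirection) both come down to checking what attributes actually arrive in the Access-Accept for the unknown-posture profile. The script below builds a constructed Access-Accept the way RFC 2865 frames it, verifies the Response Authenticator the way the switch would, walks the attribute list, unwraps Vendor-Specific attributes, and reports the ones that only make sense on a NAD that supports URL redirect. Real values: vendor IDs 11 (Hewlett-Packard) and 9 (Cisco) are IANA enterprise numbers. Assumptions, also marked in the code: the HP sub-type 24 for HPE-Captive-Portal-URL is taken from the FreeRADIUS dictionary.hp; the Comware authorization ACL number is assumed to travel in Filter-Id; the shared secret, Request Authenticator and portal URL are made up.

```python
"""Inspect the attributes in a RADIUS Access-Accept and flag the ones that carry a
web redirect, which the Comware 5 NAD in this thread cannot act on.

Added example; not from the original posts, ISE or HPE. Packet is constructed here.
"""
import hashlib
import hmac
import struct
from typing import Dict, List

CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 Filter-Id (assumed to carry the Comware ACL number)
ATTR_VSA = 26                # RFC 2865 Vendor-Specific
VENDOR_CISCO = 9             # IANA enterprise number (real)
VENDOR_HP = 11               # IANA enterprise number (real)
HP_CAPTIVE_PORTAL_URL = 24   # sub-type per FreeRADIUS dictionary.hp (assumption)

SAMPLE_SECRET = b"constructed-shared-secret"   # made up
SAMPLE_REQUEST_AUTH = bytes(range(16))         # made up Request Authenticator
SAMPLE_PORTAL = b"https://ise.example.test:8443/portal/gateway?portal=posture"  # made up


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-octet Vendor-Id, then a nested vendor TLV (RFC 2865 s5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VSA, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAD checks before acting on any attribute; a wrong shared secret fails here."""
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, got)


def parse_attrs(packet: bytes) -> List[Dict]:
    """Walk the attribute list; unwrap VSAs into vendor_id / vendor_type / value."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    out, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        entry = {"type": attr_type, "vendor_id": None, "vendor_type": None, "value": value}
        if attr_type == ATTR_VSA:
            if len(value) < 6 or 4 + value[5] > len(value):
                raise ValueError("malformed VSA at offset %d" % pos)
            entry["vendor_id"] = struct.unpack("!I", value[:4])[0]
            entry["vendor_type"] = value[4]
            entry["value"] = value[6:4 + value[5]]
        out.append(entry)
        pos += attr_len
    return out


def redirect_attributes(attrs: List[Dict]) -> List[str]:
    """Names of attributes that presuppose URL-redirect support on the NAD."""
    found = []
    for a in attrs:
        if a["vendor_id"] == VENDOR_HP and a["vendor_type"] == HP_CAPTIVE_PORTAL_URL:
            found.append("HPE-Captive-Portal-URL")
        elif (a["vendor_id"] == VENDOR_CISCO and a["vendor_type"] == 1
              and a["value"].startswith(b"url-redirect")):
            # cisco-av-pair url-redirect= / url-redirect-acl= (what ISE Web Redirection emits for Cisco)
            found.append("cisco-av-pair:" + a["value"].split(b"=", 1)[0].decode())
    return found


def sample_unknown_posture_accept(with_redirect: bool) -> bytes:
    """Constructed model of the 'HP-Switch-Unknown-Posture' profile: ACL 3000 via Filter-Id,
    optionally plus the HPE-Captive-Portal-URL the accepted answer says to remove."""
    attrs = encode_attr(ATTR_FILTER_ID, b"3000")
    if with_redirect:
        attrs += encode_vsa(VENDOR_HP, HP_CAPTIVE_PORTAL_URL, SAMPLE_PORTAL)
    return build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    for flag in (True, False):
        pkt = sample_unknown_posture_accept(flag)
        ok = verify_response_authenticator(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
        print("with_redirect=%s authenticator_ok=%s redirect_attrs=%s"
              % (flag, ok, redirect_attributes(parse_attrs(pkt))))
```

To use it against real traffic, feed `parse_attrs` the UDP payload of the Access-Accept captured between ISE and the switch (and the matching Access-Request's authenticator and the shared secret to `verify_response_authenticator`); an empty list from `redirect_attributes` is the state the two replies above are asking for.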
07-01-2018 04:18 AM
Hi,
It seems that it is related to the authz profile configuration (VLAN or ACL).
We need more information about your test environment (VLAN for posture, or the ACL if you are using one).
Can you please share your "HP-Switch-Unknown-Posture" authz profile configuration?
Are you doing posture using AuthVLAN flow (DNS/DHCP)?
07-01-2018 11:15 PM
Hi,
We are using an ACL for authentication and then provide full access to the user if he completes authentication.
Both of these are achieved using ACLs.
Here is the posture unknown profile:
Following is the ACL used:
[NAC-3600]dis acl 3000
Advanced ACL 3000, named -none-, 5 rules,
ACL's step is 5
rule 0 permit udp destination-port eq bootps
rule 5 permit udp destination-port eq bootpc
rule 10 permit udp destination-port eq dns
rule 15 permit ip destination <ISE Server IP> 0
rule 20 deny ip
Thank you,