10-30-2018 04:36 AM
Hi Experts,
We have this external SQL database that has names of the VLANs and MAC addresses of computers that are specific to some locations. So, as per the flow, the endpoint will connect to the wired network. Then authentication and compliance check will happen as normal.
When the endpoint becomes compliant, the rules will query for location; based on the location (it queries for the NAD location, using device.location from the conditions), the authz profile will check if the endpoint is part of that location. If it is, then a different VLAN is assigned; if not, then it's moved to a limited access VLAN.
As here:
I also see that the CoA is happening, as here:
But then when I check the switch, there seems to be a delay and it keeps bouncing between connected and authenticating, like this:
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 231 Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
And after a few seconds:
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : Not Set Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
There are instances where I do see that the VLAN change has happened, but then it again goes back to bouncing between these two states.
Here is the setup that we are using:
ISE 2.3
HP 2930F
Aruba OS WC.16.01.0004
The NAD profile looks like this:
Any ideas, what am I missing here in the config?
I have been trying to get it to work for a few days, but to no avail; any pointers?
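The two "Access Policy Details" captures above differ only in the Untagged VLAN field (231 versus Not Set). When a port is suspected of flapping, it helps to capture that block repeatedly and parse it rather than eyeballing it. The following is an added example, not code from the original post or from HPE/Cisco: it parses the two-column layout shown above (the right-hand labels "In Limit Kbps" and "Out Limit Kbps" share a line with a left-hand field) and counts how often the untagged VLAN changed between consecutive captures. The timestamps and the sequence of captures are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Right-hand column labels that share a line with a left-hand field in the
# 2930F "Access Policy Details" block (labels as they appear in the capture above).
RIGHT_LABELS = ("In Limit Kbps", "Out Limit Kbps")


def parse_access_policy(block: str) -> Dict[str, str]:
    """Parse one 'Access Policy Details' block into a flat label -> value dict."""
    fields: Dict[str, str] = {}
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access Policy Details"):
            continue
        # A two-column line such as "Untagged VLAN : 231 Out Limit Kbps : Not Set"
        # is split into its left and right pairs before the ':' split.
        segments = [line]
        for label in RIGHT_LABELS:
            if label in line:
                left, right = line.split(label, 1)
                segments = [left, label + right]
                break
        for seg in segments:
            if ":" not in seg:
                continue
            key, value = seg.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def vlan_timeline(snapshots: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(timestamp, untagged VLAN) for each captured block, in capture order."""
    return [(ts, parse_access_policy(b).get("Untagged VLAN", "?")) for ts, b in snapshots]


def count_vlan_flaps(snapshots: List[Tuple[str, str]]) -> int:
    """Number of times the untagged VLAN changed between consecutive captures."""
    states = [v for _, v in vlan_timeline(snapshots)]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed sample: the two captures from the post, alternating, with made-up timestamps.
WITH_VLAN = """Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 231 Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List"""

WITHOUT_VLAN = WITH_VLAN.replace("Untagged VLAN : 231", "Untagged VLAN : Not Set")

SAMPLE_CAPTURES = [
    ("10:00:00", WITH_VLAN),
    ("10:00:05", WITHOUT_VLAN),
    ("10:00:10", WITH_VLAN),
    ("10:00:15", WITHOUT_VLAN),
]

if __name__ == "__main__":
    for ts, vlan in vlan_timeline(SAMPLE_CAPTURES):
        print(f"{ts}  Untagged VLAN = {vlan}")
    print("flaps:", count_vlan_flaps(SAMPLE_CAPTURES))
```

Feeding the parser with captures taken every few seconds from `show port-access clients detailed` output gives a flap count per port, which is a more useful thing to hand to HPE or Cisco support than two isolated screenshots.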
10-30-2018 05:17 AM
I can see a difference between the NAD profile you have for your 2930F and ours. In the port bounce section you have Tunnel-Medium-Type and Tunnel-Type, which are not present in our NAD profile.
10-31-2018 07:08 AM
I had added those attributes while I was comparing to the configuration for the 2930F given in the ClearPass configuration document.
I tested with those attributes, but there has been no effect, and since then I have reverted my NAD profile configuration to this:
10-31-2018 08:36 PM - edited 10-31-2018 08:37 PM
11-01-2018 05:55 AM
No, that did not work for me though.
The NAD profile that I am using is, HPWired_CoA_Bounce.
Even while removing those two other attributes for Tunnel-Type and Tunnel-Medium-Type, I am seeing that the switch keeps bouncing between authentication and a "no VLAN" rejected error.
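The attributes being discussed are the standard RADIUS VLAN-assignment triple: Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) from RFC 2868, with the values VLAN (13) and IEEE-802 (6) that RFC 3580 specifies for dynamic VLAN assignment. The following is an added example, not code from the thread, ISE or HPE: it encodes that triple the way it travels inside an Access-Accept or CoA-Request, decodes it back, and reports whether a standards-following NAS has enough information to pick a VLAN. The tag handling follows RFC 2868 (a first octet of 0x00..0x1F is a grouping tag). Whether the 2930F under WC.16.01.0004 requires all three attributes is exactly what the thread is trying to establish, so the "missing attribute" verdict below is the RFC's expectation, not a statement about that switch.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2868 attribute type codes and RFC 3580 values (standard values, not from the thread).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(type_code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def encode_vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """Build the three AVPs that tell a NAS to place the port in VLAN `vlan`."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31 (RFC 2868)")
    # Tunnel-Type / Tunnel-Medium-Type: 1 tag octet + 3-octet integer.
    t = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    m = _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID: 1 tag octet + string (VLAN id or VLAN name).
    g = _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii"))
    return t + m + g


def decode_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a sequence of AVPs, rejecting truncated or zero-length entries."""
    avps: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        type_code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} at offset {i}")
        avps.append((type_code, data[i + 2 : i + length]))
        i += length
    return avps


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868: the first octet is a tag only when it is 0x00..0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def check_vlan_assignment(data: bytes) -> Tuple[Optional[str], str]:
    """Return (vlan, 'ok') if the triple is complete and consistent, else (None, reason)."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for type_code, value in decode_avps(data):
        if type_code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _split_tag(value)
            groups.setdefault(tag, {})[type_code] = body
    for tag, attrs in sorted(groups.items()):
        if TUNNEL_PRIVATE_GROUP_ID not in attrs:
            continue
        vlan = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        missing = [n for n in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) if n not in attrs]
        if missing:
            return None, f"tag {tag}: VLAN '{vlan}' sent without attribute(s) {missing}"
        ttype = int.from_bytes(attrs[TUNNEL_TYPE], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big")
        if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
            return None, f"tag {tag}: Tunnel-Type={ttype}, Tunnel-Medium-Type={medium}; expected 13 and 6"
        return vlan, "ok"
    return None, "no Tunnel-Private-Group-ID present"


# Constructed sample: VLAN 231 from the thread, once complete and once with only the group id.
COMPLETE_ACCEPT = encode_vlan_attrs("231")
GROUP_ID_ONLY = _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"231")

if __name__ == "__main__":
    print(COMPLETE_ACCEPT.hex(), "->", check_vlan_assignment(COMPLETE_ACCEPT))
    print(GROUP_ID_ONLY.hex(), "->", check_vlan_assignment(GROUP_ID_ONLY))
```

Running it against the attribute bytes seen in a packet capture of the Access-Accept or the CoA-Request (for example from Wireshark's RADIUS dissector) shows immediately whether ISE actually sent all three attributes with a matching tag, which separates a profile problem from a switch-side problem.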
11-03-2018 10:06 AM
Please engage with HPE support. This particular switch model and OS have not been tested by our teams.
11-04-2018 11:25 PM
It seems that we have already engaged with HPE support on this. There are some tests that need to be carried out as per the suggestion from the HPE engineer.
Will check and update on the same.
11-13-2018 12:12 AM
We also did some more tests to see if there was really an issue from ISE:
Observations:
To make sure that there was no issue with the VLAN being assigned, we tested by just keeping the access VLAN on the port, and the endpoint got the IP address, so an issue with the VLAN is also out of the question.