H3C S5130 integration with ISE 2.3

Dear all,

We are working on a POV using ISE 2.3 and H3C S5130.

We are following the 3rd party H3C config in https://communities.cisco.com/docs/DOC-70347 but it looks like we hit an authentication error.

Is there any guideline on how to troubleshoot H3C integration?

Thanks, Tommy

Likely an issue with NAD Profile and settings for Auth and Host Lookup.  Indicators include auth method as PAP and shared secret mismatch.

We have double confirmed the radius key on the server and ISE are the same.

Is there any guideline on how to troubleshoot the H3C device profile?

Thanks

Accepted solution:

Need to compare the authentication and host lookup settings to what is being sent by NAD.  Send me profile (or screenshot of the NAD Profile Authentication settings) and screenshots of Allowed Protocol settings and screenshot of authentication policy.

I worked with Tommy for this case and attached please find the NAD profile, screenshots of Allowed Protocol settings and screenshot of authentication policy.

For the device profile, I followed the guide to delete the HP profile and create a new one with H3C only profile.

For allowed protocol settings and authentication policy, I used the default setting with no modifications.

Thanks in advance for help!

Terry

Had a chance to load the NAD Profile. From what I can tell, I would suggest unchecking the CHAP option in the Authentication section of NAD Profile and then try removing all options under and including PAP/ASCII.

If that does not resolve, then recommend enabling "Via PAP/ASCII".

If still not working, select "Check Calling-Station-Id equals MAC address".

Finally if still not working select "Check Password".

I have seen different behavior in a couple of versions where Process Host Lookup was sufficient if Service Type is Call Check.  However, I have also seen cases where need to enable the sub-parameters.  Since Call Check, Calling ID should be MAC, although in different formats.  Some H3C documentation indicates username will equal password.

Although it should not be an issue due to ISE normalization, you could also try changing the MAC address format using the mac-authentication command:

mac-authentication user-name-format mac-address [ with-hyphen | without-hyphen ] [ lowercase | uppercase ]

This example sets username=password=MAC and adds hyphens as in xx-xx-xx-xx-xx-xx and all uppercase:

mac-authentication user-name-format mac-address with-hyphen uppercase

/Craig
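
The host-lookup checks Craig lists (Service-Type = Call-Check, Calling-Station-Id equal to the MAC, password equal to the MAC) and the MAC-format variants of the H3C user-name-format command can be exercised offline with the small checker below. It is an added example written for this thread, not ISE code, H3C code or anything posted by the participants; the RADIUS attribute names follow RFC 2865, the sample requests are constructed, and the normalization rule (strip hyphens, colons and dots, compare lowercase) is an assumption that stands in for ISE's own MAC normalization.

```python
import re

# RADIUS Service-Type 10 = Call-Check (RFC 2865), the value ISE treats as a
# MAC Authentication Bypass / host lookup request.
SERVICE_TYPE_CALL_CHECK = 10

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Reduce a MAC spelling to 12 lowercase hex digits, or None if not a MAC.

    Accepts xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx and the bare
    12-digit form, upper or lower case. This covers every combination of the
    with-hyphen/without-hyphen and lowercase/uppercase options of the H3C
    command quoted above (assumed normalization, not ISE's own code).
    """
    if value is None:
        return None
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if _HEX12.match(digits) else None


def check_host_lookup(attrs, check_calling_station=True, check_password=True):
    """Return (ok, reasons) for one access request given as an attribute dict.

    The two keyword switches model the NAD profile sub-options discussed in
    the thread: "Check Calling-Station-Id equals MAC address" and
    "Check Password" (username = password = MAC).
    """
    reasons = []
    if attrs.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        reasons.append("Service-Type is not Call-Check; not a host lookup")
        return False, reasons

    user_mac = normalize_mac(attrs.get("User-Name"))
    if user_mac is None:
        reasons.append("User-Name is not a MAC address")
        return False, reasons

    if check_calling_station:
        csid = normalize_mac(attrs.get("Calling-Station-Id"))
        if csid != user_mac:
            reasons.append("Calling-Station-Id does not equal User-Name MAC")

    if check_password:
        pw_mac = normalize_mac(attrs.get("User-Password"))
        if pw_mac != user_mac:
            reasons.append("User-Password does not equal User-Name MAC")

    return (not reasons), reasons


# Constructed sample requests; none of these were captured from a real switch.
SAMPLE_REQUESTS = {
    # with-hyphen uppercase username and password, Calling-Station-Id sent
    # with colons: formats differ but all three normalize to the same MAC.
    "hyphen_upper_ok": {
        "Service-Type": 10,
        "User-Name": "00-1A-2B-3C-4D-5E",
        "User-Password": "00-1A-2B-3C-4D-5E",
        "Calling-Station-Id": "00:1a:2b:3c:4d:5e",
    },
    # Username is the MAC but the switch sends a fixed password instead.
    "fixed_password": {
        "Service-Type": 10,
        "User-Name": "001a2b3c4d5e",
        "User-Password": "h3c-mab-secret",
        "Calling-Station-Id": "001a.2b3c.4d5e",
    },
    # Calling-Station-Id carries a different MAC than User-Name.
    "csid_mismatch": {
        "Service-Type": 10,
        "User-Name": "00-1A-2B-3C-4D-5E",
        "User-Password": "00-1A-2B-3C-4D-5E",
        "Calling-Station-Id": "00-1A-2B-3C-4D-5F",
    },
    # Ordinary PAP user login; must not be handled as a host lookup at all.
    "pap_user": {
        "Service-Type": 1,
        "User-Name": "terry",
        "User-Password": "s3cret",
        "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
    },
}


def evaluate_all():
    """Run every sample through the checker with both sub-options enabled."""
    return {name: check_host_lookup(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reasons) in evaluate_all().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} {reasons}")
```

Running the block shows why the order of Craig's steps matters: "fixed_password" passes once check_password is turned off but fails with it on, and "csid_mismatch" fails only the Calling-Station-Id check, so comparing the NAD profile sub-options against what the switch actually sends isolates the failing attribute rather than the whole request.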

Hi Craig,

Thanks very much for your help!

I am now able to use the attached config to do dot1x auth with customer's AD.

However, the H3C S5130 does not have the command "dhcp relay server-group", which is used to point the DHCP relay to the ISE Guest VLAN. I am not able to get an IP from ISE's DHCP service for the further posture processes.

Do you know any alternative commands with the same function?

Also, when does the dot1x device get an IP? Is this after dot1x auth and VLAN assignment?

Thanks again!

Best Regards,

Terry

Your config shows a local DHCP server.  Typically with such a config, the switch cannot both serve and relay DHCP.  I would defer to H3C documentation as to how to config, but a quick search provided the following: https://community.hpe.com/t5/Comware-Based/How-to-change-the-DHCP-relay-helper-on-H3C-S5800-Series-switch/td-p/6730709

It looks like you already have this configured, but it could be conflicting with the local DHCP server as previously noted.  ISE does not serve DHCP when used for profiling only.  ISE can serve DHCP, but only for the case where it needs to handle URL Redirection for guest flows in an Auth VLAN (available in ISE 2.1).  If not requiring CWA, then likely this deployment is not required.  If required, then certainly need to disable local switch DHCP for the Auth VLAN.

802.1X in Closed Mode (typical mode available from 3rd-party switches) means no IP connectivity until post auth, which also means no DHCP until after successful auth.  In Low Impact mode (Cisco switches) it is possible to allow DHCP before 802.1X auth completes.
