H3C S5130 integration with ISE 2.3

Tze Tai Mak
Level 1

Dear all,

We are working on a POV using ISE 2.3 and H3C S5130.

We are following the 3rd party H3C config in https://communities.cisco.com/docs/DOC-70347 but it looks like we hit an authentication error.

Is there any guideline how to troubleshoot H3C integration?

Thanks, Tommy

7 Replies

Craig Hyps
Level 10

Likely an issue with NAD Profile and settings for Auth and Host Lookup.  Indicators include auth method as PAP and shared secret mismatch.

We have double confirmed the radius key on server and ISE are the same.

Is there any guideline how to troubleshoot H3C device profile?

Thanks

Need to compare the authentication and host lookup settings to what is being sent by NAD.  Send me profile (or screenshot of the NAD Profile Authentication settings) and screenshots of Allowed Protocol settings and screenshot of authentication policy.

I worked with Tommy for this case and attached please find the NAD profile, screenshots of Allowed Protocol settings and screenshot of authentication policy.


For the device profile, I followed the guide to delete the HP profile and create a new one with H3C only profile.


For allowed protocol settings and authentication policy, I used the default setting with no modifications.


Thanks in advance for help!

Terry

Had a chance to load the NAD Profile. From what I can tell, I would suggest unchecking the CHAP option in the Authentication section of NAD Profile and then try removing all options under and including PAP/ASCII.

If that does not resolve, then I recommend enabling "Via PAP/ASCII".

If still not working, select "Check Calling-Station-Id equals MAC address".

Finally, if still not working, select "Check Password".

I have seen different behavior in a couple of versions where Process Host Lookup was sufficient if Service Type is Call Check.  However, I have also seen cases where you need to enable the sub-parameters.  Since it is Call Check, Calling ID should be the MAC, although in different formats.  Some H3C documentation indicates username will equal password.

Although it should not be an issue due to ISE normalization, you could also try changing the MAC address format using the mac-authentication command:

mac-authentication user-name-format mac-address [ with-hyphen | without-hyphen ] [ lowercase | uppercase ]


This example sets username=password=MAC and adds hyphens as in xx-xx-xx-xx-xx-xx and all uppercase:

mac-authentication user-name-format mac-address with-hyphen uppercase


/Craig
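As an added illustration (not code from this thread, from ISE or from H3C), here is a small Python model of the host lookup checks discussed above: MAC normalization across the H3C user-name formats, the "Check Calling-Station-Id equals MAC address" option and the "Check Password" option. The attribute dictionaries are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample RADIUS Access-Request attribute sets (not captured from real devices).
# Request 0: MAB with hyphenated uppercase username/password and dotted Calling-Station-Id.
# Request 1: MAB where the password is not the MAC (fails only if Check Password is on).
# Request 2: a regular 802.1X-style user login, which is not a host lookup at all.
SAMPLE_REQUESTS = [
    {"User-Name": "00-1B-44-11-3A-B7", "User-Password": "00-1B-44-11-3A-B7",
     "Calling-Station-Id": "001b.4411.3ab7", "Service-Type": "Call-Check"},
    {"User-Name": "001b44113ab7", "User-Password": "wrong",
     "Calling-Station-Id": "00:1b:44:11:3a:b7", "Service-Type": "Call-Check"},
    {"User-Name": "alice", "User-Password": "s3cret",
     "Calling-Station-Id": "00:1b:44:11:3a:b7", "Service-Type": "Framed"},
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Strip hyphens, colons and dots and lowercase the result.

    Accepts the H3C with-hyphen / without-hyphen forms in either case, the
    colon form and the dotted form. Returns None if the value is not a MAC.
    """
    stripped = re.sub(r"[-:.]", "", value.strip().lower())
    return stripped if _HEX12.match(stripped) else None


def host_lookup_check(req, check_calling_station=True, check_password=True):
    """Emulate the NAD profile host lookup sub-options (hypothetical model).

    Returns (accepted, reason). The two keyword flags correspond to the
    "Check Calling-Station-Id equals MAC address" and "Check Password" options.
    """
    if req.get("Service-Type") != "Call-Check":
        return False, "Service-Type is not Call-Check; not a host lookup"
    user_mac = normalize_mac(req.get("User-Name", ""))
    if user_mac is None:
        return False, "User-Name is not a MAC address"
    if check_calling_station:
        csid = normalize_mac(req.get("Calling-Station-Id", ""))
        if csid != user_mac:
            return False, "Calling-Station-Id does not match User-Name"
    if check_password:
        if normalize_mac(req.get("User-Password", "")) != user_mac:
            return False, "User-Password does not equal the MAC"
    return True, "host lookup ok"


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, host_lookup_check(req))
```

Running it shows why a request with username=MAC but a non-MAC password passes only when Check Password is left off, which is the order of toggles suggested above.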

Hi Craig,

Thanks very much for your help!

I am now able to use the attached config to do dot1x auth with customer's AD.

However, H3C S5130 does not have the command "dhcp relay server-group" which is used to point dhcp relay to ISE Guest VLAN. I am not able to get an IP from ISE's DHCP service and for further posture processes.

Do you know any alternative commands with same function?

Also, when does the dot1x device get an IP? Is this after dot1x auth and vlan assignment?

Thanks again!

Best Regards,

Terry

Your config shows local DHCP server.  Typically with such a config, the switch cannot both serve and relay DHCP.  I would defer to H3C documentation as to how to config but quick search provided the following: https://community.hpe.com/t5/Comware-Based/How-to-change-the-DHCP-relay-helper-on-H3C-S5800-Series-switch/td-p/6730709

It looks like you already have this configured but it could be conflicting with the local DHCP server as previously noted.  ISE does not serve DHCP when used for profiling only.  ISE can serve DHCP, but only for the case where it needs to handle URL Redirection for guest flows in an Auth VLAN (available in ISE 2.1).  If not requiring CWA, then likely this deployment is not required.  If required, then you certainly need to disable local switch DHCP for the Auth VLAN.

802.1X in Closed Mode (typical mode available from 3rd-party switches) means no IP connectivity until post auth, which also means no DHCP until after successful auth.  In Low Impact mode (Cisco switches) it is possible to allow DHCP before 802.1X auth completes.
