02-13-2018 03:36 PM
Dear all,
We are working on a POV using ISE 2.3 and H3C S5130.
We are following the 3rd party H3C config in https://communities.cisco.com/docs/DOC-70347 but it looks like we hit an authentication error.
Is there any guideline how to troubleshoot H3C integration?
Thanks, Tommy
02-14-2018 06:44 AM
Likely an issue with NAD Profile and settings for Auth and Host Lookup. Indicators include auth method as PAP and shared secret mismatch.
02-14-2018 09:13 AM
We have double confirmed the RADIUS key on the server and ISE are the same.
Is there any guideline how to troubleshoot H3C device profile?
Thanks
02-15-2018 06:06 AM
Need to compare the authentication and host lookup settings to what is being sent by NAD. Send me profile (or screenshot of the NAD Profile Authentication settings) and screenshots of Allowed Protocol settings and screenshot of authentication policy.
02-20-2018 09:29 AM
I worked with Tommy for this case and attached please find the NAD profile, screenshots of Allowed Protocol settings and screenshot of authentication policy.
For the device profile, I followed the guide to delete the HP profile and create a new one with H3C only profile.
For allowed protocol settings and authentication policy, I used the default setting with no modifications.
Thanks in advance for help!
Terry
03-07-2018 08:33 PM
Had a chance to load the NAD Profile. From what I can tell, I would suggest unchecking the CHAP option in the Authentication section of the NAD Profile and then try removing all options under and including PAP/ASCII.
If that does not resolve it, then I recommend enabling "Via PAP/ASCII".
If still not working, select "Check Calling-Station-Id equals MAC address".
Finally, if still not working, select "Check Password".
I have seen different behavior in a couple of versions where Process Host Lookup was sufficient if Service Type is Call Check. However, I have also seen a case where the sub-parameters needed to be enabled. Since it is Call Check, the Calling ID should be the MAC, although in different formats. Some H3C documentation indicates the username will equal the password.
Although it should not be an issue due to ISE normalization, you could also try changing the MAC address format using the mac-authentication command:
mac-authentication user-name-format mac-address [ with-hyphen | without-hyphen ] [ lowercase | uppercase ]
This example sets username=password=MAC and adds hyphens as in xx-xx-xx-xx-xx-xx and all uppercase:
mac-authentication user-name-format mac-address with-hyphen uppercase
/Craig
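As an added illustration of the host lookup checks discussed above (not code from the original post, and not how ISE is implemented internally), the following Python models the decision a RADIUS server makes for a MAB request: Service-Type must be Call-Check, User-Name must parse as a MAC in any of the common formats, and optionally Calling-Station-Id must equal that MAC and User-Password must equal User-Name. It also renders the username the way the `mac-authentication user-name-format` options in the post describe. The attribute values are constructed sample requests, and the function names are this example's own.

```python
import re

# Constructed sample RADIUS Access-Request attribute sets, as an H3C switch
# might send them for MAC authentication (not captured from real equipment).
SAMPLE_REQUESTS = [
    {"User-Name": "00-11-22-AA-BB-CC", "User-Password": "00-11-22-AA-BB-CC",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "Service-Type": "Call-Check"},
    # Same MAC, username without hyphens, Calling-Station-Id colon-separated.
    {"User-Name": "001122aabbcc", "User-Password": "001122aabbcc",
     "Calling-Station-Id": "00:11:22:AA:BB:CC", "Service-Type": "Call-Check"},
    # A real 802.1X/PAP user, not a host lookup.
    {"User-Name": "jdoe", "User-Password": "secret",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "Service-Type": "Framed"},
    # MAB request whose password is not the MAC ("Check Password" will fail).
    {"User-Name": "00-11-22-AA-BB-CC", "User-Password": "h3c",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "Service-Type": "Call-Check"},
]


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx and the
    bare 12-digit form, in either case.
    """
    digits = re.sub(r"[-:. ]", "", (value or "").strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def h3c_username(mac, with_hyphen=True, uppercase=True):
    """Render a MAC as the switch would for
    `mac-authentication user-name-format mac-address [with-hyphen|without-hyphen]
    [lowercase|uppercase]`, as described in the post above."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError("not a MAC address: %r" % mac)
    text = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return text.upper() if uppercase else text


def host_lookup_decision(attrs, check_calling_station_id=False, check_password=False):
    """Model of the NAD profile host lookup evaluation.

    Returns (is_host_lookup, reason). The two optional checks correspond to
    the "Check Calling-Station-Id equals MAC address" and "Check Password"
    options named in the post; the order and semantics here are this
    example's assumption, not a statement of ISE internals.
    """
    if attrs.get("Service-Type") != "Call-Check":
        return False, "Service-Type is not Call-Check"
    user_mac = normalize_mac(attrs.get("User-Name"))
    if user_mac is None:
        return False, "User-Name is not a MAC address"
    if check_calling_station_id:
        if normalize_mac(attrs.get("Calling-Station-Id")) != user_mac:
            return False, "Calling-Station-Id does not equal User-Name MAC"
    if check_password:
        # Password is compared verbatim: the switch must send the same
        # string it used for the username (same separators and case).
        if attrs.get("User-Password") != attrs.get("User-Name"):
            return False, "User-Password does not equal User-Name"
    return True, "treated as host lookup (MAB)"


def evaluate_all(requests, **options):
    """Evaluate every sample request and return a list of (User-Name, ok, reason)."""
    return [(r.get("User-Name"),) + host_lookup_decision(r, **options) for r in requests]


if __name__ == "__main__":
    print("switch would send:", h3c_username("0011.22aa.bbcc", with_hyphen=True, uppercase=True))
    for name, ok, reason in evaluate_all(SAMPLE_REQUESTS,
                                         check_calling_station_id=True,
                                         check_password=True):
        print("%-20s %-5s %s" % (name, ok, reason))
```

Running it with both checks enabled shows the first two requests accepted as host lookups despite the differing MAC formats, the 802.1X user rejected because Service-Type is not Call-Check, and the last request rejected only because of the password check; with `check_password=False` that last one is accepted, which is why the post suggests enabling the sub-options one at a time.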
03-12-2018 08:13 AM
Hi Craig,
Thanks very much for your help!
I am now able to use the attached config to do dot1x auth with customer's AD.
However, the H3C S5130 does not have the command "dhcp relay server-group", which is used to point DHCP relay to the ISE Guest VLAN. I am not able to get an IP from ISE's DHCP service for the further posture processes.
Do you know any alternative commands with same function?
Also, when does the dot1x device get an IP? Is this after dot1x auth and VLAN assignment?
Thanks again!
Best Regards,
Terry
03-12-2018 11:57 AM
Your config shows local DHCP server. Typically with such a config, the switch cannot both serve and relay DHCP. I would defer to H3C documentation as to how to config but quick search provided the following: https://community.hpe.com/t5/Comware-Based/How-to-change-the-DHCP-relay-helper-on-H3C-S5800-Series-switch/td-p/6730709
It looks like you already have this configured, but it could be conflicting with the local DHCP server as previously noted. ISE does not serve DHCP when used for profiling only. ISE can serve DHCP, but only for the case where you need it to handle URL redirection for guest flows in an Auth VLAN (available in ISE 2.1). If CWA is not required, then this is likely not required for your deployment. If it is required, then you certainly need to disable the local switch DHCP for the Auth VLAN.
802.1X in Closed Mode (the typical mode available from 3rd-party switches) means no IP connectivity until post-auth, which also means no DHCP until after successful auth. In Low Impact mode (Cisco switches) it is possible to allow DHCP before 802.1X auth completes.