12-07-2016 11:39 AM
So the Cisco ISE 2.1 is missing a great deal of the CoA attributes for the HP switch, namely port shutdown and port bounce. Does anyone have the strings that need to be in there for HP, or a proper HP NAD profile they can share?
Thanks
12-14-2016 04:54 PM
Not all Cisco-specific CoA directives have comparable options in 3rd-party devices and vice versa. Beyond RFC-based PoD and CoA Request (Push), other implementations would be vendor specific. Most vendors do not have a reauth option but opt instead to use CoA Push. Port Bounce is often implemented as a vendor-specific attribute.
For more specifics on CoA options supported by newer HP code, see Coa and HP 5130 or 5500 series switches - Airheads Community
In general, CoA reauth is not required as ISE has the ability to "stitch" together a terminated session with a successive attempt after terminate/disconnect.
Hope that helps.
Craig
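How the two mechanisms described in the answer above differ on the wire, as an added example that is not part of the original thread and not Cisco or HP code: an RFC 5176 Disconnect-Request (PoD) next to a CoA-Request carrying HP-Port-Bounce-Host as a vendor-specific attribute, plus the authenticator check a NAS makes before acting on either. The HP vendor ID 11, sub-type 23, the use of a CoA-Request for the bounce, the 10-second value, the shared secret and the MAC address are assumptions or constructed samples; check them against the switch documentation.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43      # RFC 5176 packet codes
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26  # standard attribute types
HP_VENDOR_ID, HP_PORT_BOUNCE_HOST = 11, 23    # assumptions, not from this thread

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id, sub_type, value):
    """Wrap a vendor sub-attribute in Vendor-Specific (type 26)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(sub_type, value))

def build_request(code, ident, attrs, secret):
    """Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_and_parse(packet, secret):
    """NAS-side check: None on a bad packet, else (code, attributes)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    attrs, pos = [], 0
    while pos < len(body):
        a_len = body[pos + 1] if pos + 2 <= len(body) else 0
        if a_len < 2 or pos + a_len > len(body):
            return None
        a_type, value = body[pos], body[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 6:
            attrs.append(("vsa", struct.unpack("!I", value[:4])[0], value[4], value[6:]))
        else:
            attrs.append((a_type, value))
        pos += a_len
    return packet[0], attrs

def sample_packets(secret=b"constructed-secret", mac=b"00-11-22-33-44-55"):
    """Constructed samples: an RFC PoD, then a CoA-Request with the HP VSA."""
    station = attr(CALLING_STATION_ID, mac)
    bounce = vsa(HP_VENDOR_ID, HP_PORT_BOUNCE_HOST, struct.pack("!I", 10))
    return (build_request(DISCONNECT_REQUEST, 1, [station], secret),
            build_request(COA_REQUEST, 2, [station, bounce], secret))
```

The PoD needs only standard attributes to identify the session, while the bounce depends on the NAS recognising the vendor sub-type, which is why it has to be defined in the NAD profile dictionary.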
12-07-2016 02:15 PM
Jeffrey, I have created two new NAD profiles you can try for port bounce and terminate. I am not aware of other CoA HPE switches support. See:
12-07-2016 02:44 PM
Thanks, I tried to import it into ISE and it gave an error.
12-07-2016 02:58 PM
I've added additional instructions in the above doc. Please retry.
12-07-2016 03:06 PM
Followed instructions, same error as before.
12-07-2016 03:08 PM
I had misspelled the dictionary attribute name in the instructions. Was missing an 'n' in the word 'Bounce'. Try correcting the name:
- Attribute Name: HP-Port-Bounce-Host
12-07-2016 03:17 PM
Yes, I saw the change, made the change and it imported great. So there really isn't a port shutdown command that can be set via CoA to HP switches?
What about re-authenticate commands? Basic, rerun and last... and move VLAN, basically move them to VLAN 300, which is my remediation VLAN.
12-08-2016 11:32 AM
Can we get it in one HPE-COAFH profile?
12-08-2016 11:37 AM
I have not found any document stating what is supported on their platforms. If you know of such document I can reference it to add more CoA. Or if you know the attributes, that will work as well. Thanks.
12-07-2016 03:31 PM
Can we get them into one profile? That would help some.
12-08-2016 11:33 AM
The 'Terminate' didn't match exactly to two of the options for disconnect that ISE provides so I made it into two separate profiles. If you want you can combine the two by gleaning the profile information and adding it to one of the CoA actions.