HP switch with ISE - port bounce does not happen

dgaikwad (Level 5)

Hi Experts,

I am facing an issue where I see that a computer connected to an HP switch goes through authentication and then posture checks.
It comes up as compliant, but the final access is not applied to the port.

I feel that the port bounce is not going through...

I am using the community-provided NAD profile named HPWired_CoA_Bounce.

 

Following is the complete configuration:

ISE 2.3.0.298 with patch 3

NAM module for EAP Chaining (AnyConnect version 4.5.04029)

HP HPE Comware Software, Version 7.1.070, Release 3208P03

HP Device profile that I am using with port bounce:

[image: HP Config.jpg]

Port configuration deployed:

interface GigabitEthernet1/0/5
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 230 untagged
port hybrid pvid vlan 230
undo voice-vlan mode auto
voice-vlan 260 enable
mac-vlan enable
undo stp enable
stp edged-port
undo lldp enable
port bridge enable
poe enable
undo dot1x handshake
dot1x handshake reply enable
dot1x mandatory-domain ciscoise
undo dot1x multicast-trigger
dot1x unicast-trigger
dot1x re-authenticate server-unreachable keep-online
mac-authentication domain ciscoise
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication host-mode multi-vlan
mac-authentication parallel-with-dot1x
port-security port-mode userlogin-secure-or-mac-ext

 

The following snapshot shows the endpoint compliant, but no port bounce:

[image: not so compliant.jpg]

Any pointers or assistance much appreciated.

 

Thank you!

 

Accepted Solution

It turned out that the issue was the policy itself.

Since NAM is being used to perform EAP chaining, the user and machine authentication were happening, but the policy was disabled during some troubleshooting session.

This caused all the endpoints to go to MAB and fail, as they were not IP phones (as configured on the authorization policy).

 

I rectified the issue and since then have been able to run authentication and posture just fine on the HP switch.

 

Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.

This case is deemed closed now!
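The root cause above is a first-match authorization policy: once the EAP-chaining rule is disabled, a fully compliant 802.1X session matches nothing, hits the default deny, and the switch (configured with mac-authentication parallel-with-dot1x) falls back to MAB, where the only remaining rule permits IP phones. The following Python model, added here as an example and not taken from the thread or from ISE, reproduces that fall-through and also reports which disabled rules would have matched, which is the first thing to check when a compliant endpoint ends up denied. The rule names, profile names and session attributes are assumptions; the dot1x-then-MAB retry is a simplified stand-in for the switch behaviour, not the Comware state machine.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Session = Dict[str, str]


@dataclass
class Rule:
    """One authorization rule: a predicate over session attributes and the
    authorization profile it returns. Disabled rules are skipped, not deleted."""
    name: str
    condition: Callable[[Session], bool]
    result: str
    enabled: bool = True


@dataclass
class Outcome:
    matched_rule: str
    result: str
    # Rules whose condition matched but that were skipped because disabled.
    skipped_disabled: List[str] = field(default_factory=list)


def evaluate(rules: List[Rule], session: Session, default: str = "DenyAccess") -> Outcome:
    """First-match evaluation, top to bottom; falls to the default if nothing matches."""
    skipped: List[str] = []
    for rule in rules:
        if rule.condition(session):
            if rule.enabled:
                return Outcome(rule.name, rule.result, skipped)
            skipped.append(rule.name)
    return Outcome("Default", default, skipped)


def build_rules(eap_chaining_enabled: bool = True) -> List[Rule]:
    """Constructed policy resembling the thread: two EAP-chaining rules and one MAB rule
    for IP phones. Names and profiles are assumptions."""
    chained = lambda s: s["auth"] == "dot1x" and s["eap_chaining"] == "user_and_machine_passed"
    return [
        Rule("EAP-Chaining Compliant",
             lambda s: chained(s) and s["posture"] == "Compliant",
             "PermitAccess-Compliant", enabled=eap_chaining_enabled),
        Rule("EAP-Chaining Posture Pending",
             lambda s: chained(s) and s["posture"] != "Compliant",
             "Posture-Redirect", enabled=eap_chaining_enabled),
        Rule("MAB IP Phones",
             lambda s: s["auth"] == "mab" and s["endpoint_group"] == "Cisco-IP-Phone",
             "Voice-Access"),
    ]


def authorize_endpoint(rules: List[Rule], endpoint: Session) -> List[Outcome]:
    """Try 802.1X first; on a reject, retry as MAB (simplified assumption standing in
    for mac-authentication parallel-with-dot1x on the port). Returns the full trail."""
    trail = [evaluate(rules, {"auth": "dot1x", **endpoint})]
    if trail[0].result == "DenyAccess":
        # A MAB session carries no EAP chaining or posture result.
        mab = {**endpoint, "auth": "mab", "eap_chaining": "none", "posture": "Unknown"}
        trail.append(evaluate(rules, mab))
    return trail


# Constructed sample endpoint: NAM did EAP chaining, posture passed, it is a workstation.
WORKSTATION: Session = {
    "eap_chaining": "user_and_machine_passed",
    "posture": "Compliant",
    "endpoint_group": "Workstation",
}
IP_PHONE: Session = {"eap_chaining": "none", "posture": "Unknown", "endpoint_group": "Cisco-IP-Phone"}

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"EAP-chaining rules enabled={enabled}:")
        for step in authorize_endpoint(build_rules(enabled), WORKSTATION):
            print(f"  matched={step.matched_rule!r} result={step.result!r} "
                  f"skipped_disabled={step.skipped_disabled}")
```

With the rules enabled the workstation matches the compliant rule in one pass. With them disabled the 802.1X pass reports "EAP-Chaining Compliant" under skipped_disabled and ends in DenyAccess, the MAB retry finds only the IP-phone rule and is denied too; the skipped_disabled list is the diagnostic that points straight at the disabled policy rather than at the switch or the CoA profile.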


7 Replies

Francesco Molino (VIP Alumni)
Hi

We see the CoA sent by ISE.
I've done very few deployments of ISE with HP network devices.
You can try the NAD profile HP_Wired_SNMP_CoA, which will use an SNMP OID to bounce the port.

If it is still not working, you have no choice but to call HP to ask what command, SNMP OID or dictionary needs to be configured to get a port bounce.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, we had tried this with SNMP CoA as well, but there was no success. Now we are trying to use the port bounce profile and a weird thing happened.

When I unchecked the port bounce from the network device profile, the endpoint became compliant and got full access.

So just to check again, I rebooted the computer, and since then it's stuck in a loop, wherein NAM keeps asking for credentials and the endpoint goes back to MAB and gets a deny access...

Has anyone faced such an issue?

For further troubleshooting of this issue, I will try and get an HP engineer involved and see what I can do.

 

Thank you

Have you tried removing the posture XML file from the AnyConnect folder and testing it using a fresh config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I haven't thought of removing posture.xml and testing it. Will try this out and post results.

Just as a note, what does the posture.xml store?

Does it store the details about the last PSN contacted for performing posture and updates?

 

Thank you,

Yes, the XML has information on the PSN where the laptop connects to get its check/update.

Have you also installed DART on the client to get logs on what's happening on the device?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I need to check that, since the machine is on the other end of the planet.

Will have that checked and post it.

 

Thank you,
