01-04-2017 04:25 AM
I want to know how to configure CoA attributes under the network device profile.
ProCurve does support port-bounce and disconnect.
I want to know how a CoA message can be sent to the NAD that puts the client into a quarantine VLAN.
Is it possible to use CoA push? If so, how can I send this manually?
01-04-2017 12:05 PM
You have to create a new HP device profile, and also create all the HP attributes in the dictionary. The HP Port Bounce one is missing from the default profile because HP has not updated the RFC since 2006.
01-04-2017 06:49 PM
Thank you Jeffery for the quick reply to my post.
I have already created a NAD profile for the HP switch and added HP port bounce in the dictionary file.
Port-bounce is working for me when I send it from endpoint profiling.
I have configured the IETF attributes Tunnel-Private-Group-ID, Tunnel-Type and Tunnel-Medium-Type under the CoA Push option.
Now I want to manually send this to my NAD so that it will change the VLAN dynamically to a quarantine VLAN for the currently authenticated client.
This is for quarantining the client so that access to any resources will be denied.
If I use port-bounce, the client gets authenticated again after the bounce time period.
Another option is to use the port-shutdown option, but the HP NAD doesn't support it.
01-17-2017 11:00 AM
Yes, I was very surprised HP does not support something as simple as a port-shutdown command like the rest of the switches in the world do.
10-23-2017 02:03 PM
Hi
You may use SNMP CoA as a workaround.
For re-auth (which, as far as I'm concerned, isn't supported on ProCurve devices), OID 1.3.6.1.4.1.11.2.14.11.5.1.25.1.2.2.1.4 (object hpicfDot1xSMAuthReauthenticate) is working perfectly fine, or 1.3.6.1.4.1.11.2.14.11.5.1.19.2.1.1.4 (hpicfUsrAuthPortReauthenticate) for MAB implementations.
Port-bounce using SNMP technically isn't an issue; however, when providing your ISE NAD profile with the OIDs for port disable and then port enable, ISE will send both SNMP set commands at the same time and the switch ends up doing nothing. I've tried running those SNMP set commands manually with a 1 second delay for the port enable command, and those tests were successful.
Obviously CoA port-shutdown using SNMP isn't a problem, since it's just one SNMP set command and not two.
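The sequencing problem described in the post above (ISE firing the disable and enable sets back to back, versus a manual run with a delay in between) can be reproduced with a small script. The following is an added example, not code from the thread or from Cisco or HP: it builds the SNMP set sequence as a reviewable plan, then executes it with Net-SNMP's snmpset and a delay between the disable and the enable. The two re-auth OIDs are the ones quoted in the post; everything else is an assumption: that port disable/enable is done through IF-MIB ifAdminStatus (1.3.6.1.2.1.2.2.1.7.ifIndex, 2 = down, 1 = up), that the hpicf re-auth objects accept INTEGER 1 (true) indexed by ifIndex, and that the switch is reachable with the SNMPv3 credentials held in SNMP_ARGS. The host address, user and passwords are placeholders.

```shell
#!/bin/sh
# Added example: sequenced SNMP CoA actions for an HP ProCurve port.
# Assumptions (not from the thread): ifAdminStatus toggles the port, the hpicf
# re-auth objects take INTEGER 1, and SNMPv3 credentials below are placeholders.

SNMP_HOST="${SNMP_HOST:-192.0.2.10}"                       # assumed switch address
SNMP_ARGS="${SNMP_ARGS:--v3 -l authPriv -u iseuser -a SHA -A changeme -x AES -X changeme}"
BOUNCE_DELAY="${BOUNCE_DELAY:-1}"                          # seconds between down and up
DRY_RUN="${DRY_RUN:-0}"                                    # 1 = print commands only

IFADMIN_OID="1.3.6.1.2.1.2.2.1.7"                          # IF-MIB ifAdminStatus (assumed)
DOT1X_REAUTH_OID="1.3.6.1.4.1.11.2.14.11.5.1.25.1.2.2.1.4" # hpicfDot1xSMAuthReauthenticate
MAB_REAUTH_OID="1.3.6.1.4.1.11.2.14.11.5.1.19.2.1.1.4"     # hpicfUsrAuthPortReauthenticate

# Emit the port-bounce as three plan lines: disable, wait, enable. Keeping the
# delay explicit is the whole point; sending both sets at once makes the switch
# do nothing, as the post reports.
plan_port_bounce() {
  ifindex="$1"
  printf 'set %s.%s i 2\n' "$IFADMIN_OID" "$ifindex"
  printf 'sleep %s\n' "$BOUNCE_DELAY"
  printf 'set %s.%s i 1\n' "$IFADMIN_OID" "$ifindex"
}

# Emit a single re-auth set for either 802.1X or MAB on the given ifIndex.
plan_reauth() {
  mode="$1"; ifindex="$2"
  case "$mode" in
    dot1x) printf 'set %s.%s i 1\n' "$DOT1X_REAUTH_OID" "$ifindex" ;;
    mab)   printf 'set %s.%s i 1\n' "$MAB_REAUTH_OID" "$ifindex" ;;
    *)     echo "unknown re-auth mode: $mode" >&2; return 1 ;;
  esac
}

# Execute a plan read from stdin, one operation per line. With DRY_RUN=1 the
# snmpset command lines are echoed instead of run; the sleep still happens so
# the timing can be observed. Stops at the first failed set.
run_plan() {
  while read -r op a b c; do
    case "$op" in
      set)
        if [ "$DRY_RUN" = "1" ]; then
          echo "snmpset $SNMP_ARGS $SNMP_HOST $a $b $c"
        else
          # shellcheck disable=SC2086  # SNMP_ARGS is intentionally word-split
          snmpset $SNMP_ARGS "$SNMP_HOST" "$a" "$b" "$c" || return 1
        fi ;;
      sleep) sleep "$a" ;;
    esac
  done
}

# Usage: sh hp-snmp-coa.sh bounce <ifIndex>
#        sh hp-snmp-coa.sh reauth dot1x|mab <ifIndex>
case "$1" in
  bounce) plan_port_bounce "$2" | run_plan ;;
  reauth) plan_reauth "$2" "$3" | run_plan ;;
esac
```

Run it with DRY_RUN=1 first to see the exact snmpset lines and the pause between them; once the sequence is confirmed against the switch, the same plan/run split makes it easy to drive from a script that ISE triggers, rather than from ISE's own NAD-profile SNMP CoA, which is the part the post found unusable for a two-step bounce.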
10-23-2017 02:09 PM
The SNMP does not work as well as you would like it to; the customer ended up replacing all HP switches with Cisco due to so many issues.