ISE 2.2 Posture with HP 3500yl

jideji
Cisco Employee

Good Afternoon Folks, 


Please, has anyone been able to make ISE posture work on HP 3500yl? Looking at the below Third-Party NAD support link, I don't see HP 3500yl. I'm curious if this can work with attribute modifications. Any pointer will be greatly appreciated.


ISE Third-Party NAD Profiles and Configs

Accepted Solutions

Timothy Abbott
Cisco Employee

Jacob,

The lack of that particular device in the compatibility matrix means that our QA team has not validated interoperability.  However, that does not mean it won't work.  ISE has a couple different mechanisms to support devices that lack RADIUS CoA and URL-Redirect support.  Please look into SNMP CoA and DNS / DHCP sink holing as alternatives.  Ultimately, you will need to test it in a lab environment.

Regards,

-Tim

7 Replies

mschmitz
Cisco Employee

I don't know what the 3500yl supports and if EasyConnect and/or other options would apply here. Have to defer to Imran, Craig and others that deal more with the 3rd party integration side of ISE.

Thanks Tim.

That switch does support RADIUS CoA, so it should not require SNMP CoA config, but I don't think it has the needed URL redirect support, so it will require DNS/DHCP sinkhole (depending on feature). If you only need auth and redirect for Posture, then you could leverage the ISE 2.2 feature for Posture without URL redirection.

/Craig

Folks,

I’m having an issue with the HP 3500yl with posture. Posture seems to be working without redirect. However, I’m having an issue with CoA, either via RADIUS CoA or SNMP CoA. Below is what I’m trying to accomplish with ISE policies.

When client matches Posture equal to unknown, send VLAN 11

When client matches Posture equal to compliant, send VLAN 22

Using the above policies, when the client is unknown we see the right VLAN “11” applied on the switch. However, when the client is compliant, VLAN “22” is not applied on the switch. Reviewing the authentication log details, ISE is sending VLAN 22 but the switch doesn’t seem to apply the VLAN.

When using the RADIUS CoA option, I get “NAK session context not found”. I have verified the CoA config is on the switch.

When using the SNMP CoA option, I don’t get any error and the VLAN is not applied.

I’m using the Cisco-provided HP wired profile in ISE. I understand this wasn’t tested, but the premise here is that this should work. Any insight will be greatly appreciated.

Maybe an issue with RADIUS CoA and expectations on fields, which may require additional debug on the switch and ISE.

Similarly, for SNMP, you could run debugs and check:

https://h20566.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=50982&docLocale=en_US&docId=emr_na-c02597349

Another post related to use of HP port bounce CoA...

HP Procurve 2920 NAD Profile

For SNMP, you could also try running commands from an SNMP tool to trigger the port shutdown/up to validate functions. If you get no response to CoA, then maybe SNMP is not configured properly.

Since it is an HP switch, would it not make sense to get HP support to verify the config?

/Craig
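
Added example, not part of any reply in this thread: the “NAK session context not found” message reported above corresponds to RADIUS Error-Cause 503 (RFC 5176), which a NAS returns when the session-identifying attributes in the CoA-Request match no session it holds. The Python sketch below decodes a CoA-NAK and lists the identifiers a CoA-Request carried, so a capture taken between ISE and the switch can be compared against the switch's own session table; the sample packets, MAC address and session ID are constructed for illustration.

```python
import struct

# RFC 5176 packet codes and a subset of Error-Cause (attribute 101) values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               503: "Session Context Not Found", 506: "Resources Unavailable"}
# Subset of the attributes RFC 5176 lets a NAS use to locate the session.
SESSION_ID_ATTRS = {1: "User-Name", 5: "NAS-Port", 8: "Framed-IP-Address",
                    31: "Calling-Station-Id", 44: "Acct-Session-Id", 87: "NAS-Port-Id"}

def parse(packet):
    """Return (code name, identifier, [(attribute type, value bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, "code %d" % code), ident, attrs

def error_cause(attrs):
    """Decode Error-Cause (type 101, 32-bit integer) if the reply carries one."""
    for atype, value in attrs:
        if atype == 101 and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            return number, ERROR_CAUSE.get(number, "not in this table")
    return None

def session_keys(attrs):
    """Identifiers the request carried, which the NAS must match to a session."""
    return {SESSION_ID_ATTRS[t]: v for t, v in attrs if t in SESSION_ID_ATTRS}

def build(code, ident, attrs):
    """Encode a sample packet; the zeroed authenticator is a placeholder only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples (MAC address, session ID and identifier are made up).
COA_REQUEST = build(43, 7, [(31, b"00-11-22-33-44-55"), (44, b"0000002A")])
COA_NAK = build(45, 7, [(101, struct.pack("!I", 503))])
```

Feeding the UDP payloads from a real capture to `parse()` shows which identifiers ISE actually sent, for example the exact Calling-Station-Id format, which can then be checked against how the switch records the session.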