06-21-2018 07:33 AM
Hi All,
Configuring MAB for the IP phone was successful and I can get the IP phones into the right voice VLAN using the authz profile.
Now what happens is that, when I connect a computer behind the IP phone,
Authentication is successful
Goes for compliance check
Comes out of compliant
But, when I check the ISE live logs, it still shows:
ConfigVersionId | 7199 |
Device CoA type | RFC 5176 |
Device CoA port | 3799 |
NetworkDeviceProfileId | 26b0501b-9e48-48c7-b8c4-99a0e791bcca |
IsThirdPartyDeviceFlow | true |
HP-Port-Bounce-Host | 12 |
AcsSessionID | 58d8f8f8-04f7-451b-bc21-3d36b63adfe2 |
CoASourceComponent | Posture |
CoAReason | posture status changed |
CoAType | Reauthentication |
Network Device Profile | HPWired_CoA_Bounce_H3C |
Software Version | Unknown |
Location | Location#All Locations |
Device Type | Device Type#All Device Types |
Device IP Address | 10.226.232.23 |
But the computer shows that it has limited connectivity.
If I connect the computer directly to the switch port, computer goes to compliant state and access is granted as per the policy.
I am using the following:
ISE ver 2.3.0.298 patch 3
Switch Hp H3C Comware 7
Port config:
interface GigabitEthernet1/0/5
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 230 untagged
 port hybrid pvid vlan 230
 voice-vlan 260 enable
 mac-vlan enable
 undo stp enable
 stp edged-port
 undo lldp enable
 port bridge enable
 poe enable
 undo dot1x handshake
 dot1x handshake reply enable
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 dot1x re-authenticate server-unreachable keep-online
 mac-authentication re-authenticate server-unreachable keep-online
 mac-authentication host-mode multi-vlan
 mac-authentication parallel-with-dot1x
 port-security port-mode userlogin-secure-or-mac-ext
Is there something that I am missing here?
Any ideas?
Thank you,
Dinesh
06-21-2018 09:46 AM
If bouncing the port as part of the 3rd-party CoA, you could be bouncing the phone connection, which will cause the PC to lose link.
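To check a live-log entry and the port config against that point, here is an added triage helper (not code from this thread or from ISE): it parses the pipe-separated ISE attribute lines and the Comware interface config quoted above, and flags a third-party CoA that bounces or reauthenticates a port carrying both a phone and a PC. The sample data is constructed from the post; treating a profile named "Bounce" or the HP-Port-Bounce-Host attribute as a port-bounce CoA is an assumption.

```python
import re

# Constructed sample: a subset of the ISE live-log attributes quoted in the post.
LIVE_LOG = """\
Device CoA type | RFC 5176 |
IsThirdPartyDeviceFlow | true |
HP-Port-Bounce-Host | 12 |
CoASourceComponent | Posture |
CoAReason | posture status changed |
CoAType | Reauthentication |
Network Device Profile | HPWired_CoA_Bounce_H3C |
"""

# Constructed sample: the lines of the Comware port config that matter here.
PORT_CONFIG = """\
interface GigabitEthernet1/0/5
 port link-type hybrid
 voice-vlan 260 enable
 mac-authentication host-mode multi-vlan
 mac-authentication parallel-with-dot1x
"""

def parse_live_log(text):
    """Turn 'Key | Value |' lines into a dict of stripped keys and values."""
    attrs = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) >= 2 and parts[0]:
            attrs[parts[0]] = parts[1]
    return attrs

def parse_port_config(text):
    """Collect the flags relevant to a PC-behind-phone port from Comware config."""
    lines = [l.strip() for l in text.splitlines()]
    return {
        "voice_vlan": any(re.match(r"voice-vlan \d+ enable", l) for l in lines),
        "multi_host": any("host-mode multi" in l for l in lines),
    }

def triage(log_text, cfg_text):
    """Return (attributes, port flags, list of findings) for one CoA event."""
    attrs, port, findings = parse_live_log(log_text), parse_port_config(cfg_text), []
    third_party = attrs.get("IsThirdPartyDeviceFlow", "").lower() == "true"
    # Assumption: a *Bounce* profile or HP-Port-Bounce-Host means the CoA bounces the port.
    bounce = "Bounce" in attrs.get("Network Device Profile", "") or "HP-Port-Bounce-Host" in attrs
    if third_party and bounce and port["voice_vlan"]:
        findings.append("port-bounce CoA on a voice-VLAN port: a PC behind the phone loses link")
    if attrs.get("CoAType") == "Reauthentication" and port["multi_host"]:
        findings.append("reauth CoA on a multi-host port: confirm the PC's session, not only the phone's, was reauthenticated")
    return attrs, port, findings
```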
06-21-2018 11:25 PM
In this case, the phone stays connected.
It is the computer that stays in limited connectivity; it is as if the switch received the bounce or re-auth, but since there are two domains, it does not know whom to send the re-auth to?
Is that something observed before?
06-22-2018 01:22 PM
You cannot truly bounce the port and have the phone stay connected without a reconnect.
06-25-2018 12:27 AM
Is there something missing from the configuration then?
Since I can see that the computer gets compliant, but then stays in limited connectivity.
Also, I can see that ISE shows it as compliant, but nothing happens at the computer's end...
But, if I connect the same machine directly to the switch port, all works fine: the computer gets compliant and gets full access as per the authz.
07-02-2018 05:21 AM
Hi,
It seems there is no session stitching post CoA.
Can you please attach the live logs page ( including the steps section)?
08-10-2018 12:13 AM
It turned out that the issue was the policy itself.
Since NAM is being used to perform EAP chaining, the user and machine authentication were happening, but the policy had been disabled during some troubleshooting session.
This caused all the endpoints to go to MAB and fail, as they were not IP phones (as configured in the authorization policy).
I rectified the issue, and since then we have been able to run authentication and posture just fine on the HP switch.
Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.
We have requested another switch of the same model, so that we are sure about the testing that we conducted earlier.
This case is deemed closed now!