  • 1.  COA on comware7

    Posted Jul 08, 2019 06:36 AM

    Hello. I have a Comware switch which is added to ClearPass, with the vendor name selected as HPE.

    The endpoints are a VoIP phone and a laptop. I am using profiling with Aruba Terminate Session as the action for CoA.

    Basically I want to assign different VLANs to the VoIP phone and laptop after they are profiled, but CoA seems to be having an issue.

    Somehow it is not working, and the endpoints are able to see the User Authenticated role, but ClearPass is showing this alert:

    Policy server Failed to get value for attributes=[Category]



  • 2.  RE: COA on comware7

    Posted Jul 08, 2019 08:00 AM

    On ClearPass 6.6 and below you can use Cisco as Vendor.

    On ClearPass 6.7 and later, you can use H3C, as Comware is just re-branded H3C.

    Also, make sure you have the radius dynamic-author server configured in the switch.



  • 3.  RE: COA on comware7

    Posted Jul 08, 2019 08:44 AM

    Thanks Fabian

    The CPPM version is 6.7.7, so I changed it to H3C, and the CoA action is H3C terminate.

    Still the same message in the Alerts column:

    Policy server Failed to get value for attributes=[Category]

    If I manually do the shut and undo shut on the Comware switch, then profiling happens.

    But the ultimate goal is for ClearPass to send the CoA.

    The switch version is:

    HPE Comware Software, Version 7.1.045, Release 3111P02
    Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP
    HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch uptime is 4 weeks, 2 days, 5 hours, 5 minutes
    Last reboot reason : USER reboot

    Boot image: flash:/5130ei-cmw710-boot-r3111p02.bin
    Boot image version: 7.1.045, Release 3111P02
    Compiled Dec 21 2015 16:00:00
    System image: flash:/5130ei-cmw710-system-r3111p02.bin
    System image version: 7.1.045, Release 3111P02
    Compiled Dec 21 2015 16:00:00


    And the radius dynamic-author command is configured:


    radius dynamic-author server
    client ip 10.130.27.28 key cipher XXXXXXXX
    client ip 10.130.8.45 key cipher XXXXXXXXX



  • 4.  RE: COA on comware7

    Posted Jul 08, 2019 09:04 AM

    Also, if I try to manually do a port bounce, it says the below:


    Radius [H3C - Bounce Switch Port] failed for client 705a0f8c2ddc. Resources-Unavailable.
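
Added example (not part of the original thread and not ClearPass or Comware code): a Python decoder for a captured Disconnect/CoA reply per RFC 5176 that extracts the Error-Cause attribute and verifies the Response Authenticator against the shared key set under `radius dynamic-author server`. It assumes the "Resources-Unavailable" text above corresponds to RFC 5176 Error-Cause 506; the sample packet, secret, and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and Error-Cause (attribute type 101) values
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
               403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
               405: "Unsupported-Service", 407: "Invalid-Attribute-Value",
               501: "Administratively-Prohibited", 503: "Session-Context-Not-Found",
               504: "Session-Context-Not-Removable", 506: "Resources-Unavailable"}

def parse_reply(pkt: bytes) -> dict:
    """Decode a Disconnect/CoA reply header and its Error-Cause, if present."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    cause, pos = None, 20
    while pos + 2 <= length:                      # walk the TLV attributes
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == 101 and alen == 6:            # Error-Cause: 4-byte integer
            cause = struct.unpack("!I", pkt[pos + 2:pos + 6])[0]
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident,
            "error_cause": ERROR_CAUSE.get(cause, cause)}

def reply_authenticator_ok(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def build_sample_nak(request_auth: bytes, secret: bytes) -> bytes:
    """Constructed CoA-NAK carrying Error-Cause 506, for offline testing only."""
    attrs = struct.pack("!BBI", 101, 6, 506)
    head = struct.pack("!BBH", 45, 7, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs
```

A reply that parses but fails `reply_authenticator_ok` points at a shared-key mismatch between the two sides rather than at the Error-Cause itself.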



  • 5.  RE: COA on comware7

    Posted Jul 09, 2019 03:06 AM

    The message "Policy server Failed to get value for attributes=[Category]" in the Alerts is probably harmless. This happens if you have profiling rules that use the Endpoint database device category, but there is no profiling information available (yet) for the authenticating endpoint.


    Did you follow the ClearPass wired enforcement solution guide? Another resource could be the presentation that is attached to this Airheads post.



  • 6.  RE: COA on comware7

    Posted Jul 09, 2019 03:15 AM
    Hi Herman,

    Thanks for the info. The problem is CoA is not working. ClearPass is sending port bounce or session reinitiate.


  • 7.  RE: COA on comware7

    Posted Jul 09, 2019 05:51 AM

    That is why I posted the links to guides that explain how to set it up. If CoA is not working, it is an issue on the switch side configuration most of the time. It may be a good point to involve Aruba TAC as there probably is one little setting wrong in your setup.