  • 1.  Identifying switch OS type for posture CoA

    Posted Dec 16, 2025 04:32 AM

    Hi,

    Been working on implementing a basic posture check-in service (CPPM 6.12.x) and so far it looks promising. My posture check web service currently sends a RADIUS CoA back to the appropriate switch to ensure the client has the appropriate enforcement policy applied to it. Problem is, at the moment I'm using a CX switch, but the client device could be on an os-s, cx switch or mobility controller.

    I need to find a way of identifying the NAD type to send back the correct CoA RADIUS attributes.

    Looking in the posture service, there isn't anything in there to identify NAD type. Was thinking of a post-auth endpoints string attribute (ArunaOSIs, with values of os-s, CX, wifi) and then applying that during an enforcement policy implementation. Subsequent posture checks will then use the attribute to apply the correct CoA.

    Unless someone can think of a better way?

    A



    -------------------------------------------


  • 2.  RE: Identifying switch OS type for posture CoA

    Posted Dec 16, 2025 07:43 AM

    I think you can add one CoA/DynAuthZ profile per vendor/dictionary to your Web Authentication. ClearPass will then look up the active session, find the applicable Network Device, and return the CoA that's compatible with the Vendor Name/Dictionary configured there. Not fully sure what happens if you have CX and Aruba WLAN which both have Vendor Aruba... but may work as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Identifying switch OS type for posture CoA

    Posted Dec 16, 2025 09:35 AM

    This seems to work as an enforcement, but I'll have a play.
    A



    Screenshot 2025-12-16 at 14.32.49.png






  • 4.  RE: Identifying switch OS type for posture CoA

    Posted Dec 17, 2025 11:24 AM

    Alternatively, you can bounce the port using the agent, in which case the client would set its link to down and up.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Identifying switch OS type for posture CoA

    Posted Dec 18, 2025 05:07 AM
    Cool!
    I’ll give that a try.
    Guess I need to find any other OnGuard-specific attributes.

    Many thanks
    A