
Re: IDM - daily statistics cleanup policy

 
Santi Thawornwiphat
New Member

IDM - daily statistics cleanup policy

Hi,

I have implemented IDM with IAS in an AD environment for MAC authentication. All works fine for each of the devices, except for some SONY NSP1 signages. These devices get authenticated all right, but if they get moved from one aaa-configured port to another aaa-configured port they do not get authenticated unless they are rebooted. I have identified that this is because no traffic is being generated by these devices, and hence the switch port loses the device's MAC address and cannot pass on the credentials to the IAS for authentication. I have tried heaps of scripts to generate traffic from these dumb devices but it does not help.

I have noticed that every midnight, when the daily statistics cleanup event is recorded in the IDM events screen, all of these unauthenticated signages get authenticated! Does anyone know how to customise this statistics cleanup policy to make it run every hour or on demand? Please note that this is different to the sessions cleanup under IDM policy manager.

Any help would be greatly appreciated.
1 REPLY
Matt Hobbs
Honored Contributor

Re: IDM - daily statistics cleanup policy

You can reset the statistics manually under Preferences, IDM 'reset accounting statistics'.

Do you have RADIUS accounting for network enabled on your switches? I'd recommend enabling it if you do not.

There should be a Policy in PCM that is running the statistics cleanup every day at midnight; you should be able to edit this to run it hourly.

I'm also wondering if this may help:

Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves]
Allows client moves between the specified ports under
MAC Auth control. When enabled, the switch allows
addresses to move without requiring a re-authentication.
When disabled, the switch does not allow moves
and when one does occur, the user will be forced to reauthenticate.
At least two ports (from port(s) and to
port(s)) must be specified. Use the no form of the
command to disable MAC address moves between ports
under MAC Auth control.
(Default: disabled - no moves allowed)

Also controlled-directions may be something to look into:


Syntax: aaa port-access controlled-directions
After you enable MAC-based authentication on specified
ports, you can use the aaa port-access controlled-directions
command to configure how a port transmits traffic
before it successfully authenticates a client and enters
the authenticated state.
both (default): Incoming and outgoing traffic is blocked
on a port configured for MAC authentication before
authentication occurs.
in: Incoming traffic is blocked on a port configured for
MAC authentication before authentication occurs. Outgoing
traffic with unknown destination addresses is
flooded on unauthenticated ports configured for web
authentication.