Aruba VIA integrated CPPM Onguard agent fails to do a successful Radius CoA / [Aruba Terminate Session] to the VIA VPN

Aruba Employee
Aruba Employee

Question : We have a working VIA configuration that currently changes user roles based on the credentials that it is passed from Clearpass – all as expected.

We are currently in the process right now of integrating OnGuard into this mix in order to integrate the user's Posture status into the VIA VPN. Clearpass was not able to do a successful Radius CoA / [Aruba Terminate Session] to the VIA VPN after integration.

I know that the RFC3576 server is working as I have OnGuard working and doing posture assessments and CoAs against the wireless network on the same controller that terminates the VIA VPN.


Environment Information : This article strictly applies to CPPM 6.2 and Aruba AOS and greater.




Below is the message which we would see when trying to test COA from Access Tracker.



Cause : RADIUS CoA to change the user role of the VIA client after the health check with the AOS version


Resolution :


Only from the Aruba OS version in Early Availability), we have option to map RFC 3576 server under the
Configuration-> Authentication-> L3 Authentication-> VIA Authentication -> Select the Authentication Profile and map CPPM as RFC 3576 server.


And on the ClearPass Server, we would edit the Enforcement Profile as shown below.

Please navigate to "Configuration » Enforcement » Policies" and edit the Enforcement policy which is mapped to our Posture service


Where "Aruba VPN Healthy Role" has the below configuration.


Ideally each of the above Actions in the Policy has two conditions mapped to it.

1: Posture status
2: User Role

Version history
Revision #:
2 of 2
Last update:
‎09-07-2014 10:56 AM
Updated by:
Labels (1)

Images are not loading. Images URLs require login to

Would you please make this available on Arubapedia or as PDF?




 Hello rajo7, thank you for pointing this out--will look into this asap.


 Julia Ostrowski

Aruba Networks, Customer Advocacy

Hi rajo7, can you please refresh and verify you can see the images?  I believe I've sorted out the issue with the images.


Thank you!


 Julia Ostrowski

Aruba Networks, Customer Advocacy


Hi, images are fine now. Thank you!


I tried it but CoA is still not working, can you please give me the details of the enforcement policy used in the health check service?



CPPM 6.4 



Hi rajo7,


When you create the Enforcement profile, please select the template as "Radius Change of Authorization(CoA)".




Under the Attributes tab, Select RADIUS CoA Templeate as "Aruba-Change-VPN-User-Role" and set the Filter-Id to whatever the user role that you want to assign after the health check.


coa 4.png


Note: The above enforcement profile should be applied in the WEBAUTH service.




Search Airheads
Showing results for 
Search instead for 
Did you mean: