Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco WLC terminate session CoA

  • 1.  Cisco WLC terminate session CoA

    Posted Mar 10, 2014 02:20 PM

    Hi,

    I am configuring CPPM, and for the 802.1X SSID I have to allow only one session per user at a time. For that I am using the post-auth check on the number of active sessions, and based on that I want to send a Disconnect. On Access Tracker, under the RADIUS CoA tab, I see: Disconnect, Terminate Session CoA failed for device aa:bb:cc:11:22:33

    CoA is enabled on the WLC, Insight is enabled, and I am able to do VLAN derivation, ACLs for users, etc. as authorization types.

    Anything I am missing?



  • 2.  RE: Cisco WLC terminate session CoA

    EMPLOYEE
    Posted Mar 10, 2014 02:23 PM

    If you do a manual CoA through access tracker, does it successfully disconnect?



  • 3.  RE: Cisco WLC terminate session CoA

    Posted Mar 10, 2014 02:28 PM

    Oops, I missed that... haven't checked it. Is it the Change Status button?

    Any idea what command on the Cisco WLC will let me know if it's receiving the attributes sent by CPPM?



  • 4.  RE: Cisco WLC terminate session CoA

    EMPLOYEE
    Posted Mar 10, 2014 02:36 PM

    Yes, try the Change Status button and choose Cisco - Terminate Session.

    To debug RADIUS on the Cisco controller, use the debug aaa events enable command.



  • 5.  RE: Cisco WLC terminate session CoA

    Posted Mar 11, 2014 09:01 AM

    Yep, tried it with the Change Status tab; it shows the same thing - failed CoA for this <mac address> device.



  • 6.  RE: Cisco WLC terminate session CoA

    Posted Mar 11, 2014 04:03 PM

    Have you tried the debug aaa events enable as cappalli suggested to see what the controller says? Is CoA enabled on the controller and on the ClearPass network item for the controller?



  • 7.  RE: Cisco WLC terminate session CoA

    Posted Mar 11, 2014 05:27 PM
    Often the cause of CoA issues:

    - RFC 3576 not enabled on the WLC. Newer IOS versions come by default with the new RFC 5176, which Aruba doesn't support. You can still force the Cisco WLC to use RFC 3576 though.
    - UDP 3799 FROM ClearPass to the WLC is not allowed in the firewall/access lists. Often it's opened the wrong way.
    - The WLC is configured with the wrong RADIUS client IP. Verify this on Access Tracker - Input. Check that NAS-IP-Address is the same as Connection:NAD-IP-Address found under Computed Attributes.


  • 8.  RE: Cisco WLC terminate session CoA

    Posted Mar 12, 2014 06:16 AM

    Hi,

    - RFC 3576 enabled

    - No firewall; UDP 3799 is not blocked

    - NAS and NAD IP details are correct.

    Do we need to add any specific attribute from the RADIUS dictionaries for Radius:Terminate Session? I am not able to see it in the dictionaries under Cisco attributes.

    (Similarly, we added the Airespace-ACL-.. attribute to enable ACL enforcement.)


    - Harshad.



  • 9.  RE: Cisco WLC terminate session CoA

    EMPLOYEE
    Posted Mar 12, 2014 01:12 PM
    Please open a TAC case in parallel.

    You shouldn't need to enable any other attributes. ClearPass has the Cisco CoA logic prepopulated.


  • 10.  RE: Cisco WLC terminate session CoA

    Posted Apr 24, 2014 09:38 AM

    Hey..

    Was this issue resolved? I am getting the same problem; tried and checked everything, doesn't seem to work at any cost :-(



  • 11.  RE: Cisco WLC terminate session CoA

    Posted Mar 10, 2014 06:08 PM

    Note that in a multi-controller environment the RADIUS client NAS IP address has often been set to the VRRP address. Make sure this is set to the various controllers' IPs. In this scenario authentication will work even if you haven't added the VRRP address as a RADIUS client, so it's a little confusing.

    This is often the case in Aruba environments, but I'm guessing the same might apply to Cisco.
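As an added example that is not from this thread or from any ClearPass or Cisco code: a Python sketch of the RFC 5176 (RFC 3576 successor) Disconnect exchange on UDP 3799 that posts 7 and 11 are troubleshooting. It builds the Disconnect-Request a server would send (NAS-IP-Address plus Calling-Station-Id) and validates the controller's Disconnect-ACK/NAK, decoding Error-Cause 403 "NAS Identification Mismatch", the cause RFC 5176 defines for a request whose NAS identification does not match the receiving NAS. The shared secret, NAS IP and MAC are constructed values; nothing is sent on the wire.

```python
import hashlib
import struct

# RADIUS codes and attribute types from RFC 5176 (the RFC 3576 successor).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_NAS_IP, ATTR_CALLING_STATION, ATTR_ERROR_CAUSE = 4, 31, 101
ERROR_CAUSE = {403: "NAS Identification Mismatch", 503: "Session Context Not Found"}

def attr(typ, value):
    return struct.pack("!BB", typ, 2 + len(value)) + value
def build_disconnect_request(secret, ident, nas_ip, mac):
    # Request Authenticator = MD5(header + 16 zero octets + attrs + secret). Built only, never sent.
    attrs = attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_CALLING_STATION, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs
def parse_attrs(data):
    # TLV walk over the attribute area; rejects lengths that overrun the packet.
    out, i = {}, 0
    while i + 2 <= len(data):
        ln = data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out[data[i]], i = data[i + 2:i + ln], i + ln
    return out
def check_response(secret, request, response):
    # Response Authenticator = MD5(header + *request* authenticator + attrs + secret),
    # so a wrong shared secret or a reply to a different identifier fails here.
    if (len(response) < 20 or response[1] != request[1]
            or struct.unpack("!H", response[2:4])[0] != len(response)):
        return ("invalid", "length/identifier mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return ("invalid", "bad Response Authenticator (shared secret mismatch?)")
    code = response[0]
    if code == DISCONNECT_ACK:
        return ("ack", "session terminated")
    if code == DISCONNECT_NAK:
        cause_raw = parse_attrs(response[20:]).get(ATTR_ERROR_CAUSE)
        cause = struct.unpack("!I", cause_raw)[0] if cause_raw else None
        return ("nak", ERROR_CAUSE.get(cause, f"Error-Cause {cause}"))
    return ("invalid", f"unexpected code {code}")
def make_reply(secret, request, code, cause=None):
    # Constructed controller reply used as a test fixture (not captured from a real WLC).
    attrs = attr(ATTR_ERROR_CAUSE, struct.pack("!I", cause)) if cause else b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs
```

A NAK with Error-Cause 403 points at the NAS-IP-Address / RADIUS client mismatch from post 7, while an authenticator failure on the reply points at a shared-secret mismatch rather than a blocked port.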