Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Cisco WLC terminate session CoA

Hi,

I am configuring CPPM, and for the 802.1X SSID I have to allow only one session per user at a time. For that I am using the post-auth check on the number of active sessions, and based on that I want to send a Disconnect. On Access Tracker, under the RADIUS CoA tab, I am seeing "Disconnect, Terminate Session CoA failed for device aa:bb:cc:11:22:33".

CoA is enabled on the WLC, Insight is enabled, and I am able to do VLAN derivation, ACLs for users and other types of authorization.

Is there anything I am missing?

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Cisco WLC terminate session CoA

If you do a manual CoA through access tracker, does it successfully disconnect?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Cisco WLC terminate session CoA

Oops, I missed that; I haven't checked it. Is it the Change Status button?

Any idea what command on the Cisco WLC will let me know if it's receiving the attributes sent by CPPM?

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Cisco WLC terminate session CoA

Yes, try the Change Status button and choose Cisco - Terminate Session.

To debug RADIUS on the Cisco controller, use the debug aaa events enable command.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 520
Registered: ‎05-11-2011

Re: Cisco WLC terminate session CoA

Note that in a multi-controller environment the RADIUS client NAS IP address has often been set to the VRRP address. Make sure this is set to the individual controller IPs. In this scenario authentication will work even if you haven't added the VRRP address as a RADIUS client, so it's a little confusing.

This is often the case in Aruba environments, but I'm guessing the same might apply to Cisco.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Cisco WLC terminate session CoA

Yep, tried it with the Change Status tab; it shows the same thing: failed CoA for this <mac address> device.
MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Cisco WLC terminate session CoA

Have you tried the debug aaa events enable as Cappalli suggested, to see what the controller says? Is CoA enabled on the controller and on the ClearPass network item for the controller?

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Cisco WLC terminate session CoA

Often the causes of CoA issues are:

- RFC 3576 not enabled on the WLC. Newer IOS versions come by default with the new RFC 5176, which Aruba doesn't support. You can still force the Cisco WLC to use RFC 3576 though.
- UDP 3799 FROM ClearPass to the WLC is not allowed in the firewall/access lists. Often it's opened the wrong way.
- The WLC is configured with the wrong RADIUS client IP. Verify this on the Access Tracker Input tab. Check that NAS-IP-Address is the same as Connection:NAD-IP-Address found under Computed Attributes.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
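To make the checklist above concrete, here is an added example (not code from the thread, ClearPass or Cisco) that walks one RFC 3576/5176 Disconnect exchange on the wire: the server side builds a Disconnect-Request (code 40) with the Request Authenticator the RFC prescribes, the NAS side validates it against the shared secret and answers with a Disconnect-ACK (41) or a Disconnect-NAK (42) carrying an Error-Cause, and the server verifies the Response Authenticator before trusting the answer. It also pulls the NAS-IP-Address attribute out of a packet so it can be compared with the NAD entry, which is the third bullet's check. The shared secret, controller address and user name are constructed sample values; the MAC is the one quoted in the thread.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute types used by Dynamic Authorization (RFC 3576 / RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 1, 4, 31, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503    # RFC 5176 section 3.5
COA_PORT = 3799                          # UDP, server -> NAS, as noted in the thread

SECRET = b"constructed-shared-secret"    # constructed sample, not a real secret
WLC_IP = "192.0.2.10"                    # constructed NAS (controller) address
CLIENT_MAC = "aa:bb:cc:11:22:33"         # MAC quoted in the thread


def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_disconnect_request(secret, ident, attrs):
    """Server side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(secret, packet):
    """NAS side: recompute the Request Authenticator before acting on a Disconnect-Request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """Server side: return the response code if ID and authenticator check out, else None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def nas_ip_in(packet):
    """Dotted NAS-IP-Address carried in a packet, or None; compare it with the NAD entry."""
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_NAS_IP_ADDRESS and len(v) == 4:
            return socket.inet_ntoa(v)
    return None


def demo():
    """Walk one Disconnect exchange in both directions; returns a dict of check results."""
    attrs = [
        (ATTR_USER_NAME, b"harshad"),
        (ATTR_CALLING_STATION_ID, CLIENT_MAC.encode()),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(WLC_IP)),
    ]
    req = build_disconnect_request(SECRET, 7, attrs)
    ack = build_response(SECRET, req, DISCONNECT_ACK)
    nak = build_response(SECRET, req, DISCONNECT_NAK,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))])
    nak_cause = dict(decode_attrs(nak[20:]))[ATTR_ERROR_CAUSE]
    return {
        "request_ok": verify_request(SECRET, req),
        # A request signed with a mismatched secret (wrong NAD entry) is silently dropped by a NAS.
        "wrong_secret_ok": verify_request(b"other-secret", req),
        "ack_code": verify_response(SECRET, req, ack),
        "nak_code": verify_response(SECRET, req, nak),
        "nak_cause": struct.unpack("!I", nak_cause)[0],
        "nas_ip": nas_ip_in(req),
    }
```

Two design points follow from the checklist. A NAS that drops a request because the secret or client IP does not match sends nothing back, so the server only ever sees a timeout (which is what "CoA failed" usually looks like), whereas a NAS that received the request but has no matching session answers with a NAK whose Error-Cause 503 (Session Context Not Found) says so. Capturing UDP 3799 on the controller side, or watching the debug output the thread mentions, distinguishes the two cases.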
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Cisco WLC terminate session CoA

Hi,

- RFC 3576 enabled
- No firewall; UDP 3799 is not blocked
- NAS and NAD IP details are correct.

Do we need to add any specific attribute from the RADIUS dictionaries for Radius:Terminate Session? I am not able to see it in the dictionaries under Cisco attributes.

(In a similar way we added the Airespace-ACL-.. attribute to enable ACL enforcement.)

- Harshad.

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Cisco WLC terminate session CoA

Please open a TAC case in parallel.

You shouldn't need to enable any other attributes. ClearPass has the Cisco CoA logic prepopulated.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480