Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

ClearPass Guest and disabled account

Hi, 

I need to do a simple configuration: when an account is disabled, the user should be logged off. It looks like the Controller does not generate any Accounting when CP authentication is in place. CoA messages are ignored by the MC, because the user is still authenticated when there is a CoA message related to his session in Access Tracker. Can anyone help, or should I open a ticket now?

Regards, 

 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
Something cool, helpful or interesting in my post - click the Kudos Star.
Helped to solve your problem - Click Accept as Solution
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: ClearPass Guest and disabled account

In the Device config, do you have CoA enabled?

2014-03-05 20_00_52-ClearPass Policy Manager - Aruba Networks.png

 

 

Enabled RADIUS accounting under the AAA and RFC 3576 for CoA

2014-03-05 20_02_22-Authentication Profiles.png
2014-03-05 20_02_36-Authentication Profiles.png

 

And enable this in ClearPass Guest

2014-03-05 20_06_03-Configure Guest Manager.png

 

2014-03-05 20_06_23-Authentication.png

 

If there's a firewall in between, make sure these are not blocking any of these ports or any ACLs attached to the controller interfaces.

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: ClearPass Guest and disabled account

Hi Victor, 

I've found a misconfiguration in my AAA profile that causes the lack of accounting, and fixed it. CPPM sends CoA messages, but something is wrong with them. On the controller I have the following in the log:

 

(Aruba3200) #show log user-debug 10

Mar 6 02:02:43 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm
Mar 6 02:07:45 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm
Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:253] IP:172.27.0.2, Name:53312948 does not have VIA profile
Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:645] IP:0.0.0.0, Name:(null) sessid=<>, sta_id=44D8846308E7, reqcode=40, rspcode=42,  nack=1, error_cause=administratively prohibited
Mar 6 02:12:47 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm

 Any idea? 

Thanks. 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: ClearPass Guest and disabled account

Take a look at Victor's screenshots. That error usually means the RFC 3675 server is not specified in the AAA profile.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
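
Added example (not part of any post in this thread, and not Aruba's code): a small Python parser for the `rc_rfc3576.c` result line in the controller log quoted above. It decodes the request and response codes using the RADIUS dynamic-authorization packet codes and lists the requests the controller rejected. The function names and the `HINTS` table are assumptions made for this illustration.

```python
import re

# RADIUS dynamic-authorization packet codes (RFC 3576, later RFC 5176).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}

# Hint taken from the reply in this thread, not from vendor documentation.
HINTS = {"administratively prohibited":
         "check that the RFC 3576 server is specified in the AAA profile"}

# Matches the rc_rfc3576.c result line in the format quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s.*\[rc_rfc3576\.c:\d+\].*?"
    r"sta_id=(?P<sta>[0-9A-Fa-f]{12}),\s*reqcode=(?P<req>\d+),\s*"
    r"rspcode=(?P<rsp>\d+),\s*nack=(?P<nack>\d),\s*error_cause=(?P<cause>.+?)\s*$")

def parse_rfc3576(lines):
    """Return one dict per RFC 3576 request/response line; skip everything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # accounting records and other authmgr messages
        sta = m["sta"].lower()
        events.append({
            "time": m["ts"],
            "mac": ":".join(sta[i:i + 2] for i in range(0, 12, 2)),
            "request": CODES.get(int(m["req"]), "code " + m["req"]),
            "response": CODES.get(int(m["rsp"]), "code " + m["rsp"]),
            "rejected": m["nack"] == "1",
            "error_cause": m["cause"],
            "hint": HINTS.get(m["cause"].lower(), ""),
        })
    return events

def rejected_requests(lines):
    """Only the requests the controller answered with a NAK."""
    return [e for e in parse_rfc3576(lines) if e["rejected"]]

# Sample input: three lines copied from the controller log quoted above.
SAMPLE = [
    "Mar 6 02:07:45 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm",
    "Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:253] IP:172.27.0.2, Name:53312948 does not have VIA profile",
    "Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:645] IP:0.0.0.0, Name:(null) sessid=<>, sta_id=44D8846308E7, reqcode=40, rspcode=42,  nack=1, error_cause=administratively prohibited",
]

if __name__ == "__main__":
    for e in rejected_requests(SAMPLE):
        print("{time} {mac}: {request} -> {response} ({error_cause}); {hint}".format(**e))
```

On the quoted log this reports one rejected Disconnect-Request for the client's MAC, answered with a Disconnect-NAK.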
Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: ClearPass Guest and disabled account

Thanks a lot. That was the case. It is now 3 o'clock in the morning and I am a little bit tired ;)

 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356