Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest and disabled account

  • 1.  ClearPass Guest and disabled account

    Posted Mar 05, 2014 07:19 PM

    Hi, 

    I need to do a simple configuration: when an account is disabled, the user should be logged off. It looks like the controller does not generate any accounting when CP authentication is in place. CoA messages are ignored by the MC, because the user is still authenticated when there is a CoA message related to his session in Access Tracker. Can anyone help, or should I open a ticket now?

    Regards, 

     



  • 2.  RE: ClearPass Guest and disabled account
    Best Answer

    Posted Mar 05, 2014 08:05 PM

    In the Device config, do you have CoA enabled?

    2014-03-05 20_00_52-ClearPass Policy Manager - Aruba Networks.png

     

     

    Enable RADIUS accounting under the AAA and RFC 3576 for CoA

    2014-03-05 20_02_22-Authentication Profiles.png
    2014-03-05 20_02_36-Authentication Profiles.png

     

    And enable this in ClearPass Guest

    2014-03-05 20_06_03-Configure Guest Manager.png

     

    2014-03-05 20_06_23-Authentication.png

     

    If there's a firewall in between, make sure it is not blocking any of these ports, and that no ACLs attached to the controller interfaces are blocking them either.

     



  • 3.  RE: ClearPass Guest and disabled account

    Posted Mar 05, 2014 08:17 PM

    Hi Victor, 

    I've found a misconfiguration in my AAA profile that caused the lack of accounting and fixed it. CPPM sends CoA messages but something is wrong with them. On the controller I have the following in the log:

     

    (Aruba3200) #show log user-debug 10
    
    Mar 6 02:02:43 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm
    Mar 6 02:07:45 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm
    Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:253] IP:172.27.0.2, Name:53312948 does not have VIA profile
    Mar 6 02:08:49 :520001:  <DBUG> |authmgr|  [rc_rfc3576.c:645] IP:0.0.0.0, Name:(null) sessid=<>, sta_id=44D8846308E7, reqcode=40, rspcode=42,  nack=1, error_cause=administratively prohibited
    Mar 6 02:12:47 :522038:  <INFO> |authmgr|  username=53312948 MAC=44:d8:84:63:08:e7 IP=172.27.0.2 Authentication result=Authentication Successful method=radius-accounting server=cppm

     Any idea? 

    Thanks. 



  • 4.  RE: ClearPass Guest and disabled account
    Best Answer

    EMPLOYEE
    Posted Mar 05, 2014 08:43 PM

    Take a look at Victor's screenshots. That error usually means the RFC 3675 server is not specified in the AAA profile.



  • 5.  RE: ClearPass Guest and disabled account

    Posted Mar 05, 2014 09:00 PM

    Thanks a lot. That was the case. It is now 3 o'clock in the morning and I am a little bit tired ;)