Frequent Contributor II

Clearpass Change Status on access tracker issue?

I have 4 controllers set up, 2x Master in VRRP and 2 Locals, integrated with ClearPass. Now the issue is I cannot disconnect users using the ClearPass Access Tracker disconnect or from the active session on Guest; it gives an error. I have configured all CoA settings on both ClearPass and the controller, and all shared secrets are right, but I still have this issue. When I typed show aaa rfc on the controller, it hits one of the servers, and under the bad auth tab I can see hits and on pkt dropped I can see hits, but on disconnect it is 0. So what is causing this?

Re: Clearpass Change Status on access tracker issue?

What IP address do you have defined in your CoA for ClearPass on the controller side?

What IP address do you have defined in ClearPass for the controllers?

How's the controller sending that request: using the VRRP IP or the controller IP address?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Clearpass Change Status on access tracker issue?

What IP address do you have defined in your CoA for ClearPass on the controller side? The IP address I added in RFC 3576 on the controller is the ClearPass with the shared secret.

What IP address do you have defined in ClearPass for the controllers? I added the controller in Devices and enabled CoA.

How's the controller sending that request: using the VRRP IP or the controller IP address? I don't know, but when I ran the command show aaa RFC statistics on the local controller where the user exists, it shows some hits under the column named bad.

Guru Elite

Re: Clearpass Change Status on access tracker issue?

Add each controller along with the VIP to ClearPass as a network device.
Be sure each ClearPass server is configured as an RFC 3576 server on the controllers.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Clearpass Change Status on access tracker issue?

Dear Cappalli, that is exactly what is ongoing now, and I'm facing the situation and don't know why. Is there any special configuration?

Frequent Contributor II

Re: Clearpass Change Status on access tracker issue?

The show aaa rfc stat command shows hits on bad auth and pkts dropped.

 


Re: Clearpass Change Status on access tracker issue?

Like Tim mentioned, you need to do the following:

 

Controller:

(MASTER-CONTROLLER) #show aaa rfc-3576-server

RFC 3576 Server List
--------------------
Name      References  Profile Status
----      ----------  --------------
CPPM-1
CPPM-2
CPPM-VIP

ClearPass:

Configuration » Network » Devices

Add Controller-1 Mgmt IP

Add Controller-2 Mgmt IP

Add Controllers-VRRP-VIP

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba Employee

Re: Clearpass Change Status on access tracker issue?

Do you see any error message in the Clearpass access tracker or under the Radius CoA tab?

Re: Clearpass Change Status on access tracker issue?

Go to CPPM => Administration => Server Manager => Server Configuration.

Select the server from which you are sending the CoA and click "Collect Logs" at the bottom.

This will open a new window in which you have an option called: Capture network packets, Duration of dump.

You can leave it at 60 sec. Tick only this option and start it; meanwhile go to the Access Tracker and send a CoA to your device's MAC.

Now click Finish and download the logs. Within this archive you will find a packetdump.cap file, and you need to open it with Wireshark.

In Wireshark enter the following filter: udp.port==3799

We are interested in the controller response, so you need to add a filter for the source IP: ip.src==YourControllerIPAddress

Resulting in: udp.port==3799 && ip.src==YourControllerIPAddress

What response are you getting from the controller?


ACMP, ACCP, BCNE
Frequent Contributor II

Re: Clearpass Change Status on access tracker issue?

Dears, I have done all of this: on the controller I added all CPPMs and also their VIP under RADIUS and RFC, and on ClearPass I have added all controllers and the VRRP as well. I checked the Authentication Advanced tab on each controller and found that the IP that exists is the VRRP IP. Now the error message shown in Access Tracker is

Session-Context-Not-Found
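
An added example, not part of any post in this thread and not Aruba code: a Python sketch for reading the UDP 3799 payloads from the capture described above. It checks a packet's authenticator against a shared secret (the RFC 5176 check a receiver performs) and decodes the Error-Cause in a NAK, where 503 is Session Context Not Found. The secret, MAC and packets are constructed sample data, and `build` exists only to create them.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               503: "Session Context Not Found", 504: "Session Context Not Removable"}

def sign(head, seed, body, secret):
    """MD5(Code+ID+Length + 16-octet seed + attributes + shared secret)."""
    return hashlib.md5(head + seed + body + secret).digest()

def build(code, ident, attrs, secret, seed=bytes(16)):
    """Make a signed sample packet; used here only to construct test data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + sign(head, seed, body, secret) + body

def authenticator_ok(packet, secret, request_auth=None):
    """Requests are seeded with 16 zero octets, replies with the request's authenticator."""
    length = struct.unpack("!H", packet[2:4])[0]
    seed = bytes(16) if request_auth is None else request_auth
    expected = sign(packet[:4], seed, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

def describe(packet):
    """Name the packet code and decode any Error-Cause (attribute 101)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    text, pos = CODES.get(code, f"code {code}"), 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == 101 and a_len == 6:
            cause = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            text += f", Error-Cause {cause} ({ERROR_CAUSE.get(cause, 'other')})"
        pos += a_len
    return text

# Constructed sample exchange (not taken from the thread's capture).
SECRET = b"constructed-secret"
REQUEST = build(40, 7, [(31, b"AABBCCDDEEFF")], SECRET)  # 31 = Calling-Station-Id
REPLY = build(42, 7, [(101, struct.pack("!I", 503))], SECRET, REQUEST[4:20])
```

A request that fails `authenticator_ok` with the secret you believe is configured points at a secret or source-address mismatch, while a valid exchange ending in a NAK with Error-Cause 503 means the receiver could not match the session identifiers in the request.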

 
