Regular Contributor I

Clearpass CoA Problem

Guys, there have been plenty of posts about this. I have issues where I cannot make a CoA from CPPM to a controller, just to disconnect.

This is for guests at present, using MAC auth.

I have:

  • Made sure my RFC 3576 servers are defined with the correct PSKs
  • Associated my RFC 3576 servers with the right AAA profile
  • Tried to make sure the RADIUS client (Aruba MC) is calling in on the right IP addresses (reference NAS IP addresses)
  • Checked with an AAA debug, just to make sure that my AAA server configuration is correct
  • Made sure routing is OK between devices
  • Checked the MAC addresses are correct on CPPM and the controller
  • Clicked on a record under Access Tracker, then RADIUS CoA, then Change Status, then [Aruba Terminate Session]
  • Even copied the [Aruba Terminate Session] enforcement profile and modified the copy

I cannot understand what is failing here. If the packet contents need to contain the MAC address, the RADIUS PSK is correct (as far as I can tell, as I do not know the debug for this), and the routing is also good, surely everything is in place to relay the relevant data between the devices for it to act on this disconnect?

Messages:

"Failed to contact Access Control Service"

At a loss.... any help gratefully received... failing that, it'll be a TAC.

Thanks in advance, everyone.

Regular Contributor I

Re: Clearpass CoA Problem

Oh yeah, no firewalls or ACLs in between either.

Aruba

Re: Clearpass CoA Problem

A couple of things:

1. Check the application log on the CPGuest side to see if there are any errors.

2. I've seen issues if you don't have "add IP" in the redirect.

[image: ipredirect.png]

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: Clearpass CoA Problem

Maybe a packet-capture on the controller might shed some light on this issue:

Via CLI, not in configure mode:

packet-capture controlpath udp 3799
packet-capture destination local-filesystem

You can get the PCAP if you pull a logs.tar from the controller.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Regular Contributor I

Re: Clearpass CoA Problem

OK, so I did not have the "Add switch IP address in the redirection URL" option ticked; that is ticked now. I see the logic there, and I should have had that on, as I have a multi-controller environment.

However, no difference is seen. Same error on CPPM: "failed to connect to ACS device".

On the other hand, I did take a pcap (useful tip there, Arjan, thanks) and I do see the CoA packet come in, 6 in fact, with 2 reporting to be duplicates. Presumably "3 tries and you're out" kind of attempts. I see the right MAC address in the packet too, but it is represented in upper case with no delimiters between octets in the MAC address.

I did see the CoA call in with a datapath session table command before, but not to this detail. It is reassuring that the MAC is right in the packet payload as well as the source and destination.

Thank you both for your help. Is there any way to determine, out of sheer paranoia, that the PSKs in the RFC 3576 servers are OK?

I can't help thinking I have missed something basic here. I have used Amigopod before but never had this problem.

Regular Contributor I

Re: Clearpass CoA Problem

Sorry, should say "failed to contact access control service".

Re: Clearpass CoA Problem

You can see the PSKs via the CLI:

encrypt disable

show aaa rfc-3576-server 1.1.1.1

Do you have any firewall policies active on the controller that might block outgoing traffic from the controller? Either on the physical interface or using the "firewall-cp" feature (added in ArubaOS 6.3)?


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
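As an added worked example (not from this thread, and not ClearPass or ArubaOS code), here is a small Python checker that answers the PSK question above using the pcap already taken: RFC 5176 defines the Request Authenticator of a Disconnect-Request as MD5 over the packet header, 16 zero octets, the attributes and the shared secret, so recomputing it with a candidate PSK tells you whether the secret the controller holds matches the one ClearPass signed with. It also decodes Calling-Station-Id and normalizes the upper-case, undelimited MAC seen in the capture. The packet in the block is constructed inline with a placeholder secret and the MAC from the CPGuest log; a real packet is the UDP payload of one port-3799 frame exported from the controller capture.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# RFC 5176 packet codes used for dynamic authorization (disconnect / CoA).
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
# RADIUS attribute types this checker decodes.
CALLING_STATION_ID = 31   # the client MAC, as seen in the pcap
HEADER_LEN = 20           # code(1) + identifier(1) + length(2) + authenticator(16)


def request_authenticator(code: int, identifier: int, length: int,
                          attributes: bytes, secret: bytes) -> bytes:
    """Request Authenticator per RFC 5176 section 2.3:
    MD5(Code + ID + Length + 16 zero octets + request attributes + shared secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_disconnect_request(identifier: int, secret: bytes,
                             attributes: list[tuple[int, bytes]]) -> bytes:
    """Build a Disconnect-Request the way a RADIUS server would. Used here only to
    construct sample input; a real packet comes from the controller pcap."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value
                    for atype, value in attributes)
    length = HEADER_LEN + len(body)
    auth = request_authenticator(DISCONNECT_REQUEST, identifier, length, body, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, identifier, length) + auth + body


def parse_attributes(payload: bytes) -> dict[int, list[bytes]]:
    """Split the TLV attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs: dict[int, list[bytes]] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs


def normalize_mac(raw: str) -> str:
    """Turn 406F2A3738D5, 40-6F-2A-37-38-D5 or 406f.2a37.38d5 into 40:6f:2a:37:38:d5."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def verify_coa_request(packet: bytes, secret: bytes) -> dict:
    """Check a captured Disconnect-Request / CoA-Request against a candidate shared
    secret and pull the client MAC out of Calling-Station-Id."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError(f"code {code} is not a Disconnect-Request or CoA-Request")
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    attributes = packet[HEADER_LEN:length]
    expected = request_authenticator(code, identifier, length, attributes, secret)
    # Constant-time compare, even though this is only a diagnostic tool.
    secret_ok = hmac.compare_digest(expected, packet[4:HEADER_LEN])
    attrs = parse_attributes(attributes)
    mac = None
    if CALLING_STATION_ID in attrs:
        mac = normalize_mac(attrs[CALLING_STATION_ID][0].decode("ascii", "replace"))
    return {"code": code, "identifier": identifier,
            "secret_ok": secret_ok, "client_mac": mac}


if __name__ == "__main__":
    # Constructed sample: the MAC from the thread's CPGuest log, formatted the way
    # the capture shows it (upper case, no delimiters), signed with a placeholder PSK.
    sample = build_disconnect_request(
        1, b"placeholder-psk", [(CALLING_STATION_ID, b"406F2A3738D5")])
    print(verify_coa_request(sample, b"placeholder-psk"))   # secret_ok: True
    print(verify_coa_request(sample, b"wrong-psk"))         # secret_ok: False
```

Run verify_coa_request over the exported bytes with the PSK shown by "show aaa rfc-3576-server"; if secret_ok comes back False for a packet the controller received intact, the secrets differ, and RFC 5176 requires the NAS to silently discard such a request, which would look exactly like "no response" from the ClearPass side. The check covers the Request Authenticator only; a Message-Authenticator attribute, if present, is not validated here.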
Regular Contributor I

Re: Clearpass CoA Problem

Checked the app logs on CPGuest.

They make reference to what looks like the same error, but represented in a PHP call into CPPM using the same default enforcement profile as I am using in CPPM:

disconnecting the session 

Client:    10.11.160.56:64790
App User:  sheridannet
Script:    /guest/guest_sessions.php
Function:  NwaGuestManager_GuestSessions_Disconnect
Arguments: array (
  'error' => 1,
  'message' => '{"content": {"cnc_actions": [{"status_message": "Radius [Aruba Terminate Session] failed for client 406f2a3738d5", "id": 1}]}, "id": "R000001fa-04-52f92f9d", "name": "cnc_response"}',
)


Guru Elite

Re: Clearpass CoA Problem

Do you have RADIUS CoA ticked in NAD configuration in ClearPass?

[image: enable-radius-coa-nad.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Clearpass CoA Problem

Arjan, yes of course. I decrypted the PSKs but they do seem to be in good order and correct.

I do not have FW policies applied; all interfaces are trusted, and I did look at the (I guess) control plane FW policy.

When I grep it for 3799 I see ACL hits on a permit for UDP (I truncated the output below). Not sure if relevant?

(ldnwcmc1) #show firewall-cp internal

CP firewall policies
--------------------
IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------  -----------  --------  ----------  --------  -----------  ----  --------
ipv4        any                     17        3799        3799      Permit       116
ipv6        any                     17        3799        3799      Permit       0
