Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

CoA Problem

Hi Guys,

I have a problem with my CoA config. It's supposed to be a simple setup, but I cannot find where my config went wrong.

Every time I try to do CoA, either manually from Access Tracker or automatically from my profile service, it always fails with an error from Access Tracker: "Radius [Aruba Terminate Session] failed for client", and when I do it manually: "Failed to contact Access Control Service".

here are the configuration of controller and CPPM:

  • Both are deployed in the same subnet, so the firewall should not be an issue.
  • RFC 3576 is already set up on the correct IP.
  • The RADIUS client IP and interface are already on the same address on the controller.
  • CoA is enabled in the server config in ClearPass.

I cannot figure out where it went wrong.

Ricky

Ricky E. Lee
CWNA | ACMP | ACCP
Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

Re: CoA Problem

Please, I need help :(

I really need to get this fixed ASAP.

Ricky E. Lee
CWNA | ACMP | ACCP
Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: CoA Problem

What type of service is this?

In Access Tracker, does the authentication request show the correct controller IP as the NAS-IP-Address?

After a failed CoA, look at the detailed logs in Access Tracker to find more info on what went wrong.

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: CoA Problem

A couple of things:
- If you are using a VIP on the ClearPass cluster, make sure you add it to the list of RFC servers under the AAA profile.
- Make sure that the shared key of the RFC server on the controller is correct.
- On the controller, check what your NAS IP address is by running this command: `show radius nas-ip`. That IP address needs to be added to the list of NAD devices in ClearPass.
- In ClearPass, make sure that when you add the controller as a NAD you enable CoA.
- If there's a firewall between the controller and ClearPass, you need to allow port 3799.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

Re: CoA Problem

I just remembered that the controller is a 2600 with ArubaOS 5. Does anyone know if CoA is possible in OS 5?
The controller has RFC 3576 though.

Hi xdrew, it's a profiler to force DHCP fingerprinting to get the device category parameter.
Yes, it does show the exact controller IP. This is one of the first things I checked, because the customer uses multiple controllers with a loopback interface.

Hi Victor,
- I am going to cluster these ClearPass servers, but for now I still run them without the cluster config.
- What part of the ClearPass config does the controller compare this key to? I use the same key for every RADIUS/server shared key.
- What is a NAD device? Is it the network devices? If it is, yes, I already compared them and they already match, and they also match the NAS IP in Access Tracker.
- Already checked the CoA.
- The controller and ClearPass are deployed in the same subnet without an access list on the switch.

Ricky.

Ricky E. Lee
CWNA | ACMP | ACCP
Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

Re: CoA Problem

I've checked the log, and there is no error, only a warning, and this is the only one that has anything to do with CoA:

2015-02-11 19:29:50,273[RequestHandler-1-0x7f87fe9f4700 r=R000002eb-01-54db4b3e h=9745 c=R000002eb-01-54db4b3e] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=

Anyone have any idea what it means?

Ricky

Ricky E. Lee
CWNA | ACMP | ACCP
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: CoA Problem

Network Access Device; in this case it will be the controller.

AOS 6.4.2.1 has a fix for a CoA bug.

[screenshot: ArubaOS 6.4.2.4 Release Notes]

Verify the following:

- Under the AAA profile you are using for that SSID, make sure you have defined the IP addresses of each of your ClearPass servers; the shared key is the same one used for RADIUS:

[screenshot: Authentication Profiles]

- Make sure that CoA is enabled:

[screenshot: ClearPass Policy Manager - Aruba Networks]

- The NAS-IP address should match the IP address added under Configuration > Network > Devices:

[screenshot: Authentication Advanced]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

Re: CoA Problem

I've checked, and the configuration you mentioned matches.

The "show ip radius source interface" and "show ip radius nas ip" commands on the controller return the correct IP that I entered in the network device parameter in CPPM.

Is it safe to assume that my controller 2400 running ArubaOS 5 cannot do CoA because of that bug you mentioned?

Ricky
Ricky E. Lee
CWNA | ACMP | ACCP
Moderator
Posts: 492
Registered: ‎11-09-2012

Re: CoA Problem

Rick,

I checked with Prod Mgmt here and they confirmed AOS 5.0 DID actually support CoA.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor II
Posts: 107
Registered: ‎03-18-2013

Re: CoA Problem

We found the problem for this case.

It seems the controller 2400 running AOS 5.0 doesn't use the normal port for CoA.

The port for CoA on the controller was opened at 1700, not 3799.

Not sure if it's the default or was changed by the engineer before me.

Ricky

Ricky E. Lee
CWNA | ACMP | ACCP
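The two failure modes in this thread (a shared-secret mismatch from Victor's checklist, and the CoA port being 1700 instead of the RFC 5176 default 3799 in the final post) both look identical from the ClearPass side: no reply, reported as "Failed to contact". The script below is an added example, not code from the thread or from Aruba; it simulates a Disconnect-Request exchange offline, with the Request/Response Authenticator computation from RFC 5176 section 2.3, so you can see why a bad secret is silently discarded by the NAS and why a wrong port never gets a reply at all. Session IDs, usernames, secrets and port numbers are constructed values; nothing is sent on the network.

```python
"""Offline RFC 5176 (RADIUS CoA / Disconnect) exchange simulator (added example)."""
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes used here (RFC 2865 / RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERR_SESSION_NOT_FOUND = 503   # Error-Cause "Session Context Not Found"
RFC_COA_PORT = 3799           # RFC 5176 default; the thread's controller used 1700


def encode_attrs(attrs):
    """TLV-encode (type, value) pairs; ints become 4-octet big-endian integers."""
    out = bytearray()
    for typ, val in attrs:
        if isinstance(val, str):
            val = val.encode()
        elif isinstance(val, int):
            val = struct.pack("!I", val)
        out += bytes([typ, len(val) + 2]) + val
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], bytes(data[i + 2:i + data[i + 1]])))
        i += data[i + 1]
    return attrs


def build_request(code, ident, attrs, secret):
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def request_authenticator_ok(packet, secret):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def response_authenticator_ok(response, request, secret):
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_handle(packet, dst_port, nas_secret, nas_port, sessions):
    """Controller (NAS) side. Returns (reply bytes or None, reason for the log)."""
    if dst_port != nas_port:
        return None, "no listener on UDP %d (controller listens on %d)" % (dst_port, nas_port)
    if not request_authenticator_ok(packet, nas_secret):
        # RFC 5176 s2.3: a packet with an invalid Request Authenticator is silently discarded
        return None, "silently discarded: bad Request Authenticator (shared secret mismatch?)"
    attrs = dict(decode_attrs(packet[20:]))
    sid = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode()
    if sid in sessions:
        return build_response(DISCONNECT_ACK, packet, [], nas_secret), "session terminated"
    nak_attrs = [(ATTR_ERROR_CAUSE, ERR_SESSION_NOT_FOUND)]
    return build_response(DISCONNECT_NAK, packet, nak_attrs, nas_secret), "session not found"


def simulate(server_secret, nas_secret, dst_port, nas_port, session_id, sessions=("S-0001",)):
    """ClearPass side: send one Disconnect-Request and report the outcome as text."""
    req = build_request(DISCONNECT_REQUEST, 7,
                        [(ATTR_USER_NAME, "user1"), (ATTR_ACCT_SESSION_ID, session_id)],
                        server_secret)
    reply, reason = nas_handle(req, dst_port, nas_secret, nas_port, set(sessions))
    if reply is None:
        return "timeout: " + reason            # what ClearPass shows as "Failed to contact"
    if not response_authenticator_ok(reply, req, server_secret):
        return "reply with bad Response Authenticator (discarded)"
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}
    return names[reply[0]] + ": " + reason


if __name__ == "__main__":
    # constructed scenarios: healthy, wrong port (the thread's root cause), wrong secret
    print(simulate(b"s3cret", b"s3cret", RFC_COA_PORT, RFC_COA_PORT, "S-0001"))
    print(simulate(b"s3cret", b"s3cret", RFC_COA_PORT, 1700, "S-0001"))
    print(simulate(b"s3cret", b"wrong", 1700, 1700, "S-0001"))
    print(simulate(b"s3cret", b"s3cret", 1700, 1700, "S-9999"))
```

The practical point for troubleshooting: only the port-mismatch and secret-mismatch cases produce no packet at all, so a capture on the controller's CoA port distinguishes "packet arrived but was dropped" (secret or NAS-IP problem, nothing logged by design) from "packet never arrived" (port or path problem). A NAK with Error-Cause 503 means the exchange itself is healthy and the session lookup is the issue.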