Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

CoA WebAuth

Hi Everyone,

I have ClearPASS set up to authenticate a user against our AD (after getting a captive portal after a failed MAC AUTH attempt) and once I have done that then I want to send a CoA request back to the controller.

The trouble is that as far as I can see when the request comes in (as seen in the Access Tracker) then its type is "Application" and therefore there is no "Access Device IP/Port:" listed in the request as the source is local. So when I apply a CoA Enforcement policy it never fires, and I am assuming this is because ClearPASS doesn't know where to send it?

So, please could someone help me out and confirm whether it is possible to specify a destination for a CoA Enforcement profile?

I can see the IP address of the NAD device in the original request in another variable for the item -Application:WebLoginURL:portal_ip.

Hope this makes sense, thanks for your help

Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

Re: CoA WebAuth

Nobody!?

Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: CoA WebAuth

Is the MAC address available in the url redirect to the web login page? 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

Re: CoA WebAuth

Hi Tim,

Yes I have the MAC Address - I have all of the info needed to make the request.

But how do I specify a destination IP for the CoA request?

Thanks,

Jaggie

Guru Elite
Posts: 8,203
Registered: ‎09-08-2010

Re: CoA WebAuth

You don't. It happens automatically based on session/authentication data. 

Are you able to manually perform a CoA via access tracker? 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

Re: CoA WebAuth

Ah ok,

No, I cannot make a CoA request from the access tracker as it is greyed out.

Just to confirm that I definitely have CoA active on the NAD, I can make a disconnect request via the guest admin portal but not via access tracker.

Thanks,

Jaggie

Guru Elite
Posts: 20,586
Registered: ‎03-29-2007

Re: CoA WebAuth

So, what are you trying to do?

You have a user that fails mac auth, so that user gets the captive portal.  You would then want to authenticate that user, right?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

Re: CoA WebAuth

Yep,

The user is then authenticated via the guest module against AD.

If the user is authed correctly then we should send a CoA request to the NAD.

The trouble is that the CoA request never fires.

Cheers,

Guru Elite
Posts: 20,586
Registered: ‎03-29-2007

Re: CoA WebAuth

Wait, if the user is authenticated correctly, why would you send a COA?  The user is just authenticated and goes on his merry way.  A COA is typically sent for a user that is already authenticated that you want to change their status if they use too much bandwidth or they go over their allotted time.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎05-26-2016

Re: CoA WebAuth

Hi,

I might want to add this is not for an ARUBA controller but a Juniper (trapeze) WLC.

The AD auth happens on ClearPASS so there has to be something returned to the controller to take the user out of the walled garden and for them to continue?? Unless I am missing something big!

I know with an ARUBA controller the Guest module makes a POST request to the controller and then the controller makes another auth request with the assigned username and password and then they get their new attributes and can surf etc.
