Contributor I

Re: CoA after MACtrac device registering

That works. Thanks!

 

During my testing, I noticed that sometimes the CoA isn't sent.

When this happens there is no Radius Response entry under the Output tab in Access Tracker for the WEBAUTH event.

If the CoA is sent, there is the Radius:IETF:Calling-Station-Id attribute with the client mac in Access Tracker.

 

I have attached the logs when it doesn't work and when it works.

 

Time for a TAC case?

 

Thanks,

Christian

 

 

Guru Elite

Re: CoA after MACtrac device registering

The best place to look is the device's last RADIUS authentication in Access Tracker. Is there a CoA tab after Output?

 

From the logs you attached, it looks like there is no active session for that MAC address so the disconnect message isn't crafted/sent.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

When the radius mac auth succeeds there is a CoA tab.

 

Could it be that the RADIUS Accounting message takes some time to be sent to CPPM? And without, there is no session in CPPM and no CoA sent?

 

Guru Elite

Re: CoA after MACtrac device registering

Potentially, but I've never seen that happen. Guess it's best to open a TAC case.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

That is solved.

 

We are using MACtrac in combination with guest mac caching.

The initial MAC auth of the device that should be registered needs to be accepted by ClearPass. By default it is rejected.

When it is accepted and a captive portal role is pushed, the CoA following the registering of the device then works reliably.

Re: CoA after MACtrac device registering


@cappalli wrote:
So these are standard user devices with a browser (Win, Android, Mac, iOS) or headless/IoT devices like Chromecasts, printers, Apple TVs, game console, etc?

Device registration can be used for both but it's really designed for the latter.

After a device registered, do you see a WEBAUTH request in ClearPass?

Should you also see a WEBAUTH when creating a Guest Account through the api with CoA set as true? I am not seeing the WEBAUTH on CPPM 6.6.x.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

Guru Elite

Re: CoA after MACtrac device registering

Device registration, yes. Guest account, no.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CoA after MACtrac device registering


@cappalli wrote:
Device registration, yes. Guest account, no.

What is the purpose of the CoA flag when creating a guest account using POST then? API Explorer says:

 

[Screenshot: 2018-08-09_1425.png]


Bruce Osborne - Wireless Engineer
ACCP, ACMP


Guru Elite

Re: CoA after MACtrac device registering

Just an oversight. I’ll get it removed.

Dynamic Authorization would provide no value when creating a guest account.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CoA after MACtrac device registering

If a user is self-registering, the CoA could serve to log them in much like the login button already in the CPPM Guest self-registration process.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

