Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Delete users when they're stuck in a role?

  • 1.  Delete users when they're stuck in a role?

    Posted Oct 16, 2017 10:01 AM

    When a new device connects, we put them into a needs_profiling role that only allows DHCP so they can get profiled, then send a CoA.  This works for a lot of devices, but doesn't work for many others.  Because of this we often end up with devices that get stuck in the needs_profiling role.

     

    Is there a way to detect when a device has been in a role for x minutes and then execute an action on that device?  We already have the CLI commands configured that we could trigger on these clients, I just can't work out the first part.



  • 2.  RE: Delete users when they're stuck in a role?

    EMPLOYEE
    Posted Oct 16, 2017 10:06 AM
    It should always work. Are you seeing the disconnect request being issued on the ones that are stuck?


  • 3.  RE: Delete users when they're stuck in a role?

    Posted Oct 16, 2017 10:29 AM

    I just checked one that's stuck right now, and although it shows the [Aruba Terminate Session] enforcement profile, the actual RADIUS output doesn't show the CoA.



  • 4.  RE: Delete users when they're stuck in a role?

    EMPLOYEE
    Posted Oct 16, 2017 10:39 AM
    On the original RADIUS request, do you see a CoA tab?


  • 5.  RE: Delete users when they're stuck in a role?

    Posted Oct 16, 2017 11:44 AM

    Actually no, all of the ones currently stuck are on the same controller and none show the CoA tab.  With that said, I've seen intermittent CoA success at some of our other sites too.  I'm off to figure out why this one controller isn't taking CoA requests.



  • 6.  RE: Delete users when they're stuck in a role?
    Best Answer

    EMPLOYEE
    Posted Oct 16, 2017 11:46 AM
    That's the best place to start. Please work with TAC. Your original ask is not possible.