Security

I have a TAC case open for this but it's been a bit slow to get anywhere with it. So I'm trying here.

We are using Clearpass to allow guests to register their own devices on our network (Airgroup). The device creation works just fine, but when someone goes to edit the access list for that device after the fact, things start to break down.

So as the Subject says... how do you get Clearpass Guest Mac_Edit to send a COA to the controller? We can do it manually with a Access Tracker -> Change Status or via the controller command line with a "aaa user delete mac $mac_address" but that is no real solution. We need the form to send the COA so that the changes take affect.

Currently without manual intervention (i.e. and Admin manaually sending the COA) the device has to stay unplugged from the controller/network for 16 minutes and 40 seconds before the changes are reflected on the controllers. Where is the setting for the device timeout? I can't find anything on the controllers that match this timing.

Can a COA be sent from the Clearpass Guest form?

Try adding the change_of_authorization field to your form.

Already in the form and does not work. A packet capture even shows that the COA is not sent. (That is the first thing we tried.)

Someone from TAC also tried adding a "mac_auth" to the form in hopes it would send a COA. It also does not send it.

Has anyone come up with a solution for this? Is there a way to send a CoA from the device receipt page that actually terminates the session? It seems like that wouldn't work since there is no auth in access tracker to terminate anyway - just the web auth into the guest application. A simple disconnect and reconnect does not always work as the user session on the controller stays alive and the user stays in the logon role when reconnecting. 

Two things.

1) Be sure your user idle timeout is set to 0 so user's will be removed immediately when they disconnect

2) The WEBAUTH that gets triggered in CPPM is where you should be build a basic service to trigger the CoA.

Did someone find a solution for this? I get the below error when I try to reauthorize 

My server is running on 6.8.3 and I do have COA enforcement profile configured with the same name as the role name (in guest role mapping) but it keeps giving this error "There are no applicable Reauthorization profiles. Please create one under ClearPass Policy Manager > Configuration > Enforcement > Profiles. To automatically generate a change of authorization when a guest account's role changes, make sure that the enforcement profile's name also contains the role name."

Does it work from Access Tracker?

It works absolutely fine from access tracker. Also the disconnect option under active session on guest module works fine. But just that reauthorize is failing.  

Please work with Aruba TAC.