Security

Reply
Contributor I
Posts: 20
Registered: ‎04-03-2007

How do you send a COA from within a Clearpass guest mac_edit device form?

I have a TAC case open for this but it's been a bit slow to get anywhere with it. So I'm trying here.

 

We are using Clearpass to allow guests to register their own devices on our network (Airgroup). The device creation works just fine, but when someone goes to edit the access list for that device after the fact, things start to break down.

 

So as the Subject says... how do you get Clearpass Guest Mac_Edit to send a COA to the controller? We can do it manually with a Access Tracker -> Change Status or via the controller command line with a "aaa user delete mac $mac_address" but that is no real solution. We need the form to send the COA so that the changes take affect.

 

Currently without manual intervention (i.e. and Admin manaually sending the COA) the device has to stay unplugged from the controller/network for 16 minutes and 40 seconds before the changes are reflected on the controllers. Where is the setting for the device timeout? I can't find anything on the controllers that match this timing.

 

Can a COA be sent from the Clearpass Guest form?

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: How do you send a COA from within a Clearpass guest mac_edit device form?

Try adding the change_of_authorization field to your form.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 20
Registered: ‎04-03-2007

Re: How do you send a COA from within a Clearpass guest mac_edit device form?

[ Edited ]

Already in the form and does not work. A packet capture even shows that the COA is not sent. (That is the first thing we tried.)

 

Someone from TAC also tried adding a "mac_auth" to the form in hopes it would send a COA. It also does not send it.

Occasional Contributor I
Posts: 8
Registered: ‎12-21-2016

Re: How do you send a COA from within a Clearpass guest mac_edit device form?

Has anyone come up with a solution for this? Is there a way to send a CoA from the device receipt page that actually terminates the session? It seems like that wouldn't work since there is no auth in access tracker to terminate anyway - just the web auth into the guest application. A simple disconnect and reconnect does not always work as the user session on the controller stays alive and the user stays in the logon role when reconnecting. 

Ted Randall
ACMX #582
ACCP
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: How do you send a COA from within a Clearpass guest mac_edit device form?

Two things.

 

1) Be sure your user idle timeout is set to 0 so user's will be removed immediately when they disconnect

 

2) The WEBAUTH that gets triggered in CPPM is where you should be build a basic service to trigger the CoA.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: