10-11-2016 05:46 AM
I have a TAC case open for this but it's been a bit slow to get anywhere with it. So I'm trying here.
We are using Clearpass to allow guests to register their own devices on our network (Airgroup). The device creation works just fine, but when someone goes to edit the access list for that device after the fact, things start to break down.
So as the Subject says... how do you get Clearpass Guest Mac_Edit to send a COA to the controller? We can do it manually with a Access Tracker -> Change Status or via the controller command line with a "aaa user delete mac $mac_address" but that is no real solution. We need the form to send the COA so that the changes take affect.
Currently without manual intervention (i.e. and Admin manaually sending the COA) the device has to stay unplugged from the controller/network for 16 minutes and 40 seconds before the changes are reflected on the controllers. Where is the setting for the device timeout? I can't find anything on the controllers that match this timing.
Can a COA be sent from the Clearpass Guest form?
10-11-2016 05:59 AM
Try adding the change_of_authorization field to your form.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
10-11-2016 06:07 AM - edited 10-11-2016 06:07 AM
Already in the form and does not work. A packet capture even shows that the COA is not sent. (That is the first thing we tried.)
Someone from TAC also tried adding a "mac_auth" to the form in hopes it would send a COA. It also does not send it.
3 weeks ago
Has anyone come up with a solution for this? Is there a way to send a CoA from the device receipt page that actually terminates the session? It seems like that wouldn't work since there is no auth in access tracker to terminate anyway - just the web auth into the guest application. A simple disconnect and reconnect does not always work as the user session on the controller stays alive and the user stays in the logon role when reconnecting.
3 weeks ago
1) Be sure your user idle timeout is set to 0 so user's will be removed immediately when they disconnect
2) The WEBAUTH that gets triggered in CPPM is where you should be build a basic service to trigger the CoA.