Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Issue - COA enforcement profile never send to NAS

  • 1.  Issue - COA enforcement profile never send to NAS

    MVP EXPERT
    Posted Apr 08, 2018 05:21 AM

    I ran into a strange problem when I use an [ArubaOS Switching - Terminate Session] enforcement profile: the RADIUS response is visible in Access Tracker but is never sent by ClearPass to the NAS device. The RADIUS response packets are not visible in Wireshark and never reach the NAS.

    I solved the problem by making a clone of the [ArubaOS Wireless - Terminate Session] template and changing the attributes to be equal to the [ArubaOS Switching - Terminate Session] template.

    It seems like a bug to me in ClearPass 6.7.2.105008.

    The switch, a 2920 with firmware 16.04, isn't the problem here; the problem is that ClearPass never sends the RADIUS response that Access Tracker shows.

    One thing I noticed is that when I do a manual CoA on an accepted RADIUS request in Access Tracker, only the wireless CoA enforcement profiles are visible there.

    Have other people seen the same issue here? Or did I miss something?

    See also the attachment with some screenshots of the issue in my test environment ;)

    Attachment(s)

    pdf
    COA ISSUE.pdf   627 KB 1 version


  • 2.  RE: Issue - COA enforcement profile never send to NAS
    Best Answer

    EMPLOYEE
    Posted Apr 08, 2018 08:58 AM
    1) A terminate session is a Disconnect Message, not a CoA.
    2) Is your switch defined as Hewlett-Packard-Enterprise in Network Devices?


  • 3.  RE: Issue - COA enforcement profile never send to NAS

    MVP EXPERT
    Posted Apr 08, 2018 09:34 AM

    Hi Tim,

    Thanks for your explanation. Actually, a disconnect request uses CoA port 3799 UDP, so that's why I called it CoA. When I look in "show radius dyn-authorization", you're right, it's a disconnect message.

    My switch is in the vendor name group "Aruba", since it's an Aruba 2920 switch. Actually it seems to go wrong there; if I change it to HPE switches then it looks better. :) So you're right there too ;)

    I only don't see a difference in the enforcement profiles that hints at that choice.

  • 4.  RE: Issue - COA enforcement profile never send to NAS

    EMPLOYEE
    Posted Apr 08, 2018 09:35 AM
    Make sure you follow the ClearPass Solution Guide for Wired Policy Enforcement.


  • 5.  RE: Issue - COA enforcement profile never send to NAS

    Posted Jul 09, 2018 06:35 AM

    Hi mkk,

    I'm currently using Aruba 2920 WB.16.06.0006 and CPPM 6.7.3.106.273.

    I changed the device settings to HPE, still CoA 3799.

    But I still get the "Aruba OS Switching - Bounce Switch Port failed for client .." error.
    The Aruba 135 is still on the untrusted VLAN but was identified under the End-Host identifier.

    I'm currently testing Device Profiling with VLAN enforcement.

    Any suggestions? TIA :)


  • 6.  RE: Issue - COA enforcement profile never send to NAS

    MVP EXPERT
    Posted Jul 09, 2018 05:58 PM
    Be sure you have the Vendor Name in your NAD device set to Hewlett-Packard-Enterprise.

    Second, be sure you have dynamic authorization enabled on your switch:
    radius-server host “cppm-ip” dyn-authorization


  • 7.  RE: Issue - COA enforcement profile never send to NAS

    Posted Jul 10, 2018 01:15 AM

    Hi mkk,

    Thanks for your response. I already did that; however, the error still remains. Please see the attached images.

    Thank you



  • 8.  RE: Issue - COA enforcement profile never send to NAS

    MVP EXPERT
    Posted Jul 10, 2018 04:45 AM

    Hi Harveyysip,

    Look at the copied CoA profile you created. It looks like you have the attribute "Tunnel-Private-Group-ID=1" in place there; the VLAN has not been part of the CoA profile.

    Also be sure your switch config is OK. Do you have accounting enabled in your switch config like this:

    • radius-server host 172.16.10.3 dyn-authorization
    • aaa accounting network start-stop radius

    Accounting is also important from 6.7.x because it manages your concurrent licensing, else licences stay up for 24 hr. ;)

    Your mac-auth-all service profile looks good to me.

    See the attachment for some screenshots from my test environment.

    Hope this helps you

    Attachment(s)

    pdf
    Untitled.pdf   333 KB 1 version
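Two points in this thread are easy to get wrong when you are staring at Access Tracker and a packet capture: a "Terminate Session" profile is an RFC 5176 Disconnect-Request (code 40) rather than a CoA-Request (code 43), both arriving at the NAS on UDP 3799, and the VLAN in a CoA must travel in the value of the tagged Tunnel-Private-Group-ID attribute, not in its tag. The following Python, added here as an illustration and not code from the thread, from ClearPass or from HPE Aruba, builds and parses both request types and both sides' authenticators so you can see exactly what the switch checks before it acts. The shared secret, the client MAC and the VLAN number are constructed values; only the NAS IP 172.16.10.3 comes from the switch config quoted above.

```python
import hashlib
import hmac
import struct

# RFC 5176 (RADIUS Dynamic Authorization) packet codes. A "Terminate Session"
# profile sends a Disconnect-Request (40); a VLAN/role change is a CoA-Request (43).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
DYN_AUTH_PORT = 3799  # UDP port a NAS listens on once dyn-authorization is enabled

# Standard attribute types used in the thread (RFC 2865 / RFC 2868).
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# Constructed demo values (the NAS IP is the one in the switch config above).
SECRET = b"constructed-shared-secret"
NAS_IP = "172.16.10.3"
CLIENT_MAC = "00-11-22-33-44-55"  # constructed MAC-auth username


def encode_attr(attr_type, value, tag=None):
    """Encode one AVP as Type, Length, Value; tunnel attributes get a leading tag octet."""
    if isinstance(value, str):
        value = value.encode()
    if tag is not None:
        value = bytes([tag]) + value
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_value(raw):
    """Split a tunnel attribute into (tag, value); a first octet above 0x1F means untagged."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return None, raw


def build_request(code, attrs, secret, identifier=1):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("only request codes are built here")
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """ACK/NAK from the NAS: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse_packet(packet):
    """Parse header and attribute list; rejects length mismatches and truncated AVPs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "name": CODE_NAMES.get(code, "unknown"), "id": identifier, "attrs": attrs}


def verify_request(packet, secret):
    """First thing the NAS does: recompute the Request Authenticator. A wrong shared
    secret or a tampered packet fails here and the NAS silently discards the request."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Server side: the ACK/NAK must be built over our Request Authenticator and identifier."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def terminate_session_request():
    """Disconnect-Request as a 'Terminate Session' profile would send it for a MAC-auth client."""
    return build_request(DISCONNECT_REQUEST, [
        encode_attr(USER_NAME, CLIENT_MAC),
        encode_attr(CALLING_STATION_ID, CLIENT_MAC),
        encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
    ], SECRET)


def vlan_change_request(vlan_id):
    """CoA-Request with the tagged VLAN triple: the VLAN is the value, the tag is just 1."""
    return build_request(COA_REQUEST, [
        encode_attr(CALLING_STATION_ID, CLIENT_MAC),
        encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag=1),
        encode_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"), tag=1),
        encode_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag=1),
    ], SECRET, identifier=2)
```

Feeding a capture of port 3799 through `parse_packet` tells you immediately whether the server sent a Disconnect-Request or a CoA-Request and what VLAN it actually carried; `verify_request` failing with the secret you configured is the same condition under which a real NAS drops the packet without any ACK or NAK, which looks in Access Tracker like a CoA that "failed".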


  • 9.  RE: Issue - COA enforcement profile never send to NAS

    Posted Jul 12, 2018 06:17 AM

    Hi Mkk,

    I already adjusted the attribute and enabled accounting, but I still get the same error and Radius_CoA still fails. Can you share your full CLI config with me?

    TIA :)