Occasional Contributor I
Posts: 9
Registered: ‎04-16-2007

Issue with CoA

Hi All,

 

I've just deployed CPPM with Guest with a bunch of IAPs and I'm having no luck getting RADIUS CoA to work.  If I go into Guest Manager and click disconnect, I get (almost immediately):

"Error disconnecting session for user bdale. Please check ClearPass Policy Manager -> Access Tracker for more details."

 

A bit of background:

- All guest authentication is working correctly (as are corporate users), so CP RADIUS <-> IAP VC works

- IAP VC has dynamic-radius-proxy and a static controller IP set

- There are no ACLs/filtering/firewalls between the CPPM and the IAP VC (or other members)

- I can confirm that all requests from the IAPs are displaying the NAS IP of the VC Address

- When I run a packet capture on the IAP VC Master filtered down to port 3799, and manually disconnect a user via Guest Manager, I see nothing in the capture dump

- I also see nothing in Access Tracker on CPPM indicating success or failure.

- IAPs have rfc3576 configured under auth-server

- CPPM has CoA delay set to "2" under Server Configuration / Service Parameters

- In CPPM Guest, the NAS Type is set to Aruba Networks (RFC 3576 Support)

 

Is there anything I've missed?

 

Cheers,

 

Ben

 

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Issue with CoA

1. Double and triple check the passwords. :)

2. Check the logs in cpguest to make sure there are no alerts there.

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 9
Registered: ‎04-16-2007

Re: Issue with CoA

Passwords are working (Guest access works, and I can see RADIUS Accept come back in CPPM).  The error log in CPGuest shows this super vague message:

 

Client:    172.28.0.52:52567
App User:  admin
Script:    /guest/guest_sessions.php
Function:  NwaGuestManager_GuestSessions_Disconnect
Arguments: array (
  'error' => 1,
  'message' => '{"content": {"cnc_actions": [{"status_message": "Query - No supported actions", "id": 1}]}, "id": "R00002b17-01-520dc456", "name": "cnc_response"}',
)

 

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Issue with CoA

Are you able to disconnect the users in access tracker?

 

 

Thank You,
Troy

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Issue with CoA

Also try changing the NAS type to Aruba instead of Aruba Networks (RFC 3576).

Thank You,
Troy

Occasional Contributor I
Posts: 9
Registered: ‎04-16-2007

Re: Issue with CoA

[ Edited ]

Hi Troy,

 

When I click Change Status, all the options (including CoA) are greyed out and the message:

 

No advertised access control capabilities for this MAC Address

 

is displayed across the top of the page.  

I've changed the NAS to just the Aruba Networks option as well, however I'm remote from the site now and won't be able to test the outcome until Monday.

 

Thanks for your suggestions.

 

Cheers,

 

Ben

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Issue with CoA

Check that you have an [Aruba Disconnect Session] enforcement profile set up in CPPM (this is a default profile and should be there).

Check that your Network Access Device is set up as type "Aruba", and that CoA is marked as enabled (this is under CPPM » Configuration » Network » Devices).

Occasional Contributor I
Posts: 9
Registered: ‎04-16-2007

Re: Issue with CoA

[ Edited ]

Hi Amigodave,

 

I have found an Aruba Disconnect Session enforcement profile, but it doesn't appear to be applied to my service.  I'm still struggling to find some good doco on how this is applied (I built my service from scratch rather than using one of the supplied templates), and what match conditions I should be looking for.

 

I assume I need to apply an Enforcement rule to my Post-Auth Guest Service that results in the [RADIUS_CoA][Aruba Disconnect] Enforcement Profile being applied, but what attributes should I be checking for in the Conditions section? (receiving a CoA message?)

 

Any chance someone could post some screenshots of:

 

Configuration / Services / <Guest Service> / Enforcement

 

for a system that has CoA working?

 

Cheers,

 

Ben

 

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Issue with CoA

If you use the service templates it should build the complete service for you. 

 

Guest MAC authentication

 


Thank You,
Troy

Occasional Contributor I
Posts: 9
Registered: ‎04-16-2007

Re: Issue with CoA

Just to close this one off for anyone else who has the same issue:

 

I didn't have dynamic-radius-proxy enabled on the IAPs, and in CPPM had the network device configured as a subnet to capture all the IAPs that would be part of the cluster.

 

Once I switched on the dynamic-radius-proxy and made the network device more specific, the Change Status button now provides the CoA option.

 

Thanks all who replied.

 

Ben
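
As an added illustration (not part of any post in this thread and not Aruba's code): the RFC 3576 traffic on UDP port 3799 that the packet capture above was looking for is a RADIUS Disconnect-Request, and a NAS only acts on it if the Request Authenticator matches the shared secret. The Python below decodes such a packet and checks that authenticator offline; the shared secret, MAC address and packet ID are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 (obsoletes RFC 3576) packet code
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31

def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident: int, secret: bytes, attrs: dict) -> bytes:
    """Build a Disconnect-Request; used here only to construct sample input."""
    body = b"".join(_attr(t, v) for t, v in attrs.items())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_and_verify(packet: bytes, secret: bytes) -> dict:
    """Decode a captured CoA/Disconnect packet and check its authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured bytes")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("malformed attribute length")
        attrs[a_type] = body[pos + 2:pos + a_len]
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs,
            "authenticator_ok": hmac.compare_digest(expected, packet[4:20])}

# Constructed sample: the user name appears in the thread, everything else is made up.
SAMPLE = build_disconnect_request(
    7, b"example-secret",
    {ATTR_USER_NAME: b"bdale", ATTR_CALLING_STATION_ID: b"00-11-22-33-44-55"})
```

A packet that decodes cleanly but reports `authenticator_ok` as false points at a shared-secret mismatch; seeing no packet at all on port 3799, as in this thread, means the server never sent one.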
