Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Issue with CoA

  • 1.  Issue with CoA

    Posted Aug 16, 2013 01:56 AM

    Hi All,

     

    I've just deployed CPPM with Guest with a bunch of IAPs and I'm having no luck getting RADIUS CoA to work. If I go into Guest Manager and click disconnect, I get (almost immediately):

    "Error disconnecting session for user bdale. Please check ClearPass Policy Manager -> Access Tracker for more details."

     

    A bit of background:

    - All guest authentication is working correctly (as are corporate users), so CP RADIUS <-> IAP VC works

    - IAP VC has dynamic-radius-proxy and a static controller IP set

    - There are no ACLs/filtering/firewalls between the CPPM and the IAP VC (or other members)

    - I can confirm that all requests from the IAPs are displaying the NAS IP of the VC Address

    - When I run a packet capture on the IAP VC Master filtered down to port 3799, and manually disconnect a user via Guest Manager, I see nothing in the capture dump

    - I also see nothing in Access Tracker on CPPM indicating success or failure.

    - IAPs have rfc3576 configured under auth-server

    - CPPM has CoA delay set to "2" under Server Configuration / Service Parameters

    - In CPPM Guest, the NAS Type is set to Aruba Networks (RFC 3576 Support)

     

    Is there anything I've missed?

     

    Cheers,

     

    Ben

     



  • 2.  RE: Issue with CoA

    EMPLOYEE
    Posted Aug 16, 2013 02:13 AM

    1. Double and triple check the passwords. :)

    2. Check the logs in cpguest to make sure there are no alerts there.

     



  • 3.  RE: Issue with CoA

    Posted Aug 16, 2013 02:29 AM

    Passwords are working (Guest access works, and I can see RADIUS Accept come back in CPPM).  The error log in CPGuest shows this super vague message:

     

    Client:    172.28.0.52:52567
    App User:  admin
    Script:    /guest/guest_sessions.php
    Function:  NwaGuestManager_GuestSessions_Disconnect
    Arguments: array (
      'error' => 1,
      'message' => '{"content": {"cnc_actions": [{"status_message": "Query - No supported actions", "id": 1}]}, "id": "R00002b17-01-520dc456", "name": "cnc_response"}',
    )

     



  • 4.  RE: Issue with CoA

    EMPLOYEE
    Posted Aug 16, 2013 02:54 AM

    Are you able to disconnect the users in Access Tracker?

     

    screenshot_07 Aug. 16 01.47.gif

     

     



  • 5.  RE: Issue with CoA

    EMPLOYEE
    Posted Aug 16, 2013 02:59 AM

    Also try changing the NAS type to Aruba instead of Aruba Networks (RFC 3576).

     

    screenshot_08 Aug. 16 01.52.gif



  • 6.  RE: Issue with CoA

    Posted Aug 16, 2013 03:25 AM

    Hi Troy,

     

    When I click Change Status, all the options (including CoA) are greyed out and the message:

     

    No advertised access control capabilities for this MAC Address

     

    is displayed across the top of the page.  

    I've changed the NAS to just the Aruba Networks option as well, however I'm remote from the site now and won't be able to test the outcome until Monday.

     

    Thanks for your suggestions.

     

    Cheers,

     

    Ben



  • 7.  RE: Issue with CoA

    Posted Aug 16, 2013 01:25 PM

    Check that you have an [Aruba Disconnect Session] enforcement profile set up in CPPM (this is a default profile and should be there).

    Check that your Network Access Device is set up as type "Aruba", and that CoA is marked as enabled (this is under CPPM » Configuration » Network » Devices).



  • 8.  RE: Issue with CoA

    Posted Aug 18, 2013 09:26 PM

    Hi Amigodave,

     

    I have found an Aruba Disconnect Session enforcement profile, but it doesn't appear to be applied to my service.  I'm still struggling to find some good doco on how this is applied (I built my service from scratch rather than using one of the supplied templates), and what match conditions I should be looking for.

     

    I assume I need to apply an Enforcement rule to my Post-Auth Guest Service that results in the [RADIUS_CoA][Aruba Disconnect] Enforcement Profile being applied, but what attributes should I be checking for in the Conditions section? (receiving a CoA message?)

     

    Any chance someone could post some screenshots of:

     

    Configuration / Services / <Guest Service> / Enforcement

     

    for a system that has CoA working?

     

    Cheers,

     

    Ben

     



  • 9.  RE: Issue with CoA

    EMPLOYEE
    Posted Aug 19, 2013 12:11 AM

    If you use the service templates it should build the complete service for you. 

     

    Guest MAC authentication

     

    screenshot_01 Aug. 18 23.02.gif

    screenshot_02 Aug. 18 23.03.gif

    screenshot_04 Aug. 18 23.03.gif

    screenshot_05 Aug. 18 23.03.gif



  • 10.  RE: Issue with CoA
    Best Answer

    Posted Sep 24, 2013 09:34 PM

    Just to close this one off for anyone else who has the same issue:

     

    I didn't have dynamic-radius-proxy enabled on the IAPs, and in CPPM had the network device configured as a subnet to capture all the IAPs that would be part of the cluster.

     

    Once I switched on the dynamic-radius-proxy and made the network device more specific, the Change Status button now provides the CoA option.

     

    Thanks all who replied.

     

    Ben
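
Added example, not part of the original thread or of any Aruba tooling: a Python decoder for the UDP payload of an RFC 3576 Disconnect/CoA request (the traffic the first post captured for on port 3799), which also checks the Request Authenticator against the shared secret that reply 2 says to verify. The codes and authenticator rule follow RFC 5176, which obsoletes RFC 3576; the secret, NAS IP and MAC address are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes (RFC 5176 obsoletes RFC 3576)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31

def build_request(code, ident, attrs, secret):
    """Encode a Disconnect/CoA request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_request(packet, secret):
    """Decode a UDP payload; return (code name, attributes, authenticator_ok)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the payload")
    body, attrs, pos = packet[20:length], [], 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return CODES.get(code, f"code {code}"), attrs, hmac.compare_digest(expected, packet[4:20])

# Constructed sample values: only the user name "bdale" comes from the thread.
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(40, 7, [
    (USER_NAME, b"bdale"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),   # documentation address
    (CALLING_STATION_ID, b"02-00-00-00-00-01"),          # constructed MAC
], SECRET)

if __name__ == "__main__":
    for secret in (SECRET, b"wrong-secret"):
        name, attrs, ok = parse_request(SAMPLE, secret)
        print(name, attrs, "authenticator ok" if ok else "authenticator MISMATCH")
```

An authenticator mismatch on a captured request points at a shared-secret difference between the two ends; an empty capture, as in the first post, means no request reached the interface being captured.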