Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnGuard CoA / User-role not working

  • 1.  OnGuard CoA / User-role not working

    Posted Aug 16, 2016 10:20 AM

    Hi,


    So I'm using an 802.1X SSID in combination with OnGuard. However, I can't seem to get the wireless users to change roles or re-run the authentication (without disconnecting (as in bouncing) them with the agent).


    I've already gone through the usual stuff about this type of configuration:


    • Checked RFC3576 servers and keys
    • No firewall in between (same subnet)
    • All NADs are added and the CoA checkbox is marked
    • Have the server derivation rules (see screenshot)
    • Have a web auth service for health check only
    • Have cached roles and posture results

    Wired works perfectly but can work with bounce client (which is not really useful for wireless clients, as they won't reconnect). I've tried CoA terminate sessions, a CoA coupled with a user-role, but nothing seems to be working. Role always stays the same.


    Can someone help?



  • 2.  RE: OnGuard CoA / User-role not working

    Posted Aug 16, 2016 11:36 AM

    What IP addresses do you have defined under the AAA Profile / RFC Servers?

    Are you including the VIP for ClearPass ?

    If you try to execute a CoA directly from Access Tracker using the change status



  • 3.  RE: OnGuard CoA / User-role not working

    Posted Aug 17, 2016 04:30 AM

    Both AAA profiles and RFC servers are configured for VIP, node 1 and node 2. IP addresses are the ones you see under RFC servers in one of the screenshots (FYI: same subnet as controllers).


    CoA from the Access Tracker fails: I either get a timeout, or when I go to the record in Access Tracker, under the tab Radius CoA, I see: Radius CoA failed for client mac-address.
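As an added example (not from this thread or from HPE Aruba), the Python below encodes an RFC 5176 CoA-Request carrying the Aruba-User-Role VSA and checks the Response Authenticator of the CoA-ACK/NAK that comes back, which tells you whether the NAD signed its reply with the same RFC 3576 key ClearPass used. The client MAC, role name and key are constructed values; the Aruba vendor ID 14823 and VSA sub-type 1 are the public dictionary values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26  # standard RADIUS attribute types
ARUBA_VENDOR_ID = 14823                       # Aruba IANA enterprise number
ARUBA_USER_ROLE = 1                           # Aruba-User-Role VSA sub-type

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding used by every RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute wrapping Aruba-User-Role (sub-type 1, string)."""
    sub = attr(ARUBA_USER_ROLE, role.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)

def build_coa_request(identifier: int, secret: bytes, attrs: list) -> bytes:
    """CoA-Request: Request Authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_response(code: int, request: bytes, secret: bytes, attrs: list = ()) -> bytes:
    """Simulated NAD reply; Response Authenticator covers the request's authenticator."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def check_response(request: bytes, response: bytes, secret: bytes):
    """Return (code, ok); ok is True only if the reply matches this request and secret."""
    if len(request) < 20 or len(response) < 20:
        return None, False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return code, False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code, hmac.compare_digest(expected, response[4:20])

# Constructed sample: a role change for one client, answered once with the matching key and once with a wrong key.
SECRET = b"constructed-rfc3576-key"
REQUEST = build_coa_request(7, SECRET, [attr(CALLING_STATION_ID, b"00-11-22-33-44-55"),
                                        aruba_user_role("quarantine")])
ACK_GOOD = build_response(COA_ACK, REQUEST, SECRET)
NAK_BAD_KEY = build_response(COA_NAK, REQUEST, b"wrong-key")
```

Per RFC 5176 a NAD silently discards a request whose authenticator does not verify, so a key mismatch shows up as the timeout described above rather than as a NAK.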



  • 4.  RE: OnGuard CoA / User-role not working

    Posted Aug 17, 2016 10:36 AM
    Try using the actual server IP instead of the VIP in the list of RFC servers.




  • 5.  RE: OnGuard CoA / User-role not working

    Posted Aug 17, 2016 11:01 AM

    At first the VIP wasn't added under RFC servers. Added it because the CoA was not working. To no avail.



  • 6.  RE: OnGuard CoA / User-role not working
    Best Answer

    Posted Aug 24, 2016 08:24 AM

    I seem to have found it.


    On the controller, one of the ClearPass addresses had different MAC address settings from the others.