Frequent Contributor II
Posts: 104
Registered: ‎01-05-2015

OnGuard CoA / User-role not working

Hi,

So I'm using an 802.1x SSID in combination with OnGuard. However, I can't seem to get the wireless users to change roles or re-run the authentication (without disconnecting (as in bouncing) them with the agent).

I've already gone through the usual stuff about this type of configuration:

  • Checked RFC3576 servers and keys
  • No firewall in between (same subnet)
  • All NADs are added and the CoA checkbox is marked
  • Have the server derivation rules (see screenshot)
  • Have a web auth service for health check only
  • Have cached roles and posture results

Wired works perfectly but can work with bounce client (which is not really useful for wireless clients as they won't reconnect). I've tried CoA terminate sessions, a CoA coupled with a user-role, but nothing seems to be working. Role always stays the same.

Can someone help?

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: OnGuard CoA / User-role not working

What IP addresses do you have defined under the AAA Profile / RFC Servers?

Are you including the VIP for ClearPass?

If you try to execute a CoA directly from Access Tracker using the change status

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 104
Registered: ‎01-05-2015

Re: OnGuard CoA / User-role not working

Both AAA profiles and RFC servers are configured for VIP, node 1 and node 2. IP addresses are the ones you see under RFC servers in one of the screenshots (FYI: same subnet as controllers).

CoA from the access tracker fails: I either get a timeout or, when I go to the record in access tracker, under tab Radius CoA, I see: Radius CoA failed for client mac-address.

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: OnGuard CoA / User-role not working

Try using the actual server IP instead of the VIP in the list of RFC servers.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 104
Registered: ‎01-05-2015

Re: OnGuard CoA / User-role not working

At first the VIP wasn't added under RFC servers. Added it because the CoA was not working. To no avail.

Frequent Contributor II
Posts: 104
Registered: ‎01-05-2015

Re: OnGuard CoA / User-role not working

Seem to have found it.

On the controller, one of the ClearPass addresses had some different MAC address settings than the others.
