Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

  • 1.  RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 05:45 AM

    Hi Guys,

    I deployed a ClearPass CPPM and configured everything like it should be and like my client wants. Everything is working well.

    (A6000M3 6.1.3.8 +  ClearPass Policy Manager 6.0.2.46902 on CP-SW-VA platform)

     

     

    BUT I have 1 issue:

    RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect a client I'm getting the following error:

    Error disconnecting session for user testuser. Please check ClearPass Policy Manager -> Access Tracker for more details.

     


    When I check the Access Tracker, I can see this info:

    44.PNG

     

    Can anyone explain why this is? If the CPPM can send the connect + right role change to the Controller after user login, why am I getting this error when I ask it to disconnect a client?

    This is how my CPPM base config looks toward the Aruba Controller:

    55.PNG

     

     

     

    66.PNG

     

     

    Please advise.

     

    Thanks

    Me.

     

     



  • 2.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 06:00 AM

    Did you define it under security > authentication > servers > RFC 3576?

    Make sure that when you enter the server IP address you also add the key.


  • 3.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 01:29 PM
    Make sure that the NAS IP defined on the controller is the same as what you've defined in ClearPass for that device.


  • 4.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 09:03 PM

    Hi, vfabian

    Hi, thecompnerd

    :smileyhappy:

    As I wrote before - everything is working just fine except the disconnect process.

    Even though I quad-triple :smileytongue: checked the RFC + RADIUS settings on my controller, I haven't found anything misconfigured... users are getting the needed roles... it's just the disconnect process.

     

    screenshots from my controller:

     

    2.PNG

    3.PNG

    4.PNG

     

     


    Please advise... what may be the reason? How do I know if RFC is passing between the controller and the CPPM? Is there any way?

    I must solve this issue before Sunday.

     

    Thanks in advance.

     

    Me

     

     

     



  • 5.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 10:02 PM

    Can you confirm if the key on the RFC server matches the key in the CPPM or the RADIUS key in the controller?



  • 6.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 10:59 PM

    kdisk98,

     

    I mentioned verifying the NAS IP because I had the same problem months ago where RADIUS worked but CoA failed.  Although the error message I had is slightly different, I thought it may be the same issue.  See my post here: http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/CoA-Fails/m-p/60572#M1214

     

    To solve my problem, I set the NAS IP under Security > Authentication > Advanced.  I did not set the NAS IP under the RADIUS server properties.  For some reason the CoA's were being sent to the master controller rather than my local controller where the client was. Very odd, but that's how I fixed my issue.



  • 7.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted May 31, 2013 11:15 PM

    Any chance you have multiple controllers in your environment?  If so, and they're in a master/local setup where the config is shared, then all your controllers would be using the same NAS IP since you set it up under the RADIUS server properties, rather than a unique NAS IP.  Try removing the NAS IP from the RADIUS server properties and set the loopback or another L3 interface as the RADIUS NAS IP under Security > Authentication > Advanced on each controller.  You'll need to be sure to add each controller's NAS IP to ClearPass as well.  This way each controller sources its RADIUS requests with a unique IP, and CoA's are sent to the correct controller (where the client is).

     

    Hope that's helpful.



  • 8.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted Jun 01, 2013 07:30 AM
    • No, it's just 1 controller.
    • And yes, the RFC key is the right one.. (I entered it with view commands just to be sure)

     



  • 9.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    EMPLOYEE
    Posted Jun 01, 2013 07:54 AM

    kdisc98,

     

    Is there a firewall between the controller and CPPM?

     



  • 10.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted Jun 01, 2013 08:26 AM

    Hi cjoseph! :smileyhappy:

    Good morning :smileywink:

    That's what I started to think/examine last night. Yep - there is a FW (FortiGate).

    That's why I asked - how may I monitor the RFC traffic (ports?? UDP/TCP?)

     

    Please advise.

     

    Thanks in advance.

     

    Me



  • 11.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client
    Best Answer

    EMPLOYEE
    Posted Jun 01, 2013 08:32 AM

    UDP 3799 in both directions.



  • 12.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted Jun 01, 2013 08:34 AM
    Thanks for the info (that's the info I was looking for :) ) - I will check it first thing tomorrow morning at the lab.


  • 13.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted Jun 02, 2013 04:33 AM

    It was a FW issue - thanks! After opening the needed port (from the post above) everything is working fine.

    It's weird... this port isn't written in this doc:

    Capture.PNG



  • 14.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    EMPLOYEE
    Posted Jun 02, 2013 09:35 AM

    Thank you.  We will get it changed...



  • 15.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    EMPLOYEE
    Posted Jun 03, 2013 09:35 PM

    And if you are using AirGroup, make sure you open that port as well. Default is 5999.



  • 16.  RE: RADIUS CoA <> Aruba Controller - everything working..but when I try to disconnect client

    Posted Jun 04, 2013 03:18 AM

    Thanks for the info :smileyhappy:... so it's another port that ain't written in the above PDF.
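
For anyone tracing the same symptom, the two checks raised in this thread (does the RFC 3576 key match, and is the request actually arriving on UDP 3799) can be run against the payload of a captured datagram. The following is an added example, not code from the thread or from Aruba: it parses a RADIUS Disconnect/CoA packet and recomputes its Request Authenticator as defined in RFC 5176 (which obsoletes RFC 3576); the shared secret, NAS IP and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes; requests are sent to UDP port 3799 on the NAS (the controller)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id", 101: "Error-Cause"}

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    """Build a sample request for testing; attrs is a list of (type, value-bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = request_authenticator(code, ident, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(packet):
    """Decode the header and attribute TLVs of a dynamic-authorization packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((ATTR_NAMES.get(atype, str(atype)), packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def key_matches(packet, secret):
    """True if the packet's Request Authenticator was computed with this shared secret."""
    parse(packet)  # raises ValueError on a malformed packet before any hashing
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = request_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: Disconnect-Request for "testuser"; secret and NAS IP are made up
SECRET = b"example-shared-key"
SAMPLE = build_request(40, 7, [(1, b"testuser"), (4, bytes([192, 0, 2, 10]))], SECRET)

if __name__ == "__main__":
    print(parse(SAMPLE))
    print(key_matches(SAMPLE, SECRET), key_matches(SAMPLE, b"wrong-key"))
```

If no datagram to UDP 3799 shows up in a capture on the controller side at all, the request is being dropped in the path, which is the firewall case this thread ended on; a datagram that arrives but fails `key_matches` points at the key instead.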