Security

Reply
MVP
Posts: 1,408
Registered: ‎05-28-2008

RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect client

Hi Guys,

I deployed a ClearPass CPPM ,and configured everything like it should and like my client want. everything working well.

(A6000M3 6.1.3.8 +  ClearPass Policy Manager 6.0.2.46902 on CP-SW-VA platform)

 

 

BUT i have 1 issue:

 

RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect client i'am getting the following error:

Error disconnecting session for user testuser. Please check ClearPass Policy Manager -> Access Tracker for more details.

 


When i'am checking the Access Tracker - i can see this info:

44.PNG

 

Anyone can explain me why is it? if the CPPM can send the connect + right role change after user login to the Controller,Why when i ask him to disconnect a client i'am getting this error?

This is how my CPPM base config in front of the Aruba Controller:

55.PNG

 

 

 

66.PNG

 

 

Please advise.

 

Thanks

Me.

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie


Did you defined under the security > authentication > servers > RFC 3576 ?

Make sure that when you enter the server IP address you also add the key
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

Make sure that the NAS IP defined on the controller is the same as what you've defined in ClearPass for that device.
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

Hi, vfabian

Hi, thecompnerd

:smileyhappy:

As i wrote before - everything working just fine except the disconnect process.

 

even due i quad triple :smileytongue: check the RFC + Radius settings on my controller | havent found anything mis-configured ...users getting the needed roles...it's just the disconnect process.

 

screenshots from my controller:

 

2.PNG

3.PNG]4.PNG

 

 


please advised...what may be the reason? how do i know if RFC is passing between the controller to the CPPM? is there any way?

 

I must solve this issue before sunday,

 

Thanks in advance.

 

Me

 

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

 

 

Can you confirm if the key on RFC server matches the key in the CCPM or Radius Key in the controller ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

[ Edited ]

kdisk98,

 

I mentioned verifying the NAS IP because I had the same problem months ago where RADIUS worked but CoA failed.  Although the error message I had is slightly different, I thought it may be the same issue.  See my post here: http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/CoA-Fails/m-p/60572#M1214

 

To solve my problem, I set the NAS IP under Security > Authentication > Advanced.  I did not set the NAS IP under the RADIUS server properties.  For some reason the CoA's were being sent to the master controller rather than my local controller where the client was. Very odd, but that's how I fixed my issue.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

Any chance you have multiple controllers in your environment?  If so, and they're in a master/local setup where the config is shared, than all your controllers would be using the same NAS IP since you setup it up under the RADIUS server properties, rather than a unique NAS IP.  Try removing the NAS IP from the RADIUS server properties and set the loopback or another L3 interface as the RADIUS NAS IP under Security > Authentication > Advanced on each controller.  You'll need to be sure to add each controller's NAS IP to ClearPass as well.  This way each controller sources its RADIUS requests with a unique IP, and CoA's are sent to the correct controller (where the client is).

 

Hope that's helpful.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

  • no,it's just 1 controller.
  • and yes the RFC key is the right one.. (i enter it with view commands just to bne sure)

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

kdisc98,

 

Is there a firewall between the controller and CPPM?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: RADIUS CoA <> Aruba Contoller - everything working..but when when i try to disconnect clie

Hi cjoseph ! :smileyhappy:

good morning :smileywink:

 

That's what i start to think/examine last night. yep - there is a FW (fortigate)

That's why i asked - how may i monitor the RFC traffic (ports ?? udp/tcp?)

 

Please advise.

 

Thanks in advance.

 

Me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Search Airheads
Showing results for 
Search instead for 
Did you mean: