Anonymous
N/A

RADIUS CoA problem

I configured ClearPass for wireless authentication. Authentication for wireless 802.1x via MS-PEAP and captive portal is working without problems. I am using AeroHive access-points for the wireless networks.

 

ClearPass is configured with 2 NICs: one in the production environment and one in an internet-only segment. Clients connect to the AeroHive SSID and get a captive portal. I receive the RADIUS request in ClearPass and authentication works fine. I see the AeroHive IP address as NAS IP Address in the RADIUS request. The only thing that isn’t working is a CoA request. I would like to disconnect an active session. Within the guest portal I go to Guest – Active Session. I choose a guest user and click “Disconnect”. I receive the following error message (also attachment active-guest-error).

 

Error disconnecting session for user testuser. Please check ClearPass Policy Manager -> Access Tracker for more details.

 

When I check the Access Tracker, I don’t get any new logging information about the failure. I can also change the status from the Access Tracker by clicking Change Status. This doesn't work either, because I receive the following message (also attachment access-tracker-error).

 

No advertised access control capabilities for this MAC Address

 

I added every single AeroHive AP as Network Device and enabled RADIUS CoA (attachment aerohive). RADIUS authentication is working like a charm. Accounting is also working fine, because I can see the bandwidth consumption from the client.

MVP

Re: RADIUS CoA problem

 

Can you confirm in CPPM that you've set Aerohive as the Vendor in the device setup and checked the Enable Radius CoA? I see from your screenshot that it's set on the Aerohive AP.

 

Also - can you verify that UDP traffic on port 3799 is open both ways between the CPPM and Aerohive AP?

 

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Anonymous
N/A

Re: RADIUS CoA problem

John,

 

The configuration of the Network Device in CPPM is in the attachment. I checked that AeroHive is the vendor and Radius CoA is enabled.

 

The CPPM (Management Port) and AeroHive APs are part of the same VLAN, so there is no firewall in between. I am also in that subnet. I ran an nmap against both (CPPM and one AeroHive AP) and port UDP/3799 seems to be open.

 

PORT STATE SERVICE
3799/udp open|filtered unknown
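
An added example, not part of any post in this thread: nmap reports `open|filtered` for a UDP port when it receives no reply at all, so the scan above cannot show whether the AP is listening on 3799. The Python sketch below builds an RFC 5176 (formerly RFC 3576) Disconnect-Request and validates the ACK/NAK that a working CoA listener returns. The function names, shared secret and MAC address are assumptions for illustration, and `probe()` terminates the matching session if the NAS accepts it, so point it at a test user.

```python
import hashlib, hmac, socket, struct

# Hypothetical helper names; codes and attribute types are from RFC 5176 / RFC 2865.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ERROR_CAUSE = 1, 31, 101

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_disconnect_request(ident, secret, user, mac):
    """Disconnect-Request whose authenticator is MD5 over the packet with 16 zero octets."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def parse_reply(reply, request, secret):
    """Return (code, error_cause); raise ValueError on a malformed or unauthenticated reply."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    cause, i = None, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE and alen == 6:
            cause = struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += alen
    return code, cause

def probe(nas_ip, secret, user, mac, timeout=3.0):
    """Send one Disconnect-Request to UDP/3799; None means nothing answered."""
    req = build_disconnect_request(1, secret, user, mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_ip, 3799))
        try:
            return parse_reply(s.recvfrom(4096)[0], req, secret)
        except socket.timeout:
            return None
```

A return of `(41, None)` is a Disconnect-ACK; `(42, cause)` is a NAK carrying the Error-Cause value, which still proves that the listener is up and the shared secret matches.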

Re: RADIUS CoA problem

Make sure you have enabled the RFC 3576 Server on the Aerohive side of things; this would allow you to do CoA.

 

CoA - Aerohive.png 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Anonymous
N/A

Re: RADIUS CoA problem

Hi vfabian,

 

That's the first thing I checked in AeroHive. It is the only option to enable and configure RADIUS CoA in AeroHive.

Anonymous
N/A

Re: RADIUS CoA problem

I am a little bit further with the problem. I changed the vendor type on the Network Device from AeroHive to Aruba. Now I can disconnect WPA2 Enterprise from the Access Tracker and the CPPM Guest Active Sessions console.

 

The only problem left is that I cannot disconnect Guest users (self-registration) from the CPPM Guest Active Sessions console. It looks like accounting isn't working. The MAC address isn't populated in the active session table, as shown in the attachment. I am also missing the Accounting tab in the Access Tracker properties of a user.

Re: RADIUS CoA problem

Not sure, but I have seen Guest complain about Policy Manager not being configured for RADIUS accounting. Might that be your issue?

Otherwise, open a TAC case and please do report back the result.

Anonymous
N/A

Re: RADIUS CoA problem

TAC support told me that Radius CoA for AeroHive isn't supported in the current ClearPass version. I created a feature request to support AeroHive.

Frequent Contributor II

Re: RADIUS CoA problem

I have the same issue with Chillispot.

Pay attention before upgrading from amigopod to ClearPass, as I did, because you will lose some features (for example external radius proxy).

Andrea Consadori
ACMP 5.0 and 6.3


-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: RADIUS CoA problem


andrea.consadori wrote:

I have the same issue with Chillispot.

Pay attention before upgrading from amigopod to ClearPass, as I did, because you will lose some features (for example external radius proxy).


Andrea,

 

ClearPass does have external Radius Proxy. Which version did you NOT see it in?

proxy.png



Colin Joseph
Aruba Customer Engineering
