10-15-2016 01:16 AM - edited 10-15-2016 01:22 AM
Just wanted to save some grief (hopefully) if this issue were to arise while doing an install / configuration. I spent about 6 hours on the phone today with TAC, and I was able to ascertain the solution to a very strange problem that was preventing [Aruba Terminate Session] from actually sending a CoA to a controller, and subsequently to a user.
Long story short, the shared key that you use between the controller and ClearPass for RADIUS auth, and the key that you use between the controller and ClearPass for RFC 3576 (normally the same), have a deceptive character limit (specifically on the RFC 3576 side). The client was using a keygen program to generate the key for their deployment, and it was generating a key that was 20 characters long. A test user was not getting terminated via CoA.
After doing numerous packet captures and looking at various things, we found something in the user logs for aaa that showed dropped packets and "Bad Auth". Further logs in CPPM showed that there was a "bad rfc digest", or something to that effect.
I pulled up a document about RFC and found that the maximum character length for an rfc digest is 16 characters. Our key was 4 characters too long. What a weird thing.
So after changing the key to a shorter, 6-character key, the [Aruba Terminate Session] function worked, and our CPPM logic fell into place. We were able to authenticate a user successfully.
If anyone needs any clarification on this, please let me know. I also feel that Aruba needs to limit the key length for RFC 3576 servers to something around 14 characters or so, just to be on the safe side.
EDIT: Just to be clear, RADIUS auth was working just fine, but the CoA function was not, even with a 20-character key.
Good luck out there, and have fun!
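As an added illustration (not from the post above, and not ClearPass or controller code) of the digest the post refers to: RFC 3576/5176 CoA-Request packets carry a Request Authenticator computed as MD5 over the packet plus the shared secret, and the NAS recomputes it with its own copy of the secret. If the two secrets differ in any way, the recomputed digest will not match and the request is discarded rather than terminating the session. The secrets and the User-Name value below are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS packet code for CoA-Request (RFC 5176)
USER_NAME = 1     # RADIUS attribute type for User-Name


def radius_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier, attributes, secret):
    """Build a CoA-Request with its Request Authenticator filled in.

    RFC 5176 section 2.3: Request Authenticator = MD5(Code + Identifier +
    Length + 16 zero octets + request attributes + shared secret).
    """
    length = 20 + len(attributes)  # 4-byte header + 16-byte authenticator
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    digest = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + digest + attributes


def verify_coa_request(packet, secret):
    """Recompute the Request Authenticator the way a NAS does.

    Returns True only if the sender used the same shared secret; a
    mismatch is the "bad digest" / "Bad Auth" condition, and the NAS
    silently drops the request instead of terminating the session.
    """
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: ClearPass sends a CoA for "testuser".
    attrs = radius_attribute(USER_NAME, b"testuser")
    pkt = build_coa_request(7, attrs, b"secret-configured-on-cppm")
    print("same secret on NAS   ->", verify_coa_request(pkt, b"secret-configured-on-cppm"))
    print("different secret     ->", verify_coa_request(pkt, b"secret-configured-on-ctrl"))
```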