Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius_COA with ClearPass and Aruba Controller

  • 1.  Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 11:20 AM

    ClearPass 6.4.4

    ArubaOS 6.4.2.3

     

    Issue:  ClearPass Access Tracker > Change Status > RADIUS COA > [Aruba Terminate Session]  ClearPass gives a successful Radius terminate session message, but the Client/Controller does not respond.

     

    I have 2 services running on ClearPass to enable 802.1x with the Aruba controller, with health checks.  One service for 802.1x with an enforcement policy that includes a posture rule/condition.  I also have the webauth service for OnGuard.

    Initial sign-on and authentication to the network works beautifully.  

    I have OnGuard set to check if the client has a firewall enabled.  If it fails the health check, it assigns a role to only access a webpage where OnGuard can be downloaded or the dissolvable app can be used.  Once the health is checked, and a healthy client is verified, a second authorization is forced, and ClearPass correctly assigns a new role for full access.

     

    Now I want to make sure OnGuard can detect changes, auto remediate, etc.

    I'm also just checking the functionality of Radius COA.

    (Auto-remediate isn't working either, but I'm thinking the issue with a manual terminate is what I need to fix to help out with that issue.)

     

    When forcing a terminate session via the access tracker/change status, I get a successful message but no behaviour is seen from the client or Controller.

     

    This is my first attempt to validate this for a POC, so I appreciate any help or obvious thing I'm overlooking.

     

    I've tried opening up the Aruba firewall rules to allow-all on every role, just to make sure nothing is blocking or misconfigured.  I have also tried disabling the firewall on my client and sending the terminate session.  All behavior is the same as above.

     

    Thanks,

    Colin King 

     



  • 2.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 12:45 PM

    Based on what you are describing, it looks like the CoA (Aruba Terminate Session) is working as expected: it is able to apply a CoA based on the posture (Health Service/Enforcement Policy), and then the device reauths again and gets the right access based on the posture (802.1X Authentication Service/Enforcement Policy).

     

    If you are trying to test when a device is healthy and then becomes unhealthy because the user disabled the firewall functionality, it takes up to 1 minute for the OnGuard agent to detect this:

    https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/OnGuard-Check-Interval 

     

    Also make sure you allow ports 6658 TCP/443 on the role that the user is attached to, so that the OnGuard agent can communicate properly with ClearPass.



  • 3.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 01:23 PM

    Victor,

     

    One of the reasons I'm trying the manual Change Status to terminate the session is that I was not seeing anything happen after waiting for a minute for the OnGuard to detect a status change. 

     

    If I use Change Status to manually terminate the session, shouldn't I immediately see the client disconnect and try to re-authenticate?

     

    2nd point is that I temporarily placed allow-all (any,any,any permit) rules into all of my policies just to make sure the Aruba firewall and my config were not the culprit.  I haven't done anything with the Win7 client I'm using.  However, if I have the firewall disabled, and manually terminate the session, I should not have an issue, correct?

     

    (This isn't a production deployment.  Just a test setup.)

     

    Thank you for the reply,

    Colin



  • 4.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 01:39 PM

    That's correct: once you initiate a CoA you should see in Access Tracker the device performing a reauth on the 802.1X.

     

    "However, if I have the firewall disabled, and manually terminate the session, I should not have an issue correct?"

    This shouldn't be an issue.

     

    Validate the following:

    - If there's a firewall in between, make sure to allow 3799.

    - What do you have defined as your RADIUS NAS IP address on your controller? Run the following: "show ip radius nas-ip". Make sure it is the controller IP and that it exists in the list of network devices in ClearPass.

    - Make sure that RFC-3576 has been added to the AAA profile in the controller and that the shared key matches the RADIUS key defined in ClearPass.

    - In ClearPass make sure you enabled CoA for the network device.
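The checklist above comes down to the RFC 3576/5176 Disconnect-Request (the packet behind "Aruba Terminate Session") reaching UDP 3799 and carrying an authenticator computed with the same shared secret on both sides. The following added example (not code from the thread, ClearPass or ArubaOS) builds such a request, then replays what the NAS does on receipt so you can see why a secret mismatch produces silence rather than an error; the identifier, secrets and attribute values are constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # RFC 5176 packet codes
COA_PORT = 3799                               # the port the checklist says to allow
USER_NAME, CALLING_STATION_ID = 1, 31          # RFC 2865 attribute types

def encode_attrs(attrs):
    """Encode (type, value) pairs into RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_disconnect_request(ident, secret, attrs):
    """RFC 5176 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def nas_verify_request(packet, nas_secret):
    """NAS side: recompute the authenticator with its own secret. A mismatch is silently
    discarded (RFC 5176 s.2.3), so a wrong shared key looks exactly like 'no response'."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + nas_secret).digest()
    return hmac.compare_digest(auth, expected)

def build_response(code, request, nas_secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + nas_secret).digest()

def client_verify_response(response, request, secret):
    """Server side: accept the ACK only if its identifier and authenticator match our request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)

def simulate(client_secret, nas_secret):
    """End-to-end exchange; returns the response code the sender sees, or None when the NAS drops the request."""
    req = build_disconnect_request(7, client_secret,
                                   [(USER_NAME, b"colin"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])
    if not nas_verify_request(req, nas_secret):
        return None                              # dropped on the floor, nothing comes back
    ack = build_response(DISCONNECT_ACK, req, nas_secret)
    return DISCONNECT_ACK if client_verify_response(ack, req, client_secret) else None

if __name__ == "__main__":
    print("matching secrets:", simulate(b"constructed-key", b"constructed-key"))   # 41
    print("mismatched secrets:", simulate(b"constructed-key", b"other-key"))       # None
```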



  • 5.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 24, 2015 06:17 PM

    Victor,

     

    All configurations were good with the items listed in your "Validate the following".

     

    I think everything is working correctly. I had assumed that I would see some sort of disconnection or reaction from the client when using the change status > Radius COA > terminate.

    I enabled logging debug dot1x and saw that the authentication was indeed happening again after manually terminating.  My only hiccup was that I was trying to enable logging to the console, but was unable to do that.  I found it through the GUI, so all is good now.

     

    Thanks for the help,

    Colin