Occasional Contributor II
Posts: 31
Registered: ‎05-04-2011

Radius_COA with ClearPass and Aruba Controller

ClearPass 6.4.4

ArubaOS 6.4.2.3

 

Issue:  ClearPass Access Tracker > Change Status > RADIUS COA > [Aruba Terminate Session]  ClearPass gives a successful Radius terminate session message, but the Client/Controller does not respond.

 

I have 2 services running on ClearPass to enable 802.1X with the Aruba controller, with health checks.  One service for 802.1X with an enforcement policy to include a posture rule/condition.  I also have the webauth service for OnGuard.

Initial sign-on and authentication to the network works beautifully.  

I have the OnGuard set to check if the client has a firewall enabled.  If it fails the health check, it assigns a role to only access a webpage where the OnGuard can be downloaded or the dissolvable app used.  Once the health is checked, and a healthy client is verified, a second authorization is forced, and ClearPass correctly assigns a new role for full access.

 

Now I want to make sure OnGuard can detect changes, auto remediate, etc.

I'm also just checking the functionality of Radius COA.

(Auto-remediate isn't working either, but I'm thinking the issue with a manual terminate is what I need to fix to help out with that issue.)

 

When forcing a terminate session via the access tracker/change status, I get a successful message but no behaviour is seen from the client or Controller.

 

This is my first attempt to validate this for a POC, so I appreciate any help or obvious thing I'm overlooking.

 

I've tried opening up the Aruba firewall rules to allow-all on every role, just to make sure nothing is blocking or misconfigured.  I have also tried disabling the firewall on my client and sending the terminate session.  All behavior is the same as above.

 

Thanks,

Colin King 

 

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Radius_COA with ClearPass and Aruba Controller

[ Edited ]

Based on what you are describing, it looks like the CoA (Aruba Terminate Session) is working as expected: it is able to apply a CoA based on the posture (Health Service/Enforcement Policy), and then the device reauths again and gets the right access based on the posture (802.1X Authentication Service/Enforcement Policy).

 

If you are trying to test when a device is healthy and then becomes unhealthy because the user disabled the firewall functionality, it takes up to 1 minute for the OnGuard agent to detect this:

https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/OnGuard-Check-Interval 

 

Also make sure you allow ports 6658 TCP/443 on the role the user is attached to, so that the OnGuard agent can communicate properly with ClearPass.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 31
Registered: ‎05-04-2011

Re: Radius_COA with ClearPass and Aruba Controller

Victor,

 

One of the reasons I'm trying the manual Change Status to terminate the session is that I was not seeing anything happen after waiting for a minute for the OnGuard to detect a status change. 

 

If I use Change Status to manually terminate the session, shouldn't I immediately see the client disconnect and try to re-authenticate?

 

2nd point is that I temporarily placed allow-all (any,any,any permit) rules into all of my policies just to make sure the Aruba firewall, and my config was not the culprit.  I haven't done anything with the Win7 client I'm using.  However, if I have the firewall disabled, and manually terminate the session, I should not have an issue correct?

 

(This isn't a production deployment.  Just a test setup.)

 

Thank you for the reply,

Colin


MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Radius_COA with ClearPass and Aruba Controller

That's correct; once you initiate a CoA you should see in Access Tracker the device performing a reauth on the 802.1X.

 

However, if I have the firewall disabled, and manually terminate the session, I should not have an issue correct?

This shouldn't be an issue.

 

Validate the following:

- If there's a firewall in between, make sure to allow 3799

- What do you have defined as your RADIUS NAS IP address on your controller? Run the following: "show ip radius nas-ip". Make sure it is the controller IP and that it exists in the list of network devices in ClearPass

- Make sure that RFC-3576 has been added to the AAA profile in the controller and that the shared key matches the RADIUS key defined in ClearPass

- In ClearPass make sure you enabled CoA for the network device

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
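As an added illustration (not code from this thread, from Aruba or from ClearPass): this builds the Disconnect-Request that a "Terminate Session" CoA sends to the controller on UDP/3799 per RFC 5176 (the RFC 3576 successor) and checks the authenticator on the controller's ACK/NAK, which is the part that fails when the RFC-3576 key on the AAA profile does not match the ClearPass shared secret. The secret, packet identifier and attribute values below are constructed samples.

```python
import hashlib
import struct

# RFC 5176 packet codes used by ClearPass CoA / Terminate Session.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
COA_PORT = 3799  # UDP port the controller must be reachable on

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for typ, val in attrs:
        if isinstance(val, str):
            val = val.encode()
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def build_disconnect_request(secret, ident, attrs):
    """Return (packet, request_authenticator) for a Disconnect-Request.
    RFC 5176: authenticator = MD5(code + id + length + 16 zero bytes
    + attributes + shared secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret.encode()).digest()
    return header + auth + body, auth

def build_response(code, ident, req_auth, secret, attrs=()):
    """What the NAS computes for its ACK/NAK: MD5(code + id + length
    + request authenticator + reply attributes + shared secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + req_auth + body + secret.encode()).digest()
    return header + auth + body

def verify_response(reply, req_auth, secret):
    """Validate an ACK/NAK against the request's authenticator.
    Returns (authenticated, code). A failed check on a well-formed
    reply usually means the RFC-3576 key on the controller does not
    match the RADIUS shared secret configured in ClearPass."""
    if len(reply) < 20 or len(reply) != struct.unpack("!H", reply[2:4])[0]:
        return False, None
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret.encode()).digest()
    return expected == reply[4:20], reply[0]
```

Send the request bytes to your lab controller's CoA port with a plain UDP socket and pass the reply to verify_response: a NAK with Error-Cause means the controller heard you but rejected the session reference, while no reply at all points at 3799 being blocked or the NAS IP mismatch listed above.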
Occasional Contributor II
Posts: 31
Registered: ‎05-04-2011

Re: Radius_COA with ClearPass and Aruba Controller

Victor,

 

All configurations were good with the items listed in your "Validate the following".

 

I think everything is working correctly. I had assumed that I would see some sort of disconnection or reaction from the client when using the Change Status > RADIUS CoA > Terminate.

I enabled logging debug dot1x and saw that the authentication was indeed happening again after manually terminating.  My only hiccup was that I was trying to enable logging to the console, but was unable to do that.  I found it through the GUI, so all is good now.

 

Thanks for the help,

Colin 
