Frequent Contributor II

RADIUS CoA not working

I'm working through some training labs from a ClearPass class I took last year. I set up a captive portal guest between my controller and CPPM. Everything works great, but I can't get the CoA to work. When I open the Access Tracker and change status, it won't terminate the user. When I look at the logs on the controller, where I set up debug for process Authmgr, I get this:

May 27 10:29:38 :121006:  <3810> <WARN> |authmgr| |aaa| RADIUS (RFC 3576): Ignoring request from unknown client 10.20.20.200.

I have verified the RFC 3576 server shared key is correct and matches my RADIUS server configuration. Is there another setting on the controller that I need to set? I can't find anything.

Other than the CoA, everything else with regard to RADIUS works fine. I have already done some 802.1x labs with no issues.

 

mkk
Contributor II

Re: RADIUS CoA not working

Some questions:

  • What is your ClearPass version, 6.7.x or 6.6.x?
  • What is your 3810 switch firmware?

CPPM > Configuration > Network > Devices

Be sure you use the correct Vendor Name in your NAD configuration.

I made the mistake before: the Vendor Name isn't Aruba but HP Enterprise.

 

On your switch configuration be sure that you configured this:

radius-server host "ip-clearpass" dyn-authorization

I am not 100% sure, but I think firmware release 16.04 is needed to do this.

Frequent Contributor II

Re: RADIUS CoA not working

CPPM version 6.6. An Aruba 7005 wireless controller is the NAD. Test devices are an iPad and Win 7. Connecting using the guest service with a local guest user account. Also tested it with an 802.1x local user account; both connect fine, but when I try to change status with CoA it says the NAD does not respond. The controller log I posted above says it doesn't seem to recognize the server even though it authenticated with it.

Guru Elite

Re: RADIUS CoA not working

Do you have an RFC 3576 profile added to the proper AAA profile?

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
mkk
Contributor II

Re: RADIUS CoA not working

Can you upload some screenshots of your AAA profile and Server Group?

mkk
Contributor II

Re: RADIUS CoA not working

Does this help you?

 

[Attached screenshots: Schermafbeelding 2018-05-27 om 22.41.17.png, Schermafbeelding 2018-05-27 om 22.41.24.png]

Frequent Contributor II

Re: RADIUS CoA not working

Here is some of the controller config. Thanks for the pictures; I usually use the CLI. As you can see, the key is the same.

 

ap-group "New-Group"
   virtual-ap "secure"
   virtual-ap "guest"
   enet2-port-profile "NoAuthWiredPort"
   enet3-port-profile "NoAuthWiredPort"
   enet4-port-profile "NoAuthWiredPort"
   ap-system-profile "apsys_prof-uwk73"


wlan virtual-ap "guest"
   aaa-profile "Captive_Portal-aaa_prof"
   ssid-profile "Captive_Portal-ssid_prof"
   vlan 1

aaa profile "Captive_Portal-aaa_prof"
   initial-role "Captive_Portal-cp_prof"
   mac-server-group "cppm"
   radius-accounting "cppm"
   rfc-3576-server "10.10.10.200"

aaa server-group "cppm"
   auth-server CPPM

aaa authentication-server radius "CPPM"
   host "10.20.20.200"
   key "aruba"

aaa rfc-3576-server "10.10.10.200"
   key "aruba"



Guru Elite

Re: RADIUS CoA not working

Your RADIUS server and RFC 3576 server should be the same IP and secret.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
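
A consistency check for the mismatch identified in this answer, as an added example that is not part of the original thread and not an Aruba tool: it parses the AAA stanzas from the config posted above and flags a RADIUS server with no rfc-3576-server entry for the same IP, a differing key, or a profile pointing at a non-RADIUS host. The function names and the indentation-based parser are assumptions of the example.

```python
import shlex

# Constructed input: the AAA stanzas from the controller config posted above.
CONFIG = '''\
aaa profile "Captive_Portal-aaa_prof"
   mac-server-group "cppm"
   radius-accounting "cppm"
   rfc-3576-server "10.10.10.200"
aaa server-group "cppm"
   auth-server CPPM
aaa authentication-server radius "CPPM"
   host "10.20.20.200"
   key "aruba"
aaa rfc-3576-server "10.10.10.200"
   key "aruba"
'''

def parse_stanzas(text):
    """Map (stanza kind, name) -> [(keyword, value), ...] for each config stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if not line[0].isspace():          # an unindented line opens a new stanza
            current = stanzas.setdefault((" ".join(words[:-1]), words[-1]), [])
        elif current is not None and len(words) >= 2:
            current.append((words[0], words[-1]))
    return stanzas

def check_coa(text):
    """Return findings where RADIUS and RFC 3576 (CoA) settings disagree."""
    stanzas = parse_stanzas(text)
    radius = {n: dict(b) for (k, n), b in stanzas.items()
              if k == "aaa authentication-server radius"}
    coa = {n: dict(b) for (k, n), b in stanzas.items() if k == "aaa rfc-3576-server"}
    hosts = {srv.get("host") for srv in radius.values()}
    findings = []
    for name, srv in radius.items():
        host = srv.get("host")
        if host not in coa:                # CoA from this server would be ignored
            findings.append(f"{name}: no rfc-3576-server for {host}")
        elif coa[host].get("key") != srv.get("key"):
            findings.append(f"{name}: rfc-3576-server {host} key differs")
    for (kind, name), body in stanzas.items():
        if kind == "aaa profile":
            findings += [f"profile {name}: rfc-3576-server {v} is not a RADIUS host"
                         for kw, v in body if kw == "rfc-3576-server" and v not in hosts]
    return findings

if __name__ == "__main__":
    print("\n".join(check_coa(CONFIG)) or "CoA config consistent")
```
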
Frequent Contributor II

Re: RADIUS CoA not working

Good catch there, 10.20.20.200 vs RFC 10.10.10.200. LOL, eyes play tricks on ya, thanks. Now I just have to figure out when my kids go to Snapchat they get disconnected from the wireless :)

 

[Attached image: Capture.JPG]
