Wireless Access

Frequent Contributor I

MAC OSx CoA issue

Hi,

 

We faced an issue while using CoA from ClearPass with Mac OS X. In ClearPass I have allowed access for all 802.1X clients that have correct credentials to a guest VLAN with limited access in order to get the device fingerprinting; then CPPM automatically sends a CoA to the clients after a successful fingerprinting, and the clients reauthenticate again and match the correct OS policies.

 

This works fine, except that after CoA the Mac OS X clients do not release the old IP and get a new IP from the new VLAN; they retain the old IP, which is not valid anymore.

 

Has anyone faced the same thing? I found the same issue reported with Cisco and ISE, but couldn't find an article or post from Aruba.

 

Android and iOS clients work fine with no issues.

 

Kind Regards

Re: MAC OSx CoA issue

Sorry, I can't answer that, but that is really neat what you've done there. Out of curiosity, how are you doing the CoA? Is it just a short session timeout?

 

Hope you manage to get it sorted for those Mac OS X clients.

 


 

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Frequent Contributor I

Re: MAC OSx CoA issue

Enabled "Profile Endpoints" under services and configured it to be triggered with any fingerprint update.

 

Then under the service I have created a policy at the top to match any endpoint whose "fingerprint" doesn't exist and assign the guest VLAN with the guest logon limitation, so that DHCP & HTTP will work and the profile gets updated; then CPPM does the rest of the magic :D

 

It works fine; it takes around 5 to 10 secs for the whole thing to work, for CoA to kick in, and for the client to reauthenticate again with the correct policy matching the OS.

 

Guru Elite

Re: MAC OSx CoA issue

Since the controller has a stateful firewall, why not just put them in the user VLAN and configure restrictions in the controller?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: MAC OSx CoA issue

Different VLANs depending on the group and OS, so there isn't a default VLAN for all :(

Re: MAC OSx CoA issue

Is this a Cisco WLC or switch?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: MAC OSx CoA issue

Aruba 7210 running 6.4.1

Re: MAC OSx CoA issue

Why don't you create an enforcement profile that sends the same VLAN the device will use again, but in the role only allow them to get DHCP and deny everything else? That way you don't have to keep moving them from one VLAN to another.

 

The other thing you could do is set a very short lease time for the guest VLAN the device will be in during the profiling process, which should be a very short amount of time.

 

[Attached screenshot: ClearPass Policy Manager - Aruba Networks]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: MAC OSx CoA issue

What's the reason for putting them in separate VLANs instead of user roles?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: MAC OSx CoA issue

Different VLANs for different users and OSes, so I cannot set the correct VLAN in the profiling phase, since the OS is not populated until fingerprinting is done.

 

Tried the lease time set to 1 min; still didn't help.
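An operational check for the symptom described in this thread (clients that keep a lease from the profiling VLAN after the CoA moved them to their user VLAN). This is an added example, not code from the thread or from ClearPass; the VLAN-to-subnet mapping and the accounting records are constructed sample data, and the field names are assumed rather than taken from any real ClearPass export.

```python
import ipaddress

# Constructed mapping from VLAN id to the subnet its DHCP scope serves
# (assumed values, not from the thread).
VLAN_SUBNETS = {
    100: ipaddress.ip_network("10.100.0.0/24"),  # guest / profiling VLAN
    200: ipaddress.ip_network("10.200.0.0/24"),  # user VLAN for macOS
    300: ipaddress.ip_network("10.30.0.0/24"),   # user VLAN for mobile devices
}

# Constructed accounting snapshot taken after the CoA has been applied:
# the VLAN the client was placed in and the IP the client is still using.
ACCOUNTING = [
    {"mac": "a4:5e:60:aa:bb:01", "vlan": 200, "ip": "10.100.0.23"},  # kept old lease
    {"mac": "3c:15:c2:aa:bb:02", "vlan": 300, "ip": "10.30.0.17"},   # renewed correctly
    {"mac": "dc:a6:32:aa:bb:03", "vlan": 200, "ip": "10.200.0.45"},  # renewed correctly
    {"mac": "00:11:22:aa:bb:04", "vlan": 100, "ip": "10.100.0.90"},  # still being profiled
    {"mac": "00:11:22:aa:bb:05", "vlan": 200, "ip": None},           # no address yet
]


def vlan_of_address(ip, vlan_subnets):
    """Return the VLAN whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for vlan, subnet in vlan_subnets.items():
        if addr in subnet:
            return vlan
    return None


def stale_lease_clients(records, vlan_subnets):
    """Return (mac, assigned_vlan, vlan_the_ip_belongs_to) for every client
    whose reported IP does not sit inside the subnet of its assigned VLAN,
    i.e. clients that did not renew DHCP after the CoA VLAN change."""
    stale = []
    for rec in records:
        subnet = vlan_subnets.get(rec["vlan"])
        if subnet is None or not rec.get("ip"):
            continue  # unknown VLAN or no address reported: nothing to judge
        if ipaddress.ip_address(rec["ip"]) not in subnet:
            stale.append((rec["mac"], rec["vlan"],
                          vlan_of_address(rec["ip"], vlan_subnets)))
    return stale


if __name__ == "__main__":
    for mac, assigned, actual in stale_lease_clients(ACCOUNTING, VLAN_SUBNETS):
        print(f"{mac}: placed in VLAN {assigned}, still using a VLAN {actual} lease")
```

Run against a real accounting export, a non-empty result lists the clients that would need a DHCP renew (or the restrictive-role approach suggested above) to become reachable again.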
