08-06-2014 03:17 AM
We faced an issue while using CoA from ClearPass with Mac OS X. In ClearPass I have allowed all 802.1X clients that have correct credentials access to a guest VLAN with limited access in order to get the device fingerprint; CPPM then automatically sends a CoA to the clients after a successful fingerprint, and the clients reauthenticate again and match the correct OS policies.
This works fine, except that after the CoA the Mac OS X clients do not release the old IP and get a new IP from the new VLAN; they retain the old IP, which is not valid anymore.
Has anyone faced the same thing? I found the same issue reported with Cisco and ISE but couldn't find an article or post from Aruba.
Android and iOS clients work fine with no issues.
08-06-2014 04:02 AM
Sorry, I can't answer that, but what you've done there is really neat. Out of curiosity, how are you doing the CoA? Is it just a short session timeout?
Hope you manage to get it sorted for those Mac OS X clients.
If my post is helpful please give kudos, or mark as solved if it answers your post.
ACCP, ACMP, ACMX #294
08-06-2014 04:08 AM - edited 08-06-2014 04:16 AM
Enabled "Profile Endpoints" under Services and configured it to be triggered by any fingerprint update.
Then under the service I created a policy at the top to match any endpoint for which "fingerprint" doesn't exist and assign the guest VLAN with the guest logon limitation, so that DHCP and HTTP will work and the profile will get updated; then CPPM does the rest of the magic :D
It works fine; it takes around 5 to 10 seconds for the whole thing to work, for the CoA to kick in, and for the client to reauthenticate with the correct policy matching the OS.
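As an added example (not code from this thread, from ClearPass, or from Aruba): what the "CoA" step in the flow above is on the wire. RFC 5176 defines the CoA-Request (code 43) and Disconnect-Request (code 40) that a RADIUS server sends to the NAS, authenticated with the shared secret, and RFC 2868 defines the Tunnel-* attributes used for VLAN assignment. The shared secret, MAC address, session ID and VLAN number below are constructed sample values; which attributes CPPM actually puts in its CoA (it may use a vendor-specific attribute instead of a VLAN change) is not shown on this page, so the builder is kept generic.

```python
import hashlib
import hmac
import struct

# Packet codes defined by RFC 5176 (RADIUS Dynamic Authorization Extensions).
DISCONNECT_REQUEST = 40
COA_REQUEST = 43

# Attribute types used below (RFC 2865 and RFC 2868).
USER_NAME = 1
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1 octet), Length incl. header (1 octet), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-octet tag and a 3-octet integer."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=0):
    """RFC 2868 triple used for dynamic VLAN assignment:
    Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-Id=<vlan>."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, 13))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, 6))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_request(code, identifier, attributes, secret):
    """Build a CoA-Request (43) or Disconnect-Request (40).

    RFC 5176 section 3: Request Authenticator = MD5(Code + Identifier + Length
    + 16 zero octets + Attributes + Secret). The NAS recomputes this with its
    copy of the shared secret, so a sender without the secret cannot forge one.
    (RFC 5176 also allows an HMAC-MD5 Message-Authenticator attribute; omitted here.)
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_request(packet, secret):
    """What the NAS does on receipt: check the length field, recompute the authenticator."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute list; returns [(type, value), ...], rejecting bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


# Constructed sample values for the demonstration, not from any real deployment.
SECRET = b"constructed-shared-secret"
MAC = b"a4-5e-60-11-22-33"      # Calling-Station-Id; the exact MAC format varies by NAS
SESSION = b"0001A2B3"           # Acct-Session-Id assigned by the NAS at authentication


def coa_move_to_vlan(identifier, vlan_id, secret=SECRET, mac=MAC, session=SESSION):
    """CoA-Request that identifies the session and carries the VLAN to apply to it."""
    attrs = (avp(CALLING_STATION_ID, mac) + avp(ACCT_SESSION_ID, session)
             + vlan_attributes(vlan_id))
    return build_request(COA_REQUEST, identifier, attrs, secret)


def disconnect_session(identifier, secret=SECRET, mac=MAC, session=SESSION):
    """Disconnect-Request: tear the session down so the client must re-authenticate."""
    attrs = avp(CALLING_STATION_ID, mac) + avp(ACCT_SESSION_ID, session)
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    pkt = coa_move_to_vlan(7, 20)
    print(pkt.hex())
    print(verify_request(pkt, SECRET), parse_attributes(pkt))
```

Note that the authenticator only binds the request to the shared secret; it does not tell the client anything. Whether a station renews its DHCP lease after the NAS moves it to another VLAN is entirely up to the client's link-state handling, which is why a valid CoA can still leave a client holding a stale address.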
08-06-2014 05:04 AM
08-06-2014 06:08 AM - edited 08-06-2014 06:10 AM
Why don't you create an enforcement profile that sends the same VLAN the device will use again, but in the role only allow them to get DHCP and deny everything else? That way you don't have to keep moving them from one VLAN to another.
The other thing you could do is set a very short lease time for the guest VLAN the device will use during the profiling process, which should be a very short amount of time.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
08-06-2014 06:16 AM
Different VLANs for different users and OSs, so I cannot set the correct VLAN in the profiling phase, since the OS is not populated until fingerprinting is done.
Tried the lease time set to 1 min; still didn't help.