
ClearPass and Cisco CoA Failing

  • 1.  ClearPass and Cisco CoA Failing

    Posted Sep 23, 2022 10:08 AM

    Hi Folks,

    I'm working on a new ClearPass deployment, and attempting to get CoA working.  RADIUS is functioning properly, but I receive the following message when any CoA is attempted: No response from network device

    As far as I can tell, I've set everything up properly.  Within my network devices, I've selected: Enable RADIUS Dynamic Authorization, and have confirmed port 3799 traffic is observed and allowed through the firewalls.

    From a Cisco switch standpoint, I've configured the following (and verified that the secret is correct):

    aaa server radius dynamic-author
    client <ip> server-key <key>
    port 3799
    auth-type all

    As this is my first deployment, I'm struggling to find anything that may help me to investigate this further - logs, etc. in ClearPass.  As mentioned, I can see the request go from ClearPass to the switch in question through the firewalls, so something is happening... The dot1x request succeeds, and the device is allowed access to the network based on the proper Service/profile, etc.

    Any troubleshooting help would be greatly appreciated!



  • 2.  RE: ClearPass and Cisco CoA Failing

    Posted Sep 23, 2022 12:58 PM
    The dynamic author commands look correct but Cisco default for CoA is UDP/1700.  I would remove the custom port assignment in the Dynamic-author commands and change the ClearPass side to use 1700.


  • 3.  RE: ClearPass and Cisco CoA Failing

    EMPLOYEE
    Posted Sep 23, 2022 07:05 PM
    The exact same dynamic author commands work fine with my setup using CoA 3799. The switch is running version 15.0(2).
    What is the NAS IP that shows in Access Tracker? If it is coming from a different IP address on the same switch, then maybe you need to have "ip radius source-interface".


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: ClearPass and Cisco CoA Failing

    Posted Sep 24, 2022 10:17 AM

    Thanks for the responses.  The access tracker info shows the correct IP, and I am seeing in the firewall the request to the correct IP as well.  As far as firmware and model, these are 9300s running

    Cisco IOS XE Software, Version 17.03.05




  • 5.  RE: ClearPass and Cisco CoA Failing

    Posted Sep 30, 2022 02:55 PM

    I was able to get to the bottom of this one.  I had to:
    1) specify a vrf
    2) move the server-key to its own line

    aaa server radius dynamic-author
    client <clearpass>
    client <clearpass> vrf management
    server-key <key>
    port 3799
    auth-type all

    It would not work with the server-key specified in the client line, and also wouldn't work without the vrf (this one makes sense).  Thanks for the help!
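
What the switch's "aaa server radius dynamic-author" listener receives on UDP/3799 (or Cisco's default UDP/1700) is a RADIUS CoA-Request or Disconnect-Request as defined in RFC 5176. A "No response from network device" error from ClearPass only says that no datagram came back; it does not distinguish a packet that never reached the listener (firewall, wrong port, wrong VRF) from one the listener silently dropped (wrong server-key, unknown client address). Being able to send a request by hand from any host that can reach the switch, with a correct Message-Authenticator, and to validate whatever comes back, separates those cases. The following is an added example written for this thread, not ClearPass or Cisco code; it hand-rolls the packet format with only the Python standard library. The secret, username, Acct-Session-Id and address are constructed placeholders, and which attributes a given switch accepts in a CoA-Request is vendor-specific and not covered here.

```python
"""Hand-rolled RADIUS CoA/Disconnect client (RFC 5176) for probing a NAS's
dynamic-authorization listener.  Added example; standard library only."""
import hashlib
import hmac
import os
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types used here (RFC 2865 / 2866 / 2869 / 5176).
USER_NAME, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 1, 44, 80, 101


def encode_attrs(attrs):
    """attrs: list of (type, value bytes). RADIUS TLV = type(1) length(1) value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_coa_request(secret, identifier, attrs, code=COA_REQUEST):
    """Return (packet, request_authenticator).
    Message-Authenticator = HMAC-MD5(secret) over the packet with both the
    Authenticator field and the MA value zeroed; then the Request
    Authenticator = MD5(header || 16 zero octets || attributes || secret)."""
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    ma = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, ma)
    body = encode_attrs(attrs)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body, req_auth


def check_request_ma(secret, packet):
    """What the NAS does on receipt: recompute the Message-Authenticator with
    the Authenticator field and the MA value zeroed.  A wrong server-key fails
    here, and most NASes then drop the request without any reply."""
    header, body = packet[:4], packet[20:]
    attrs = decode_attrs(body)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, found[0])


def build_coa_response(secret, code, identifier, req_auth, attrs=()):
    """The NAS side of the exchange (ACK/NAK), used here to simulate the switch
    offline.  Response Authenticator = MD5(header || request authenticator ||
    attributes || secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret, req_auth, identifier, packet):
    """Return (code, attrs) if packet is a valid reply to our request, else
    None.  A passing Response Authenticator proves the NAS holds the same
    shared secret we used."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return None
    if code not in (COA_ACK, COA_NAK, DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code, decode_attrs(packet[20:])


def send_coa(nas_ip, secret, attrs, port=3799, timeout=3.0, code=COA_REQUEST):
    """Send one request and wait for the reply.  Returns (code, attrs), or
    None on timeout, i.e. the 'No response from network device' case."""
    identifier = os.urandom(1)[0]
    packet, req_auth = build_coa_request(secret, identifier, attrs, code)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nas_ip, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(secret, req_auth, identifier, data)


if __name__ == "__main__":
    # Offline round trip with constructed values; no switch needed.
    secret = b"example-secret"                       # placeholder server-key
    attrs = [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000001A")]  # constructed
    packet, req_auth = build_coa_request(secret, 7, attrs)
    print("NAS accepts our MA:", check_request_ma(secret, packet))
    ack = build_coa_response(secret, COA_ACK, 7, req_auth)
    print("reply:", verify_response(secret, req_auth, 7, ack))
    # Against a real switch: send_coa("192.0.2.10", secret, attrs, port=3799)
```

Run it from a host in the same VRF the switch's client statement names, against the port the dynamic-author block actually uses. A CoA-NAK is good news during troubleshooting: even a rejected request proves the listener is reachable on that port and that both sides agree on the secret, and its Error-Cause attribute (RFC 5176) says why it was rejected. A timeout with the secret deliberately set wrong looks exactly like a timeout caused by a firewall or VRF problem, which is why the secret should be verified first.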