coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0Received RAD_DISCONNECT_REQUESTNo audit-session-idCoA message from 10.10.201.61 is malformed or cannot be validated.coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0Received RAD_DISCONNECT_REQUESTNo audit-session-idCoA message from 10.10.201.61 is malformed or cannot be validated.coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
I just got off the phone with Aruba technician and though this is still not working he was able to determine why I was not seeing the dynamic-auth debug. Apparently the Enforcement Policy was created using Aerohive – Terminate Session. I created an new profile using the Cisco – Terminate Session and now I am seeing these messages:
coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
The source of CoA packet does not match tunnel-group config.
CoA message from 10.10.201.61 for session 0a0a010d0005500060675fea is inconsistent with the application configuration.
Failed to find aaa-server for CoA Request
I am running ASA version 9.14.4(2) and Clearpass version 220.127.116.11770.
Senior Network Engineer
New York, NY 10005
Cell #: 646.257.0453
"l'argent comptant règne tout autour de moi"
28lbasa01# sh version | in asaSystem image file is "disk0:/asa9-12-4-18-smp-k8.bin"
28lbasa01# sh vpn-sessiondb anyconnect | in Sess ID
Audt Sess ID : 0a0a010d0000100060676978
When we have added the ASA-FW on Cpass, we have used:Service is triggered with:Everything works fine, we can Terminate sessions, send dACL, etc.Can you share which Radius Dictionary you are using and what elements you are using to trigger the service?
Received RAD_DISCONNECT_REQUESTThe source of CoA packet does not match tunnel-group config.CoA message from 10.10.201.61 for session 0a0a010d000180006067a71a is inconsistent with the application configuration.Failed to find aaa-server for CoA Requestcoa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0Received RAD_DISCONNECT_REQUESTThe source of CoA packet does not match tunnel-group config.CoA message from 10.10.201.61 for session 0a0a010d000180006067a71a is inconsistent with the application configuration.Failed to find aaa-server for CoA RequestVPN service:Device:Enforcement Profile for WEBAUTH:Now I have tried using the all sorts of attributes including the tunnel-group name and it still cannot match the incoming CoA with the correct user tunnel. If by RADIUS Dictionary you mean which type of device I am using for the ASA, I am using Cisco and not the device type Cisco-ASA.There is one thing I need to point out. For sometime I was having issues getting the correct MAC address consistently on the Radius and webauth service as seen in access tracker. While on the phone with Cisco I found Parse Cisco-AVpair to get device mac set to default value NO.
CoA message from 10.10.201.61 for session 0a0a010d0001f00060707d74 is inconsistent with the application configuration.
Failed to find aaa-server for CoA RequestWhen I reconnected and got issues a new session-id the WEBAUTH would try to use the same one every time. I wish Aruba could have some documentation on when to use this setting but I have not found anything.The second problem seemed to be the enforcement profiles I was using. The WEBAUTH enforcement profile template being used was RADIUS Dynamic Authorization but the RADIUS Dynamic Authorization template needed to be set to IETF Generic Change of Authority. I think I had it set to Cisco-bounce and edited the Attributes manually to pass the Filter-ID. I think it is best to use the IETF CoA template and just add the necessary attributes. There must be something extra that is going on in the profile that is not being displayed, It would be helpful to be able to see which template you are using for the configured profiles. Anyway it is working now.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.