Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Customers stuck in pre-auth role

  • 1.  Customers stuck in pre-auth role

    Posted Sep 17, 2021 09:56 AM
    Hello all,

    We run 8.6.0.12 in an MM controller cluster with 8 individual hardware switches. We run ClearPass 6.8.9.12. We have a guest MAC registration page for all IoT devices (guest/airgroup). For guest users we have a captive portal which has a radio button you select after reading the terms and conditions; you then wait 8 seconds and then get on the network (guest). Both the guest scenarios put you in a pre-auth role that we have created that allows the device/customer to obtain an IP to talk to only ClearPass in order to see if you registered your device to allow you to get on the network.

    Some devices stay in the pre-auth role until we manually remove them. The issue mostly affects our IoT devices, to where they stay in a pre-auth role even after the customer has registered their device by MAC; the CoA doesn't properly contact the controller to now put the device in either guest or airgroup role. We find ourselves manually clearing the device from ClearPass and the controller. Guest users aren't affected much by this issue, maybe a .05% a guest client is stuck.

    Now, with that all said, I know IoT devices vary on setup steps and sometimes we see the clients don't follow through with the setup properly or do not power off the device after they are finished, but a majority of our tickets are customers that followed through/powered off and the device is in pre-auth.

    Has anyone experienced something similar to this? 

    thanks
    Bill

    ------------------------------
    Bill Harris
    ------------------------------


  • 2.  RE: Customers stuck in pre-auth role

    EMPLOYEE
    Posted Sep 17, 2021 10:59 AM
    If these are wireless clients, switching them off may not be enough as the session has to time out in the controller before a new authentication will happen.

    One simple solution is to add an IETF:Session-Timeout of, let's say, 300 seconds (5 minutes) for devices in the pre-auth role. There will then be a reauthentication every 5 minutes, and it will not be stuck forever. This probably is 'good enough' to avoid most of your helpdesk tickets.

    If you trigger a manual CoA, does that work?

    For controller clusters and CoA there is some additional configuration with VRRP needed, check documentation and scroll to Authorization Server Interaction. First step is that you can reliably trigger CoA from Access Tracker, after that you can check if/why a change in the device registration is automatically triggering a CoA.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
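
    An added example, not part of the original thread and not Aruba or ClearPass code: when checking whether CoA reliably reaches the controller, it helps to tell a rejected request from one that is silently dropped. The sketch below builds an RFC 5176 Disconnect-Request and classifies the reply; the shared secret, MAC address and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, ERROR_CAUSE = 31, 101
ERROR_CAUSES = {403: "NAS Identification Mismatch", 503: "Session Context Not Found"}

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, mac, secret):
    attrs = attr(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def build_reply(code, request, secret, attrs=b""):
    """Reply as a NAS would form it; used here only to construct sample input."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def check_reply(reply, request, secret):
    if len(reply) < 20:
        return "malformed reply"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return "malformed or unrelated reply"
    # Response Authenticator = MD5(reply header + Request Authenticator + attrs + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad authenticator: shared secret mismatch"
    if code == DISCONNECT_ACK:
        return "ACK: session removed"
    if code != DISCONNECT_NAK:
        return f"unexpected code {code}"
    pos = 20  # walk the attributes looking for Error-Cause (type 101, 4-byte value)
    while pos + 2 <= len(reply) and reply[pos + 1] >= 2:
        if reply[pos] == ERROR_CAUSE and reply[pos + 1] == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
            return f"NAK: {cause} {ERROR_CAUSES.get(cause, 'see RFC 5176')}"
        pos += reply[pos + 1]
    return "NAK: no Error-Cause"
```

    A receiver that cannot validate the authenticator discards the packet without answering, so a timeout points at addressing or the shared secret, while a NAK with an Error-Cause means the request arrived but was refused.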



  • 3.  RE: Customers stuck in pre-auth role

    Posted Sep 17, 2021 11:07 AM
    Thank you, Herman, for getting back to me so quickly. I will look over your suggestions and the document you sent.

    ------------------------------
    Bill Harris
    ------------------------------