last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Aruba CoA - VRRP

Jump to Best Answer
  • 1.  Aruba CoA - VRRP

    Posted Jun 01, 2020 06:36 AM



    I need help with CoA - i have read over all the previous posters and this is what i have tried.


    Two controllers using VRRP address for failover (not a cluster) in a MM environment.


    Radius servers (CPPM) for authentication.  I have added the radius servers in the correct node on MM for the two controllers and also added the dynamic authorisation servers.  I have checked the keys and added the RFC servers under the AAA profile for the SSID.

    On CPPM i have added the network devices (both) along with the VRRP address and set a profile/policy which will allow me to terminate a radius session.

    When I click on the access tracker and change status - i select Aruba - terminate session - on our firewall i can see the incoming request to port 3799 - however CPPM says Network device unavailable.

    I have tried the NAS as the controllers IP and the VRRP address as well as the Mobility Master VRRP address.  All do the same.  Have I set this up correct or am I missing something?



  • 2.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 07:05 AM

    Look for the nas-ip in the original authentication.  That is what COA uses to send the COA back

  • 3.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 08:01 AM

    Yip I have checked this and the NAS IP shows as the VRRP address


    I have added the VRRP to the network devices and allowed it through the firewall.


    Anything else I should try when I get this message network device unavailble?

  • 4.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 08:26 AM

     You have a firewall between the controller and the radius server?

  • 5.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 08:33 AM

    Yes because ClearPass is deployed in AWS but firewall have been checked at both sides and port 3799 is open (UDP)

    I have also monitored the packet and it tears down successfully on that port not sure why it is showing as device unavailable 

  • 6.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 09:06 AM

    Did you assign add an RFC3576 profile server to the AAA profile that you are authenticating from?

  • 7.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 09:28 AM

    Yes sure did.


    The interesting thing is this:


    For the radius servers if I set the NAS IP to the address of the VRRP of the mobility master and then I try to initiate a CoA it comes back: Switch CoA Session-Context-Not-Found 


    However if i change the radius sercvers NAS IP to the VRRP address of the controller it just comes back Network Device unavailable.  Not sure if this tells us anything or not just found it strange that it could find no session on the MM but the controller VRRP address was showing as device unavailble.


  • 8.  RE: Aruba CoA - VRRP
    Best Answer

    Posted Jun 01, 2020 10:16 AM

    Ok this is my fault completely messed up here with my radius keys.  I figured it out by going to mdconnect mode on the controller and using the command:


    show aaa rfc-3576-server statistics


    This showed me that there was a lot of Bad Auth requests so I knew it must be something to do with this.

    It is now showing as succesful however my client doesn't get disconnected from the WiFi - what should be the correct behaviour for a client machine when this terminate connection is sent?

  • 9.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 10:22 AM

    If a client has a supplicant, it will just automatically reconnect after a COA is sent.  That is expected.

  • 10.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 10:31 AM

    What do you mean a supplicant?

    Any idea why I would be seeing 3 succesful connection attempts now in the access tracker when the client tries to connect each time? Have I messed something up  



  • 11.  RE: Aruba CoA - VRRP

    Posted Jun 01, 2020 09:06 AM

    Not sure if this is related in the logs 


    2020-06-01 15:03:17,806[HttpModule-ThreadPool-4-0x7f155b5fa700 r=R000000c2-03-5ed4fc8f h=66] ERROR Http.HttpSession - execute: post::<easy_perform>, (error=28) Timeout was reached
    2020-06-01 15:03:17,806[HttpModule-ThreadPool-4-0x7f155b5fa700 r=R000000c2-03-5ed4fc8f h=66] ERROR BaseExtSvr.ExtSvrSession - Unable to get next handle from manager with name=CnCService