I need help with CoA - I have read over all the previous posters and this is what I have tried.
Two controllers using VRRP address for failover (not a cluster) in a MM environment.
RADIUS servers (CPPM) for authentication. I have added the RADIUS servers in the correct node on MM for the two controllers and also added the dynamic authorisation servers. I have checked the keys and added the RFC servers under the AAA profile for the SSID.
On CPPM i have added the network devices (both) along with the VRRP address and set a profile/policy which will allow me to terminate a radius session.
When I click on the access tracker and change status - I select Aruba - terminate session - on our firewall I can see the incoming request to port 3799; however, CPPM says Network device unavailable.
I have tried the NAS as the controller's IP and the VRRP address, as well as the Mobility Master VRRP address. All do the same. Have I set this up correctly or am I missing something?
Look for the NAS-IP in the original authentication. That is what CoA uses to send the CoA back.
Yip I have checked this and the NAS IP shows as the VRRP address
I have added the VRRP to the network devices and allowed it through the firewall.
Anything else I should try when I get this message "network device unavailable"?
You have a firewall between the controller and the radius server?
Yes, because ClearPass is deployed in AWS, but the firewall has been checked at both sides and port 3799 is open (UDP). I have also monitored the packet and it tears down successfully on that port; not sure why it is showing as device unavailable.
Did you add an RFC 3576 server profile to the AAA profile that you are authenticating from?
Yes sure did.
The interesting thing is this:
For the RADIUS servers, if I set the NAS IP to the VRRP address of the Mobility Master and then try to initiate a CoA, it comes back: Switch CoA Session-Context-Not-Found.
However, if I change the RADIUS server's NAS IP to the VRRP address of the controller, it just comes back Network Device unavailable. Not sure if this tells us anything or not; I just found it strange that it could find no session on the MM, but the controller VRRP address was showing as device unavailable.
OK, this is my fault; I completely messed up here with my RADIUS keys. I figured it out by going to mdconnect mode on the controller and using the command:
show aaa rfc-3576-server statistics
This showed me that there was a lot of Bad Auth requests so I knew it must be something to do with this.
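As an added example (not code from this thread, from Aruba or from ClearPass), the following Python models the RFC 5176 Disconnect-Request exchange behind the three symptoms seen above. The shared secret is folded into the MD5 Request Authenticator, so a mismatched key makes the NAS drop the request without replying (the "Bad Auth" counter rises, and the requester only sees a timeout); a correct key with a session match returns a Disconnect-ACK; a correct key with no matching session returns a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found). The `NasModel` class, its session table keyed on NAS-IP-Address plus User-Name, and all secrets and addresses are constructed for illustration; a real controller matches sessions on more attributes than this.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and the attribute numbers used below
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ERROR_CAUSE = 1, 4, 101
ERR_MISSING_ATTRIBUTE = 402            # RFC 5176 Error-Cause: Missing Attribute
ERR_SESSION_CONTEXT_NOT_FOUND = 503    # RFC 5176 Error-Cause: Session Context Not Found


def _attr(attr_type, value):
    """Encode one RADIUS TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(body):
    """Decode RADIUS TLVs into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_disconnect_request(ident, secret, attrs):
    """DAC side (CPPM): Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAS side: recompute the Request Authenticator with the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, secret, attrs=()):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """DAC side: check the ACK/NAK came from a NAS holding the same secret and matches our request ID."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def error_cause(response):
    """Return the Error-Cause value carried by a NAK, or None if there is none."""
    for t, v in parse_attrs(response[20:]):
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


class NasModel:
    """Constructed stand-in for the controller's RFC 3576 server (assumption, not Aruba code).
    Sessions are keyed by (NAS-IP-Address, User-Name), so a request naming an IP the
    controller never authenticated against finds no session."""

    def __init__(self, secret, sessions):
        self.secret, self.sessions, self.bad_auth = secret, dict(sessions), 0

    def handle(self, packet):
        if not verify_request(packet, self.secret):
            self.bad_auth += 1   # the kind of event a "Bad Auth" counter records (assumed mapping)
            return None          # RFC 5176 section 3: silently discard; the DAC only sees a timeout
        attrs = dict(parse_attrs(packet[20:]))
        if ATTR_NAS_IP_ADDRESS not in attrs or ATTR_USER_NAME not in attrs:
            nak = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_MISSING_ATTRIBUTE))]
            return build_response(DISCONNECT_NAK, packet, self.secret, nak)
        key = (socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]), attrs[ATTR_USER_NAME].decode())
        if key not in self.sessions:
            nak = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))]
            return build_response(DISCONNECT_NAK, packet, self.secret, nak)
        del self.sessions[key]   # tear the session down, then acknowledge
        return build_response(DISCONNECT_ACK, packet, self.secret)


def demo():
    """Constructed scenario: one session on NAS 10.0.0.5; three Disconnect-Requests in turn."""
    secret = b"controller-secret"
    nas = NasModel(secret, {("10.0.0.5", "alice"): "wlan-session-1"})
    who = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.0.0.5"))]
    # 1. wrong shared secret: dropped, Bad Auth counter increments, no reply at all
    r1 = nas.handle(build_disconnect_request(1, b"typo-secret", who))
    # 2. right secret, right NAS-IP and user: Disconnect-ACK, session removed
    req2 = build_disconnect_request(2, secret, who)
    r2 = nas.handle(req2)
    # 3. same request again: nothing left to tear down, NAK with Error-Cause 503
    req3 = build_disconnect_request(3, secret, who)
    r3 = nas.handle(req3)
    return {
        "dropped": r1 is None,
        "bad_auth": nas.bad_auth,
        "ack": r2[0] == DISCONNECT_ACK and verify_response(r2, req2, secret),
        "nak": r3[0] == DISCONNECT_NAK and verify_response(r3, req3, secret),
        "error_cause": error_cause(r3),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the three outcomes appear in order: no reply for the bad key, an ACK for the good key, then a NAK with Error-Cause 503 once the session is gone. The practical check it encodes is the one the thread arrived at: a "device unavailable" timeout with the packet visibly reaching UDP/3799 points at the shared secret, while a Session-Context-Not-Found reply proves the secret is right and the NAS-IP or user identity is not what the controller has in its session table.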
It is now showing as successful; however, my client doesn't get disconnected from the WiFi. What should be the correct behaviour for a client machine when this terminate connection is sent?
If a client has a supplicant, it will just automatically reconnect after a CoA is sent. That is expected.
What do you mean a supplicant?
Any idea why I would be seeing 3 successful connection attempts now in the access tracker each time the client tries to connect? Have I messed something up?
Not sure if this is related in the logs
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.