Security

last person joined: 11 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Radius COA problem between controller and clearpass

Jump to Best Answer

Yann DorvalDec 30, 2014 07:36 AM

  • 1.  Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 05:35 AM

    Hi,

     

    I want to use Radius CoA between a controler and Clearpass for disconnect user session with a "Terminate Aruba Session" but it doesn't work.

    I have this messge in "acccess tracker"

     

    Status MessageSession-Context-Not-Found

     

     

    In the controler,

     

    in the RFC Statistics,  all the time the "Disconnect Rej" increment  !!!

     

    in the log of aaa about RFC, i have the message  : 

    Dec 30 10:36:28 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1188] Invalid parameters, setting nas_port_type to wireless
    Dec 30 10:36:29 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

     

    Do you have an idea ?

     

    My configuration : 

    CPPM: RADIUS CoA is enabled and using port 3799.

    Controller: RFC3746 server defined in AAA profile. Key matches key specific in device details above.

     

    Regards

     

    Yann

     

     

     

     



  • 2.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 06:16 AM

    Yann Dorval,

     

    Please make sure that the nas-ip-address parameter configured on the controller for clearpass matches the ip address defined in ClearPass



  • 3.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 06:30 AM

    Hi Cjoseph,

     

    Thanks for your answer : 

     

    i have check it

     

    On my controler : 

    Capture03.JPG

     

    On my CPPM

     

    Capture02.JPG

     

    regards

     

     

     




  • 4.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 06:32 AM

    Yann Dorval,

     

    Not in the RFC 3576 definition.  Check in the Radius Server definition on the controller.

     



  • 5.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 07:36 AM

    Cjoseph,

     

    I think it's good

     

    Capture04.JPG

    Capture06.JPG

     

    Regards

     

    Yann



  • 6.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 10:28 AM

    It's strange because in my Access Tracker -> Accounting -> Networ Detail, i have the good NAS-Port-Type

     

    NAS IP Address:
    10.1.8.50:0
    NAS Port Type:
    Wireless-802.11

     

    regards

     

    Yann



  • 7.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 11:08 AM

    in debug aaa you can see, 2 msg about the NAS port Type

     

    Capture14.JPG



  • 8.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 12:52 PM

    i don't see the COA server connected to your AAA profile, is it there?

     

    your not doing anything special with your network, i.e. NATing, firewall in between, ...?



  • 9.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 03:39 AM

    hi boneyard,

     

    thanks for your reply, for me it's already connected to my aaa profile, see below ( RFC 3576 server 10.1.8.7).

    The CPPM and Clearpass are in the same VLAN, network, IP range,  there are nothing between each.

     

    Capture20.JPG

     

    Regards

     

    Yann 



  • 10.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 05:45 AM

    and you can't do an CoA on any session? you have check with a recent session you just logged in with?

     

    only thing i would try then is to reset all shared secrets, so on controller (RFC... and radius server) and on clearpass with an easy one. just to rule out any copy paste / fat finger errors.

     

    after that i would contact TAC (and go through all of the above again first :) ).



  • 11.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 05:55 AM

    thanks for your reply

     

    I just changed all the passwords, test with another enforcement policy and profile, with another controler, with another service etc ...., i think i have tested all that i could :)

    Yesterday i have opened a case, i'm in waiting to reply from them.

     

    Thanks for your help, Happy Holidays

     

    Regards

     

    Yann



  • 12.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 06:47 AM

    For your information, my AP is in RAP Mode and the VAP is in Bridge mode

    I just configure my VAP in tunnel mode and  the CoA works good now !  

     

    My question : is there  a prerequisite of works for CoA in bridge mode ?

     

    regards

     

    Yann



  • 13.  RE: Radius COA problem between controller and clearpass

    Posted Jan 02, 2015 07:03 AM

    thanks for reporting back about your finding. sounds like a possible reason for it not working. tried to find a source saying this is indeed the issue, but can't find one. hopefully your ticket with TAC will give  a definite answer. be sure to relay that.



  • 14.  RE: Radius COA problem between controller and clearpass

    Posted Jan 06, 2015 09:27 AM

    I confirm, with one CAP on the VAP in tunnel mode,it's works well, but when i configure the VAP in bridge mode, i have the message "Session-Context-Not-Found"

    Capture001.JPG



  • 15.  RE: Radius COA problem between controller and clearpass

    Posted Jan 06, 2015 02:32 PM

    what is TAC saying about this, is there no way to pull this off with a bridged SSID?



  • 16.  RE: Radius COA problem between controller and clearpass
    Best Answer

    Posted Jan 07, 2015 01:02 PM

    Hi Boneyard,

     

    yes, they answered me ... "CoA will not be supported in the bridge mode", it's a big problem for my project ...

     

    coa.jpg

     

    Thanks you for your help



  • 17.  RE: Radius COA problem between controller and clearpass

    Posted Jan 02, 2015 07:36 AM

    Yann Dorval,

     

    What version of ArubaOS are you using?

     

    Are you sending radius accounting information to clearpass?

     

     



  • 18.  RE: Radius COA problem between controller and clearpass

    Posted Jan 05, 2015 04:12 AM

    Hi Cjoseph,

     

    The Version 6.4.2.2 is install on controller.

     

    Yes, i send the radius accounting information from the controller to clearpass.

     

    Regards

     

    Yann