I want to use RADIUS CoA between a controller and ClearPass to disconnect a user session with a "Terminate Aruba Session", but it doesn't work.
I have this message in "Access Tracker"
In the controller,
in the RFC Statistics, the "Disconnect Rej" increments all the time !!!
in the log of aaa about RFC, I have the message :
Dec 30 10:36:28 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1188] Invalid parameters, setting nas_port_type to wireless
Dec 30 10:36:29 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries
Do you have an idea ?
My configuration :
CPPM: RADIUS CoA is enabled and using port 3799.
Controller: RFC3746 server defined in AAA profile. Key matches key specified in device details above.
Please make sure that the nas-ip-address parameter configured on the controller for clearpass matches the ip address defined in ClearPass
Thanks for your answer :
I have checked it
On my controller :
On my CPPM
Not in the RFC 3576 definition. Check in the Radius Server definition on the controller.
I think it's good
It's strange because in my Access Tracker -> Accounting -> Network Detail, I have the good NAS-Port-Type
in debug aaa you can see 2 msg about the NAS port Type
i don't see the COA server connected to your AAA profile, is it there?
you're not doing anything special with your network, i.e. NATing, firewall in between, ...?
thanks for your reply, for me it's already connected to my aaa profile, see below ( RFC 3576 server 10.1.8.7).
The CPPM and Clearpass are in the same VLAN, network, IP range, there is nothing between them.
and you can't do a CoA on any session? have you checked with a recent session you just logged in with?
only thing i would try then is to reset all shared secrets, so on controller (RFC... and radius server) and on clearpass with an easy one. just to rule out any copy paste / fat finger errors.
after that i would contact TAC (and go through all of the above again first :) ).
thanks for your reply
I just changed all the passwords, tested with another enforcement policy and profile, with another controller, with another service etc ...., I think I have tested all that I could :)
Yesterday I opened a case, I'm waiting for a reply from them.
Thanks for your help, Happy Holidays
For your information, my AP is in RAP Mode and the VAP is in Bridge mode
I just configured my VAP in tunnel mode and the CoA works well now !
My question : is there a prerequisite for CoA to work in bridge mode ?
thanks for reporting back about your finding. sounds like a possible reason for it not working. tried to find a source saying this is indeed the issue, but can't find one. hopefully your ticket with TAC will give a definite answer. be sure to relay that.
I confirm, with one CAP on the VAP in tunnel mode, it works well, but when I configure the VAP in bridge mode, I have the message "Session-Context-Not-Found"
what is TAC saying about this, is there no way to pull this off with a bridged SSID?
yes, they answered me ... "CoA will not be supported in the bridge mode", it's a big problem for my project ...
Thank you for your help
What version of ArubaOS are you using?
Are you sending radius accounting information to clearpass?
Version 188.8.131.52 is installed on the controller.
Yes, I send the radius accounting information from the controller to clearpass.
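Added example, not part of any post in this thread and not Aruba or ClearPass code: a decoder for the reply a NAS sends to a Disconnect-Request, which separates the two failure causes discussed above (a shared-secret mismatch versus an Error-Cause such as 503 "Session Context Not Found"). It follows RFC 5176, which obsoletes RFC 3576; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Response codes and Error-Cause values defined in RFC 5176.
CODES = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = 101  # Error-Cause attribute type
CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
          403: "NAS Identification Mismatch", 404: "Invalid Request",
          503: "Session Context Not Found", 504: "Session Context Not Removable"}

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def decode_response(packet, req_auth, secret):
    """Decode a Disconnect/CoA reply; report secret match and Error-Cause."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    auth, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    cause, i = None, 0
    while i + 2 <= len(attrs):  # walk the type-length-value attribute list
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE and alen == 6:
            cause = struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += alen
    return {"code": CODES.get(code, str(code)), "id": ident,
            "secret_ok": hmac.compare_digest(auth, expected),
            "error_cause": cause, "meaning": CAUSES.get(cause)}

def build_sample_nak(ident, req_auth, secret, cause):
    """Constructed test packet: a Disconnect-NAK carrying one Error-Cause."""
    attrs = struct.pack("!BBI", ERROR_CAUSE, 6, cause)
    auth = response_authenticator(42, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", 42, ident, 20 + len(attrs)) + auth + attrs

if __name__ == "__main__":
    req_auth = bytes(range(16))     # constructed Request Authenticator
    secret = b"constructed-secret"  # constructed shared secret
    nak = build_sample_nak(7, req_auth, secret, 503)
    print(decode_response(nak, req_auth, secret))
```

A reply with `secret_ok` true and an `error_cause` set means the secrets agree and the NAS itself refused the request, so resetting shared secrets will not change the outcome.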