Wired Intelligent Edge

 View Only
last person joined: 2 days ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Aruba CX CoA Invalid client address

This thread has been viewed 14 times
  • 1.  Aruba CX CoA Invalid client address

    Posted Jun 02, 2022 10:57 PM

    I am trying to use an Aruba CX switch (v 10.09) with ClearPass to test CoA. The switch is correctly added to ClearPass and radius authentications are working fine. for CoA, I have ClearPass defined as a dyn-authorization client with the correct key and replay-protection disabled (because the time on the switch is incorrect). 
    For some reason, CoA is not working. I am trying to manually trigger it from the access tracker and using the AOS-CX Bounce port or AOS-CX Disconnect actions. In both cases, ClearPass will show that the CoA failed for client xxxxxxxxxxxx and on the switch side, I see a high number of "Invalid Client Address in CoA Requests" and "Invalid Client Address in Disconnect Requests"

    Does anyone know what "Invalid Client Address in Disconnect Requests" means and what could be the root cause?
    Also, what is the best way to debug those messages on the switch?

    Thanks for helping out

    Othmane Douiri

  • 2.  RE: Aruba CX CoA Invalid client address

    Posted Jun 04, 2022 08:49 PM

    are you using mgmt VRF for dyn-authorization  on the CX switch?
    what is the IP address of the CX switch that is configured as NAD on ClearPass ? and what is  the IP address of "Access Device" that shows in access tracker

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

  • 3.  RE: Aruba CX CoA Invalid client address

    Posted Jun 28, 2022 11:36 AM
    Verify if the configuration in switch is correct. To enable radius dyn authorization in switch for the clearpass server -

    radius dyn-authorization enable
    radius dyn-authorization client <IP/DNS> vrf <vrf> secret-key plaintext <key>

    Shobana Nandakumar
    Technical Marketing Engineer
    Aruba Campus Switching