Original Message:
Sent: Sep 30, 2022 02:54 PM
From: sskalny1
Subject: ClearPass and Cisco CoA Failing
I was able to get to the bottom of this one. I had to:
1) specify a vrf
2) move the server-key to its own line
aaa server radius dynamic-author
client <clearpass>
client <clearpass> vrf management
server-key <key>
port 3799
auth-type all
It would not work with the server-key specified in the client line, and also wouldn't work without the vrf (this one makes sense). Thanks for the help!
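The three differences between the block that failed and the block that finally worked in this thread (server-key on the client line, no vrf on the client, and the Cisco default of UDP/1700 versus ClearPass's 3799 raised in a reply below) are easy to miss by eye in a pasted config. The script below is an added example, not code from the thread, Aruba or Cisco: it parses an IOS `aaa server radius dynamic-author` section from running-config text and reports those pitfalls. The IP address and key in its sample configs are constructed, the "key on the client line" check encodes the original poster's finding rather than a documented Cisco restriction, and the expected VRF name is supplied by the caller.

```python
"""Lint a Cisco IOS 'aaa server radius dynamic-author' block for the CoA pitfalls
discussed in the thread. Added example with constructed sample configs."""
import re
from dataclasses import dataclass, field
from typing import Optional

CLEARPASS_COA_PORT = 3799      # ClearPass default for RADIUS Dynamic Authorization
CISCO_DEFAULT_COA_PORT = 1700  # IOS default when no 'port' line is configured

# Sub-commands that belong to the dynamic-author section; anything else ends it.
SUBCOMMANDS = ("client", "server-key", "port", "auth-type", "ignore", "domain")


@dataclass
class Client:
    address: str
    vrf: Optional[str] = None
    inline_key: bool = False   # server-key given on the client line itself


@dataclass
class DynamicAuthor:
    clients: list = field(default_factory=list)
    server_key: Optional[str] = None
    port: int = CISCO_DEFAULT_COA_PORT
    auth_type: Optional[str] = None


def parse_dynamic_author(config: str) -> Optional[DynamicAuthor]:
    """Return the parsed dynamic-author block, or None if the config has none.
    Indentation is ignored so that flattened forum pastes parse too."""
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"aaa server radius dynamic-author", line):
            block = DynamicAuthor()
            continue
        if block is None or not line:
            continue
        words = line.split()
        if words[0] not in SUBCOMMANDS:
            break  # left the dynamic-author section
        if words[0] == "client":
            client = Client(address=words[1])
            if "vrf" in words:
                client.vrf = words[words.index("vrf") + 1]
            client.inline_key = "server-key" in words
            block.clients.append(client)
        elif words[0] == "server-key":
            block.server_key = words[-1]  # skips the optional 0/7 encryption type
        elif words[0] == "port":
            block.port = int(words[1])
        elif words[0] == "auth-type":
            block.auth_type = words[1]
    return block


def lint_coa(config: str, clearpass_port: int = CLEARPASS_COA_PORT,
             expected_vrf: Optional[str] = None) -> list:
    """Return human-readable findings; an empty list means no known pitfall."""
    block = parse_dynamic_author(config)
    if block is None:
        return ["no 'aaa server radius dynamic-author' block found"]
    findings = []
    if block.port != clearpass_port:
        findings.append(f"port mismatch: switch listens on UDP/{block.port}, "
                        f"ClearPass sends CoA to UDP/{clearpass_port}")
    if not block.clients:
        findings.append("no client entry: CoA from ClearPass will be dropped")
    for c in block.clients:
        if c.inline_key:
            findings.append(f"client {c.address}: server-key given on the client "
                            "line; move it to its own 'server-key' line")
    if block.server_key is None and not any(c.inline_key for c in block.clients):
        findings.append("no server-key configured")
    if expected_vrf:
        for addr in sorted({c.address for c in block.clients}):
            if not any(c.address == addr and c.vrf == expected_vrf
                       for c in block.clients):
                findings.append(f"client {addr}: no entry bound to vrf "
                                f"{expected_vrf}; CoA arriving via that VRF is ignored")
    return findings


# Constructed sample configs mirroring the shapes posted in the thread.
BROKEN_CONFIG = """\
aaa server radius dynamic-author
client 10.10.10.5 server-key S3cr3t
port 3799
auth-type all
"""
FIXED_CONFIG = """\
aaa server radius dynamic-author
client 10.10.10.5
client 10.10.10.5 vrf management
server-key S3cr3t
port 3799
auth-type all
"""
NO_PORT_CONFIG = """\
aaa server radius dynamic-author
client 10.10.10.5 vrf management
server-key S3cr3t
auth-type all
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                      ("no-port", NO_PORT_CONFIG)):
        print(name, lint_coa(cfg, expected_vrf="management") or ["ok"])
```

Run it against `show running-config | section dynamic-author` output pasted into a file; pass `expected_vrf` only when the ClearPass server is reached through a VRF, as it was here via the management VRF.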
Original Message:
Sent: Sep 24, 2022 10:16 AM
From: Scott Skalny
Subject: ClearPass and Cisco CoA Failing
Thanks for the responses. The access tracker info shows the correct IP, and I am seeing in the firewall the request to the correct IP as well. As far as firmware and model, these are 9300s running
Cisco IOS XE Software, Version 17.03.05
Original Message:
Sent: Sep 23, 2022 07:05 PM
From: Ariya Parsamanesh
Subject: ClearPass and Cisco CoA Failing
The exact same dynamic author commands work fine with my setup using CoA 3799. The switch is running version 15.0(2).
What is the NAS IP that shows in Access Tracker? If it is coming from a different IP addr on the same switch, then maybe you need to have "ip radius source-interface".
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: Sep 23, 2022 12:58 PM
From: Unknown User
Subject: ClearPass and Cisco CoA Failing
The dynamic author commands look correct but Cisco default for CoA is UDP/1700. I would remove the custom port assignment in the Dynamic-author commands and change the ClearPass side to use 1700.
Original Message:
Sent: Sep 22, 2022 03:31 PM
From: Scott Skalny
Subject: ClearPass and Cisco CoA Failing
Hi Folks,
I'm working on a new ClearPass deployment, and attempting to get CoA working. RADIUS is functioning properly, but I receive the following message when any CoA is attempted: No response from network device
As far as I can tell, I've set everything up properly. Within my network devices, I've selected: Enable RADIUS Dynamic Authorization, and have confirmed port 3799 traffic is observed and allowed through the firewalls.
From a Cisco switch standpoint, I've configured the following (and verified that the secret is correct):
aaa server radius dynamic-author
client <ip> server-key <key>
port 3799
auth-type all
As this is my first deployment, I'm struggling to find anything that may help me to investigate this further - logs, etc. in ClearPass. As mentioned, I can see the request go from ClearPass to the switch in question through the firewalls, so something is happening... The dot1x request succeeds, and the device is allowed access to the network based on the proper Service/profile, etc.
Any troubleshooting help would be greatly appreciated!