Security

  • 1.  Clearpass / Cisco WLC / CoA

    Posted Jan 14, 2025 07:00 AM

    Hello.

    I'm fairly new to Clearpass and Cisco WLC, so hopefully this is rather straightforward for you experts out there :) I've searched the discussion forum, but I haven't managed to connect all the dots.

    First, a working example:

    1. Unknown device connects to the wlan and gets redirected to the Clearpass login-page.
    2. Authenticates with a valid account; Clearpass sends a CoA. The user sees the 10-second countdown and:
    3. The device reconnects and has access to the network.

    Detailed log attached CoA ok.txt.

    This happens very rarely; 99% of the time the Webauth occurs and the CoA is not sent. Then it looks like this:

    1. Unknown device connects to the wlan and gets redirected to the Clearpass login-page.
    2. Authenticates with a valid account; Clearpass does not send a CoA.
    3. The device reconnects by itself after 5+ minutes and has access to the network.

    Detailed log attached CoA not ok.txt

    When the device is authenticated I can try all the different CoA from the change status tab:

    They all work, so I guess that means the setup/flow between Clearpass and the Cisco WLC is working.

    The only difference in the Webauth input between the two is:

    Found under computed attributes for the working one.

    In the detailed logs, the one not working has the following:

    INFO Common.TagDefinitionCacheTable - No TagDefCacheMap could be found for instance id = 57625 entity id = 72
    INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for Endpoint instance=57625
    INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for instanceId=57625|entityId=72|entityName=Endpoint
    INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=57625|entity=Endpoint

    WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=

    The self-reg (login) page is set up like this:

    We had help trying to set this up, so there has been some experimenting with Controller-initiated login method. I've tried changing from App Authentication to Local, same result.

    Any input is much appreciated!

    Regards
    Joe


    Attachment(s):
    - CoA not ok.txt (12 KB)
    - CoA ok.txt (13 KB)

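    The CoA exchange the post describes (Clearpass asking the WLC to re-authenticate the client after webauth), shown as an added example that is not part of the original post and not Clearpass's or Cisco's own code. It builds an RFC 5176 CoA-Request with its Request Authenticator, has a simulated WLC verify the request and answer with CoA-ACK or a CoA-NAK carrying Error-Cause 503 (Session Context Not Found), and verifies the Response Authenticator on the way back. The shared secret, client MAC, RADIUS identifier and the Cisco-AVPair `subscriber:command=reauthenticate` are assumptions chosen for illustration; the WLC side runs in-process, so no packets are sent.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes used below
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101
ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND = 503
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor type for Cisco-AVPair


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair inside a Vendor-Specific attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, attrs):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|attrs|secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(secret, packet):
    """NAS side: recompute the Request Authenticator; discard on mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|attrs|secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(secret, request, response):
    """Server side: the reply must echo our identifier and bind to our authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(body):
    """Split an attribute list into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def simulate_exchange(secret, mac, session_known):
    """Constructed exchange: 'Clearpass' asks a simulated 'WLC' to re-authenticate mac.

    session_known models whether the NAS still has a session for that client;
    returns (response code, Error-Cause or None).
    """
    request = build_coa_request(secret, 7, [
        avp(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),  # assumed attribute
    ])
    # --- simulated WLC ---
    if not verify_request(secret, request):
        raise ValueError("request authenticator mismatch: NAS silently discards")
    if session_known:
        response = build_response(secret, request, COA_ACK)
    else:
        cause = struct.pack("!I", ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND)
        response = build_response(secret, request, COA_NAK, [avp(ATTR_ERROR_CAUSE, cause)])
    # --- back on the server ---
    if not verify_response(secret, request, response):
        raise ValueError("response authenticator mismatch")
    error_cause = None
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == ATTR_ERROR_CAUSE:
            error_cause = struct.unpack("!I", value)[0]
    return response[0], error_cause


if __name__ == "__main__":
    print(simulate_exchange(b"constructed-secret", "00-11-22-33-44-55", True))
    print(simulate_exchange(b"constructed-secret", "00-11-22-33-44-55", False))
```

    On the wire the request goes by UDP to the NAS's CoA port (3799 in RFC 5176; Cisco WLCs are commonly configured for 1700, check the controller). The example omits the Message-Authenticator (HMAC-MD5, attribute 80) that many NAS implementations additionally expect, and the NAK path is what you see when the controller no longer holds a session for the client, which is a different failure from the one in the post, where the CoA is never sent at all.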

  • 2.  RE: Clearpass / Cisco WLC / CoA

    Posted Jan 14, 2025 10:15 AM

    The error is indicating that the cache doesn't contain any relevant information for the client device in order to issue the CoA.

    Is there a specific reason you're using a CoA workflow rather than controller initiated and straight RADIUS auth?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass / Cisco WLC / CoA

    Posted Jan 15, 2025 05:31 AM

    Someone else was hired for setting this up, so I'm not quite sure why server-initiated was chosen over controller-initiated. As mentioned, it's a setup with Cisco WLC and APs, so no Aruba/HP equipment other than Clearpass.

    When it comes to the server-initiated method, we have that working flawlessly with Juniper APs. They use a cloud based controller (Mist) vs our Cisco that is on-prem. The guide used for setting up Juniper was this: https://www.mist.com/wp-content/uploads/Mist-Clearpass-Guest-1.pdf

    Unfortunately I haven't found anything similar for Cisco.

    It's the controller-initiated one which is recommended, then?




  • 4.  RE: Clearpass / Cisco WLC / CoA

    Posted Jan 22, 2025 07:54 AM

    Seems like I got it working. Compared the working config for Juniper APs and found this thread confirming the mismatch: https://community.arubanetworks.com/discussion/radius-coa-webauth-policy#bmc58f27b4-23c6-4c7d-9020-348f5ad7c566

    So now the CoA works every time.




  • 5.  RE: Clearpass / Cisco WLC / CoA

    Posted Jan 22, 2025 10:26 AM

    Good to hear. Moving to an always accept on the MAC auth is a good thing anyway, as moving to Enhanced Open may require the successful authentication in order to complete the four-way handshake at device association.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------