Security

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan
------------------------------

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan
------------------------------

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Dear Herman.
I tried backing up the config from the failed CLearpass and restoring to other CLearpass device in another environment, there was a Radius CoA tab. I don't understand why Clearpass's customer doesn't have the Radius CoA information sent. 2 Clearpass is the same firmware 6.9.0.130064
In another Clearpass. 2 Clearpass is the same config


------------------------------
Le Tan
------------------------------

Original Message:
Sent: Aug 24, 2021 04:35 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

If you don't have accounting, the CoA will not work.

Further, I would strongly recommend to upgrade to the latest 6.9 hotfix, don't stick in the 6.9.0 version if there are updates available. I don't think there were specific fixes for CoA in 6.9 patch releases, but if you deploy a new ClearPass upgrade to the latest patch that is available.

In case you are not able to get your accounting working, please work with your Aruba partner or Aruba support.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 24, 2021 04:57 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman.
I tried backing up the config from the failed CLearpass and restoring to other CLearpass device in another environment, there was a Radius CoA tab. I don't understand why Clearpass's customer doesn't have the Radius CoA information sent. 2 Clearpass is the same firmware 6.9.0.130064
In another Clearpass. 2 Clearpass is the same config


------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 04:35 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Dear Herman.
in Access tracker i see tab Accounting when i turn-on Account on SSID in IAP. but no have TAB Radius CoA.
I'm not sure where I've misconfigured. Clearpass on my lab working fine, but on customer is fail
And I enable accounting on Service Parameter all Clearpass in cluster


------------------------------
Le Tan
------------------------------

Original Message:
Sent: Aug 24, 2021 05:12 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

If you don't have accounting, the CoA will not work.

Further, I would strongly recommend to upgrade to the latest 6.9 hotfix, don't stick in the 6.9.0 version if there are updates available. I don't think there were specific fixes for CoA in 6.9 patch releases, but if you deploy a new ClearPass upgrade to the latest patch that is available.

In case you are not able to get your accounting working, please work with your Aruba partner or Aruba support.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:57 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman.
I tried backing up the config from the failed CLearpass and restoring to other CLearpass device in another environment, there was a Radius CoA tab. I don't understand why Clearpass's customer doesn't have the Radius CoA information sent. 2 Clearpass is the same firmware 6.9.0.130064
In another Clearpass. 2 Clearpass is the same config


------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 04:35 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

Dear Herman,
many tks for support.
I'm updated to lastest 6.9 is 6.9.6 and in firts time connect of client, i can manual edit Radius CoA in Change Status Access tracker.
But Clearpass Still don't Sent Radius CoA automatic.

After i change manual Radius CoA on ACcess tracker
Is this a bug and I need to open the TAC Case?

------------------------------
Le Tan
------------------------------

Original Message:
Sent: Aug 24, 2021 05:12 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

If you don't have accounting, the CoA will not work.

Further, I would strongly recommend to upgrade to the latest 6.9 hotfix, don't stick in the 6.9.0 version if there are updates available. I don't think there were specific fixes for CoA in 6.9 patch releases, but if you deploy a new ClearPass upgrade to the latest patch that is available.

In case you are not able to get your accounting working, please work with your Aruba partner or Aruba support.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:57 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman.
I tried backing up the config from the failed CLearpass and restoring to other CLearpass device in another environment, there was a Radius CoA tab. I don't understand why Clearpass's customer doesn't have the Radius CoA information sent. 2 Clearpass is the same firmware 6.9.0.130064
In another Clearpass. 2 Clearpass is the same config


------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 04:35 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------

If you configured the CoA action in the profiling tab of your service, and manual Change Status/CoA works, but the automatic CoA doesn't, then yes that is not as expected and you can open a TAC case to get that validated.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 24, 2021 09:17 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman,
many tks for support.
I'm updated to lastest 6.9 is 6.9.6 and in firts time connect of client, i can manual edit Radius CoA in Change Status Access tracker.
But Clearpass Still don't Sent Radius CoA automatic.

After i change manual Radius CoA on ACcess tracker
Is this a bug and I need to open the TAC Case?

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 05:12 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

If you don't have accounting, the CoA will not work.

Further, I would strongly recommend to upgrade to the latest 6.9 hotfix, don't stick in the 6.9.0 version if there are updates available. I don't think there were specific fixes for CoA in 6.9 patch releases, but if you deploy a new ClearPass upgrade to the latest patch that is available.

In case you are not able to get your accounting working, please work with your Aruba partner or Aruba support.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:57 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman.
I tried backing up the config from the failed CLearpass and restoring to other CLearpass device in another environment, there was a Radius CoA tab. I don't understand why Clearpass's customer doesn't have the Radius CoA information sent. 2 Clearpass is the same firmware 6.9.0.130064
In another Clearpass. 2 Clearpass is the same config


------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 04:35 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Can't see from those logs the accounting. Can you check if you have Insight enabled on your ClearPass? And if possible the 'Log interim accounting packets' under the RADIUS Service parameters?

Do you see the Accounting tab in access tracker? That indicates that there is proper accounting coming in.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 04:04 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

TKs Herman.
I has turnoff RFC 5997 and enable accounting on SSID. but i don't see Radius CoA Table

plz check log i attached this message.
many tks Herman

------------------------------
Le Tan

Original Message:
Sent: Aug 24, 2021 03:43 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Did you enable accounting on your SSID? If the 'Change Status' does not offer the Terminate Session there is something wrong with the configuration. What you show above looks okayish, just I think you don't need rfc5997 set (I have it mostly disabled). Accounting is configured on the SSID, not on the RADIUS server.

This is how CoA / Change Status should look like: https://youtu.be/-5_wdyQmpXE?t=240

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 24, 2021 03:21 AM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Dear Herman Robert.
Tks for response.
On Clearpass and IAP i have config RFC 3579.
But on access tracker i don't see tab Radius COA and i can't change status on access tracker manual to Radius COA

I think Clearpass don't sent Radius CoA althought i have config action is Radius CoA [ArubaOS Wireless - Terminate Session]
many tks.
------------------------------
Le Tan

Original Message:
Sent: Aug 23, 2021 11:05 AM
From: Herman Robers
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

That is exactly what I would expect. At the first connect, there is no profiling information available, and that is what the error message is telling (and thus it is harmless as well).

After that first authentication, the DHCP relay will share information to ClearPass and will, and should trigger a Change-of -Authorization ([Terminate Wireless Session]). So at the time of the authentication, the profiling information is not there, shortly after it is there, but after the authentication.

That means the second authentication will have access to the profiling information.

If you don't see the automatic reauthentication, check your CoA/RFC3579 settings on both ClearPass and your AP/switch/controller, and check with a manual Change Status from Access Tracker if CoA works.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 18, 2021 10:58 PM
From: Le Tan
Subject: Clearpass Device Computer Alert Cannot Failed to get value for attributes=[Category]. Althought there is a DHCP-Relay

Hi.
I'm setup Clearpass Service adding Profiler Endpoint on Service.

but on new device firt connect to SSID. CLearpass output Alert Cannot Failed to get value for attributes=[Category].
When device 2nd connection it is works fine .
On Switch I Have config DHCP-Relay to Clearpass.
I don't understand why in the Endpoint attribute there is information that the endpoint category is Computer but the Alert still says Cannot Failed to get value for attributes=[Category]. is this a bug of Clearpass 6.9.0.130064? 

Many Tks

------------------------------
Le Tan
------------------------------