Does a manual CoA from Access Tracker (Change Status) work for these devices/switches?
If that works, the easiest may be an API call to ClearPass to 1) change the endpoint status to Unknown, then wait a few seconds, and 2) send a CoA for the client.
I don't know how time-critical this is, but you could also consider periodic reauthentication, let's say every hour or even every 30 minutes; then either set it statically in the switch configuration or use the IETF:Session-Timeout to send the reauthentication interval dynamically from your policy.
I'm not aware of an automatic CoA if an Endpoint attribute is changed by a ClearPass admin. As another option, the admin who changes the endpoint may manually trigger a CoA after changing the attribute and determining that this is time-critical. To do that, search by Client MAC in Access Tracker and trigger a 'Change Status'.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 02, 2023 09:06 AM
From: owais iqbal
Subject: Clearpass Endpoint unknown = CoA bounce
Dear Experts,
One of the customers wants to achieve the following. They are already doing it successfully in PulseSecure but are not sure how to achieve the same workflow in CPPM.
1) Device gets added to Endpoints as Known after successful authentication.
2) Port information from the Cisco/Huawei switch is not accurate; it's not showing the port information correctly.
3) Customer wants to disapprove an endpoint, so that if they change its status from Known to Unknown, it should trigger a CoA so that the device gets re-authenticated (MAC auth) and this time matches the rule that says if endpoint status is Unknown = deny access profile.
How to achieve item #3 in the most efficient manner? Can someone advise?
------------------------------
owais
------------------------------
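The two-step API workflow Herman suggests (set the endpoint to Unknown, pause, then send a CoA) for the disapprove-and-bounce case in the original question, written out as an added Python example. This is not code from the thread, from Aruba or from any ClearPass SDK. It assumes the ClearPass REST API shape as I remember it from the CPPM API Explorer (`/api/oauth` with the client_credentials grant, `PATCH /api/endpoint/mac-address/{mac}`, `GET /api/session?filter=...` with a JSON filter on `mac_address` and `acctstoptime`, and `POST /api/session/{id}/disconnect` with `confirm_disconnect`); confirm each of those against your own CPPM's API docs before running it against production. The environment variable names and the canned session data in the offline stand-in are also my own choices.

```python
"""Disapprove a ClearPass endpoint and bounce its session via the REST API.

Workflow from the thread: set the endpoint status to Unknown, wait a few
seconds so the change is visible to the policy engine, then send a CoA
(disconnect) so the client re-runs MAC auth and lands on the deny rule.
"""
import json
import os
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

# ASSUMPTION: paths/bodies follow the ClearPass REST API as shown in the CPPM
# API Explorer; verify them on your own CPPM before relying on this script.
OAUTH_PATH = "/api/oauth"
ENDPOINT_PATH = "/api/endpoint/mac-address/{mac}"
SESSION_PATH = "/api/session"

Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, the form ClearPass keys endpoints by."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def urllib_transport(base_url: str) -> Transport:
    """HTTPS transport for a real CPPM; TLS certificate validation stays on."""
    def send(method, path, body=None, token=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        if token:
            req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def recording_transport(active_sessions: List[dict]):
    """Constructed offline stand-in: records every call and serves canned replies."""
    calls: List[tuple] = []

    def send(method, path, body=None, token=None):
        calls.append((method, path, body, token))
        if path == OAUTH_PATH:
            return {"access_token": "tok-constructed", "token_type": "Bearer"}
        if path.startswith(SESSION_PATH + "?"):
            return {"_embedded": {"items": active_sessions}}
        return {}
    return send, calls


class ClearPassBounce:
    def __init__(self, send: Transport, client_id: str, client_secret: str,
                 settle_seconds: float = 3.0, sleep=time.sleep):
        self.send = send
        self.client_id = client_id
        self.client_secret = client_secret
        self.settle_seconds = settle_seconds   # "wait a few seconds" between the two steps
        self.sleep = sleep
        self.token = None

    def login(self) -> None:
        # Use an API client whose operator profile grants only endpoint and
        # session rights, so a leaked secret cannot touch the rest of CPPM.
        reply = self.send("POST", OAUTH_PATH, {
            "grant_type": "client_credentials",
            "client_id": self.client_id, "client_secret": self.client_secret}, None)
        self.token = reply["access_token"]

    def set_endpoint_status(self, mac: str, status: str) -> dict:
        if status not in ("Known", "Unknown", "Disabled"):
            raise ValueError(f"unsupported endpoint status: {status}")
        return self.send("PATCH", ENDPOINT_PATH.format(mac=mac), {"status": status}, self.token)

    def active_sessions(self, mac: str) -> List[dict]:
        # ASSUMPTION: JSON filter syntax; a session with no acctstoptime is still live.
        filt = json.dumps({"mac_address": mac, "acctstoptime": {"$exists": False}})
        reply = self.send("GET", SESSION_PATH + "?filter=" + urllib.parse.quote(filt),
                          None, self.token)
        return reply.get("_embedded", {}).get("items", [])

    def disconnect(self, session_id) -> dict:
        # CoA disconnect: the client re-authenticates and now hits the Unknown = deny rule.
        return self.send("POST", f"{SESSION_PATH}/{session_id}/disconnect",
                         {"confirm_disconnect": True}, self.token)

    def disapprove_and_bounce(self, mac: str) -> List:
        """Step 1: status -> Unknown. Step 2, after the pause: CoA every live session."""
        mac = normalize_mac(mac)
        self.set_endpoint_status(mac, "Unknown")
        self.sleep(self.settle_seconds)
        ids = [s["id"] for s in self.active_sessions(mac)]
        for sid in ids:
            self.disconnect(sid)
        return ids


if __name__ == "__main__":
    # Real run; env var names are my own choice, not a ClearPass convention.
    cp = ClearPassBounce(urllib_transport(os.environ["CPPM_URL"]),
                         os.environ["CPPM_CLIENT_ID"], os.environ["CPPM_CLIENT_SECRET"])
    cp.login()
    print("bounced sessions:", cp.disapprove_and_bounce(os.environ["TARGET_MAC"]))
```

The pause between the status change and the CoA matters: if the disconnect arrives before the endpoint update is visible to the policy engine, the re-authentication can still match the Known rule and the device gets its old access back. A dry run with `recording_transport` shows the exact call order before any credentials are handed to the script.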