And what are the CoA steps? I simply cannot find information about them.
Thanks.
Original Message:
Sent: Jul 02, 2024 08:36 AM
From: lord
Subject: Clearpass Onguard problem
CoA is probably not working.
Make sure that ClearPass and WLAN controller synchronize the original time with the same NTP server.
Make sure that RADIUS CoA is enabled in the ClearPass network device.
ClearPass uses UDP 3799 for CoA by default. Make sure that ClearPass can reach the controller via this port.
Authorization Radius Authorization or RFC 3576 Server must also be configured in the WLAN controller.
Please post enforcement from the web-auth service.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
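An added example, not part of the thread and not ClearPass or ArubaOS code: a Python check for a CoA or Disconnect-Request captured on UDP 3799, which verifies the RFC 5176 Request Authenticator against the shared secret and measures the Event-Timestamp skew against the receiver's clock, one place where clock drift between the two sides becomes visible. The shared secret, MAC address and timestamps are constructed, and whether a given controller enforces the 300-second window recommended by RFC 5176 is an assumption.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # RFC 5176 request codes
EVENT_TIMESTAMP = 55   # RFC 2869 attribute: 32-bit seconds since the epoch
REPLAY_WINDOW = 300    # default acceptance window recommended by RFC 5176

def parse_attributes(data):
    """Split the attribute section into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def check_request(packet, secret, receiver_time):
    """Verify the Request Authenticator and Event-Timestamp skew of one packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA/Disconnect request")
    packet = packet[:length]
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    stamps = [struct.unpack("!I", v)[0] for t, v in parse_attributes(packet[20:])
              if t == EVENT_TIMESTAMP and len(v) == 4]
    skew = receiver_time - stamps[0] if stamps else None
    return {"type": CODES[code],
            "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
            "skew_seconds": skew,  # None when no Event-Timestamp is present
            "within_window": skew is not None and abs(skew) <= REPLAY_WINDOW}

def build_sample(secret, event_time):
    """Constructed Disconnect-Request (never sent anywhere) used as test input."""
    mac = b"AA-BB-CC-DD-EE-FF"                                # constructed value
    attrs = bytes([EVENT_TIMESTAMP, 6]) + struct.pack("!I", event_time)
    attrs += bytes([31, 2 + len(mac)]) + mac                  # Calling-Station-Id
    header = struct.pack("!BBH", 40, 1, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs
```

An `authenticator_ok` of `False` points at a shared-secret mismatch between the two sides, while a failed `within_window` with a valid authenticator points at clock drift.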
Original Message:
Sent: Jul 02, 2024 03:45 AM
From: Razovnyik
Subject: Clearpass Onguard problem
Yeah I viewed that video, and configured everything like Herman.
Yet it seems the [ArubaOS Wireless - Terminate Session] enforcement profile has no effect, because after the Posture Scan, there is no connection bounce or anything like that.
So I am clueless now.
Original Message:
Sent: Jul 01, 2024 05:24 AM
From: lord
Subject: Clearpass Onguard problem
Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.
Have you watched any videos of Herman? He explains it very well.
https://m.youtube.com/watch?v=l5Rt2K8KJiE
------------------------------
Regards,
Waldemar
Original Message:
Sent: Jul 01, 2024 03:59 AM
From: Razovnyik
Subject: Clearpass Onguard problem
The tricky part is that I have configured this feature already. (Based on the official guide)
And yet the port bounce does not happen :(
Do I have to configure something on the AP - WLAN side? Like enabling Dynamic Authorization? I did it already, and it did not solve it.
Original Message:
Sent: Jun 29, 2024 04:31 AM
From: lord
Subject: Clearpass Onguard problem
When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKNOWN, because no status has yet been transmitted by the agent
2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.
3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.
The trick is to activate "Use Cached Results" in the Enforcement tab.
Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.
------------------------------
Regards,
Waldemar
Original Message:
Sent: Jun 28, 2024 05:02 AM
From: Razovnyik
Subject: Clearpass Onguard problem