Doing some pre-production testing of AOS8 and thought I'd have a play with the cluster COA VIP functionality. I've already tested failover between controllers so I know how well that works.
To test COA after a failover my thinking was to reboot the UAC, then try issuing a COA from clearpass. However it looks like the controller terminated the authentication session as it went down. So although I flipped across to the other controller and remained connected, Clearpass thinks the session has ended, so I can't issue a COA.
After a short time Clearpass receives some accounting data from the second controller. The accounting tab then shows the user session as active again, but the summary tab shows the user is offline. Eventually the online status becomes "not available". By this stage the original UAC is back online. I can then issue a COA, which gets no response from the network device - which makes sense because that VIP is back with the controller that no longer has that user.
This would appear not to be the expected behaviour, given all the thought that's gone into setting up the COA VIP, so the question is: have I got something configured incorrectly?