Wired Intelligent Edge

  • 1.  CoA from ClearPass to CX failing

    Posted Feb 23, 2024 02:46 PM

    This is a strange one. We have a 6300M switch with ClearPass as the RADIUS server. When attempting to issue a CoA disconnect, using the system-defined profile in ClearPass, it fails. A packet capture reveals that the switch is sending back a NAK because of Invalid Request (see pic). The dynamic authorization client is defined on the switch and is using the same shared secret as the RADIUS server. The ClearPass NAD device definition has dynamic authZ enabled for udp/3799 (default). Any ideas why the switch would be sending back the Invalid-Request?

    PCAP showing NAK being sent from switch for client CoA attempt


  • 2.  RE: CoA from ClearPass to CX failing

    Posted Feb 23, 2024 02:51 PM

    This is what is being sent back from ClearPass:




  • 3.  RE: CoA from ClearPass to CX failing

    Posted Feb 25, 2024 02:21 PM

    I have seen this issue before <Duplicate Request>.

    I suppose this is happening because either the User-Name is being sent in a different format, or maybe the Calling-Station-Id information is.

    I had a similar case with Cisco switches. It happened that I had to modify the Cisco Enforcement Profile Template parameters to fix it.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------



  • 4.  RE: CoA from ClearPass to CX failing

    Posted Feb 26, 2024 04:25 AM

    This is Aruba to Aruba. Shouldn't this work out of the box?




  • 5.  RE: CoA from ClearPass to CX failing

    Posted Feb 26, 2024 05:54 AM

    It normally works out of the box. A few things that I have seen are clock differences between ClearPass and the switch (time should be in sync to prevent replay attacks), and, if you have virtual IPs on ClearPass, the CoA may come from the VIP or sometimes from the system IP, and the switch must be configured to accept from the other IPs. I would check the logs on the switch, as they probably show the reason that the switch sends a NAK. If nothing is in the standard logs, debug logging may show more details.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
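    The two failure modes Herman lists (clock skew tripping the Event-Timestamp replay window, and a request arriving from an address the switch does not have configured as a dynamic-authorization client) can be seen end to end in the following added example. It is not part of the original thread and is not Aruba, ClearPass or AOS-CX code: it models both sides of an RFC 5176 Disconnect-Request exchange in plain Python, with the server side building the request (MD5 Request Authenticator over the packet plus the shared secret) and a toy NAS validating source IP, shared secret, Event-Timestamp drift and session, then answering Disconnect-ACK or Disconnect-NAK with an Error-Cause. All IPs, session IDs, the shared secret and the fixed clock are constructed values. Answering a stale Event-Timestamp with a NAK carrying Error-Cause 404 (Invalid Request), and silently discarding packets from unknown sources or with a bad authenticator, are assumptions made here to reproduce the symptom in the thread; they are not a statement of how the 6300M behaves.

```python
"""Toy RFC 5176 Disconnect-Request exchange: server side builds the request,
a NAS-side listener validates it and answers ACK or NAK with Error-Cause.
Added example, not Aruba/ClearPass code; all values below are constructed."""
import hashlib
import struct
import time

# RADIUS codes and attribute types (RFC 2865, RFC 2869, RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_EVENT_TIMESTAMP, ATTR_ERROR_CAUSE = 1, 44, 55, 101
# Error-Cause values from RFC 5176 section 3.5
ERR_INVALID_REQUEST, ERR_SESSION_NOT_FOUND = 404, 503
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLV stream (length covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_disconnect_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(body))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Server side: check the ACK/NAK authenticator against the request we sent."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def error_cause(packet):
    """Error-Cause value carried in an ACK/NAK (what you read from the pcap), or None."""
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


class ToyNas:
    """Minimal dynamic-authorization listener standing in for the switch (assumed behaviour)."""

    def __init__(self, secret, allowed_clients, sessions, max_skew=300, now=time.time):
        self.secret = secret                          # dynamic-authorization shared secret
        self.allowed_clients = set(allowed_clients)   # configured dynamic-auth client IPs
        self.sessions = set(sessions)                 # active Acct-Session-Id values
        self.max_skew = max_skew                      # tolerated Event-Timestamp drift, seconds
        self.now = now

    def handle(self, src_ip, packet):
        """Return the response packet, or None when the request is silently discarded."""
        if src_ip not in self.allowed_clients:
            return None                               # unknown source (e.g. a VIP not configured)
        code, ident, length = HEADER.unpack(packet[:4])
        if code != DISCONNECT_REQUEST or length != len(packet):
            return None
        req_auth, body = packet[4:20], packet[20:]
        if hashlib.md5(packet[:4] + b"\x00" * 16 + body + self.secret).digest() != req_auth:
            return None                               # wrong shared secret: discard
        attrs = dict(decode_attrs(body))

        def nak(cause):
            return build_response(DISCONNECT_NAK, ident, req_auth,
                                  [(ATTR_ERROR_CAUSE, struct.pack("!I", cause))], self.secret)

        ts = attrs.get(ATTR_EVENT_TIMESTAMP)
        if ts is not None and abs(struct.unpack("!I", ts)[0] - int(self.now())) > self.max_skew:
            return nak(ERR_INVALID_REQUEST)           # clock skew beyond the replay window
        if attrs.get(ATTR_ACCT_SESSION_ID) not in self.sessions:
            return nak(ERR_SESSION_NOT_FOUND)
        return build_response(DISCONNECT_ACK, ident, req_auth, [], self.secret)


def outcome(response):
    return "discarded" if response is None else (response[0], error_cause(response))


def run_scenarios():
    """Constructed scenarios: in-sync clock, skewed clock, unknown session, unconfigured VIP, bad secret."""
    secret, clock = b"constructed-secret", (lambda: 1_700_000_000)  # fixed clock for determinism
    nas = ToyNas(secret, allowed_clients={"10.0.0.5"}, sessions={b"SESS-0001"}, now=clock)

    def req(ts, session=b"SESS-0001", key=secret):
        return build_disconnect_request(7, [(ATTR_USER_NAME, b"alice"),
                                            (ATTR_ACCT_SESSION_ID, session),
                                            (ATTR_EVENT_TIMESTAMP, struct.pack("!I", ts))], key)

    good = req(clock())
    return {
        "in_sync": outcome(nas.handle("10.0.0.5", good)),
        "ack_authenticator_valid": verify_response(good, nas.handle("10.0.0.5", good), secret),
        "skewed_clock": outcome(nas.handle("10.0.0.5", req(clock() + 900))),
        "unknown_session": outcome(nas.handle("10.0.0.5", req(clock(), b"no-such-session"))),
        "from_vip_not_allowed": outcome(nas.handle("10.0.0.9", good)),
        "wrong_secret": outcome(nas.handle("10.0.0.5", req(clock(), key=b"other-secret"))),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

    The `error_cause` helper is the part to run against the raw bytes of the NAK in the capture: a 404 points at the request itself (timestamp window, attribute format), whereas a 503 means the switch accepted the request but could not match the session, which narrows the search considerably. Note also that in this model a source the NAS does not know about produces no NAK at all; a NAK on the wire therefore implies the switch did accept the packet from that source address.
    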



  • 6.  RE: CoA from ClearPass to CX failing

    Posted Feb 26, 2024 06:03 AM

    Thanks Herman. Time is definitely in sync, as they are both using the same NTP servers. We are using a VIP, but all physical IPs and the VIP are configured as RADIUS dynamic-authZ servers on the switch. Nothing stands out in the logs. I do have a TAC case open, but so far we haven't gotten far with them.




  • 7.  RE: CoA from ClearPass to CX failing

    Posted Feb 26, 2024 04:35 PM

    One other thing that you might want to check is to use the following command on the CX switch to ensure the requests are coming from one source, and then use that IP address in the NAD configuration in ClearPass.

    ip source-interface radius interface XXX



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------