It normally works out of the box. A few things that I have seen are clock differences between ClearPass and the switch (time should be in sync to prevent replay attacks), and, if you have virtual IPs on ClearPass, the CoA may come from the VIP or sometimes from the system IP, so the switch must be configured to accept it from the other IPs as well. I would check the logs on the switch, as they probably show the reason that the switch sends a NAK. If nothing is in the standard logs, debug logging may show more details.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
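The checks above (shared secret, source address of the dynamic-authorization client, time window) are the ones RFC 5176 has a NAS apply before it honours a Disconnect-Request, and the Disconnect-NAK carries an Error-Cause attribute that says which content check failed. The model below is an added example written for this thread; it is not code from any of the posts and not Aruba/HPE code. It builds a Disconnect-Request with a correct Request Authenticator, plays the switch side for the failure modes discussed in the thread, and decodes the Error-Cause of a captured NAK. Addresses, secrets, session IDs and timestamps are constructed sample values, and the mapping of each failure to "silently drop" versus a NAK with a particular Error-Cause follows the RFC text; which check a specific vendor reports as 404 Invalid Request is that vendor's choice and is assumed here, not taken from the thread.

```python
"""RFC 5176 Disconnect-Request / Disconnect-NAK model (added example, not from the thread)."""
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
EVENT_TIMESTAMP, ERROR_CAUSE = 55, 101

# Error-Cause values from RFC 5176 that the checks below can produce
ERROR_CAUSE_NAMES = {402: "Missing Attribute", 404: "Invalid Request",
                     503: "Session Context Not Found"}


def encode_attrs(attrs):
    """attrs: list of (type, value); int values are encoded as 4-octet integers."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLV attributes; raise ValueError on a truncated or zero-length one."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_disconnect_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def build_response(request, code, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def nas_handle(pkt, src_ip, clients, sessions, now, window=300):
    """Switch side. Returns ("drop", reason), ("nak", error_cause) or ("ack", None).

    clients:  {source_ip: shared_secret}   the dynamic-authorization client table
    sessions: {Acct-Session-Id: User-Name} sessions currently known to the NAS
    """
    secret = clients.get(src_ip)
    if secret is None:  # e.g. CoA arrives from the ClearPass VIP but only the system IP is configured
        return "drop", "unknown dynamic-authorization client %s" % src_ip
    if len(pkt) < 20 or pkt[0] != DISCONNECT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "drop", "not a well-formed Disconnect-Request"
    body = pkt[20:]
    if hashlib.md5(pkt[:4] + b"\x00" * 16 + body + secret).digest() != pkt[4:20]:
        return "drop", "bad Request Authenticator (shared secret mismatch); RFC 5176 says silently discard"
    try:
        attrs = dict(decode_attrs(body))
    except ValueError:
        return "nak", 404
    ts = attrs.get(EVENT_TIMESTAMP)
    if ts is not None:
        if len(ts) != 4:
            return "nak", 404
        if abs(now - struct.unpack("!I", ts)[0]) > window:
            return "drop", "Event-Timestamp outside replay window (clock skew between server and NAS?)"
    sid, user = attrs.get(ACCT_SESSION_ID), attrs.get(USER_NAME)
    if sid is None and user is None:
        return "nak", 402
    if sid is not None and sid.decode() not in sessions:
        return "nak", 503
    if sid is not None and user is not None and sessions[sid.decode()] != user.decode():
        return "nak", 404  # identification attributes contradict each other
    return "ack", None


def read_nak(pkt):
    """Decode the Error-Cause of a captured Disconnect-NAK, e.g. (404, 'Invalid Request')."""
    if pkt[0] != DISCONNECT_NAK:
        return None
    for t, v in decode_attrs(pkt[20:]):
        if t == ERROR_CAUSE and len(v) == 4:
            code = struct.unpack("!I", v)[0]
            return code, ERROR_CAUSE_NAMES.get(code, "Unknown")
    return None


# Constructed sample environment: system IP configured as client, VIP 10.0.0.9 deliberately missing
SECRET = b"constructed-secret"
CLIENTS = {"10.0.0.10": SECRET}
SESSIONS = {"000F0001": "alice"}
NOW = 1708900000  # constructed current time on the switch


def demo():
    req = build_disconnect_request(7, [(USER_NAME, "alice"), (ACCT_SESSION_ID, "000F0001"),
                                       (EVENT_TIMESTAMP, NOW)], SECRET)
    r = {"good": nas_handle(req, "10.0.0.10", CLIENTS, SESSIONS, NOW),
         "from_vip": nas_handle(req, "10.0.0.9", CLIENTS, SESSIONS, NOW),
         "wrong_secret": nas_handle(req, "10.0.0.10", {"10.0.0.10": b"other"}, SESSIONS, NOW),
         "clock_skew": nas_handle(req, "10.0.0.10", CLIENTS, SESSIONS, NOW + 3600)}
    unknown = build_disconnect_request(8, [(ACCT_SESSION_ID, "DEADBEEF"), (EVENT_TIMESTAMP, NOW)], SECRET)
    r["unknown_session"] = nas_handle(unknown, "10.0.0.10", CLIENTS, SESSIONS, NOW)
    r["nak_decoded"] = read_nak(build_response(unknown, DISCONNECT_NAK, [(ERROR_CAUSE, 503)], SECRET))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the drop/NAK split: a secret mismatch or an unknown client address gives you nothing on the wire at all, so a NAK that actually comes back means the switch accepted the packet's authenticity and rejected its content, which is why reading the Error-Cause (and the switch's own log line for it) is the quickest way to narrow the problem down.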
Original Message:
Sent: Feb 26, 2024 04:25 AM
From: efisher214
Subject: CoA from ClearPass to CX failing
This is Aruba to Aruba. Shouldn't this work out of the box?
Original Message:
Sent: Feb 25, 2024 02:20 PM
From: shpat
Subject: CoA from ClearPass to CX failing
I have seen this issue before <Duplicate Request>.
I suppose this is happening because either the User-Name is being sent in a different format, or maybe the Calling-Station-Id information is.
I had a similar case with Cisco switches. It happened that I had to modify the Cisco Enforcement Profile Template parameters to fix it.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: Feb 23, 2024 02:51 PM
From: efisher214
Subject: CoA from ClearPass to CX failing
This is what is being sent back from ClearPass:
Original Message:
Sent: Feb 23, 2024 02:46 PM
From: efisher214
Subject: CoA from ClearPass to CX failing
This is a strange one. We have a 6300M switch with ClearPass as the RADIUS server. When attempting to issue a CoA disconnect, using the system-defined profile in ClearPass, it fails. A packet capture reveals that the switch is sending back a NAK because of Invalid Request (see pic). The dynamic authorization client is defined on the switch and is using the same shared secret as the RADIUS server. The ClearPass NAD device definition has dynamic authZ enabled for udp/3799 (default). Any ideas why the switch would be sending back the Invalid-Request?