
CoA from CLEARPASS to the switch doesn't work

  • 1.  CoA from CLEARPASS to the switch doesn't work

    Posted Jan 11, 2023 09:47 AM
    Hi All,
    I am trying to enforce CoA with [AOS-CX - Bounce Switch Port] and get this status message in the Access Tracker:
    Radius [AOS-CX - Bounce Switch Port] failed for client 705a0f46e6e8


    Any suggestions on how I can fix it?

    I have just configured snmpv3 on the switch and under "Devices" on CPPM for that switch.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------


  • 2.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 11, 2023 09:54 AM
    Is this an AOS-CX switch?  Is UDP/3799 open from ClearPass to the switch?  Do you have Dynamic Authorization configured on the switch?

    SNMPv3 is not needed or used in this flow.  Do you not have CoA or RADIUS enabled for the switch within ClearPass at all?


  • 3.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 11, 2023 04:12 PM
    The port bounce uses RADIUS CoA, so on the switch you need to configure:

    radius dyn-authorization enable
    !
    radius dyn-authorization client <ip addr> secret-key ciphertext <blah> vrf < optional>

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 11, 2023 06:01 PM
    Also be sure your switch clock is synced to an NTP server.

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 12, 2023 10:15 AM
    Thank you.
    They are synchronized

    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 6.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 12, 2023 10:16 AM
    I enabled it.
    Probably not the issue in this case.

    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 7.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 12, 2023 10:15 AM
    Yes,
    It is an AOS-CX switch. I have a rule in the FW from the switch mgmt IP (as source) to the CP (as destination) that allows any.
    Do you think I need an additional rule from the CP as source to the switch as destination (with UDP port 3799)?
    Yes, I have Dynamic Authorization configured. Here is the configuration:
    radius dyn-authorization enable
    radius dyn-authorization client 192.168.10.90 secret-key ciphertext "AQBapV40"
    radius dyn-authorization client 192.168.10.93 secret-key ciphertext "AQBapV40"

    I do have RADIUS enabled. I have already succeeded in making the CP send a user-role name to the switch in an enforcement profile.

    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 8.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 15, 2023 06:51 AM

    I don't see any traffic on the FW from the CP to the switch (They are in different segments).

    So there is no UDP 3799 I can see.

    Any chance the CP doesn't send it for some reason?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 9.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 16, 2023 02:48 AM
    Edited by GorazdKikelj Jan 16, 2023 02:54 AM
    Did you configure radius dyn-authorization on the correct VRF?
    Just for the sake of completeness, did you enable dyn-auth on the ClearPass device definition for the switch?


    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 10.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 16, 2023 02:56 AM
    Yes, on the default VRF.
    **************** output ******************
    radius dyn-authorization enable
    radius dyn-authorization client 192.168.10.90 secret-key ciphertext "AQBapV40"
    radius dyn-authorization client 192.168.10.93 secret-key ciphertext "AQBapV40"
    *****************************************


    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 11.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 16, 2023 09:54 AM
    Hi, is the RADIUS server key the same as for the radius dyn-authorization?

    The key has to be AQBapV40 for both in the switch and in Clearpass.
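    The two checks this thread keeps coming back to, reachability of UDP/3799 from ClearPass to the switch (post 2) and an identical shared secret on both ends (post 11), can be reasoned about from the wire format. The following is an added example written for this thread; it is not ClearPass or AOS-CX code. It builds an RFC 5176 CoA-Request the way a CoA client does, verifies it the way the NAS (the switch) does, and models the switch's behaviour when the secret does not match. SECRET, the Calling-Station-Id and the Acct-Session-Id values are constructed test data, and send_coa is a plain UDP probe you would point at the switch's management IP.

```python
"""RFC 5176 CoA-Request builder/verifier for RADIUS Dynamic Authorization (UDP/3799).
Added example for this thread, not ClearPass or AOS-CX code; secret and session AVPs are constructed."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_MESSAGE_AUTHENTICATOR = 31, 44, 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
ZERO16 = bytes(16)
SECRET = b"example-coa-secret"      # constructed; must be identical on the switch and in ClearPass
SAMPLE_AVPS = [(ATTR_CALLING_STATION_ID, b"70-5a-0f-46-e6-e8"),   # constructed session selectors
               (ATTR_ACCT_SESSION_ID, b"0001A2B3")]


def encode_avp(attr_type, value):
    """Type, Length (includes these two octets), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("AVP value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse(packet):
    """-> (code, identifier, authenticator, [(type, value, offset)]); ValueError if malformed."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("Length field does not match datagram")
    avps, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed AVP")
        avps.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]], pos))
        pos += packet[pos + 1]
    return code, ident, auth, avps


def build_request(secret, identifier, avps, code=COA_REQUEST):
    """CoA-Request per RFC 5176: Message-Authenticator first, then the Request Authenticator."""
    body = b"".join(encode_avp(t, v) for t, v in avps) + encode_avp(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    length = HEADER.size + len(body)
    # Message-Authenticator = HMAC-MD5(secret, packet) with the Authenticator field and the M-A value zeroed
    body = body[:-16] + hmac.new(secret, HEADER.pack(code, identifier, length, ZERO16) + body, hashlib.md5).digest()
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret), Accounting-Request style
    req_auth = hashlib.md5(HEADER.pack(code, identifier, length, ZERO16) + body + secret).digest()
    return HEADER.pack(code, identifier, length, req_auth) + body


def verify_request(secret, packet):
    """The NAS-side check. RFC 5176 says a request that fails it is silently discarded: no NAK is sent."""
    try:
        code, ident, auth, avps = parse(packet)
    except ValueError:
        return False
    expected = hashlib.md5(HEADER.pack(code, ident, len(packet), ZERO16) + packet[HEADER.size:] + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return False
    for attr_type, value, offset in avps:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = bytearray(packet)
            zeroed[4:20] = ZERO16                    # Authenticator field
            zeroed[offset + 2:offset + 18] = ZERO16  # Message-Authenticator value
            if not hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), value):
                return False
    return True


def build_response(secret, request, code, avps=()):
    """CoA-ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse(request)
    body = b"".join(encode_avp(t, v) for t, v in avps)
    length = HEADER.size + len(body)
    return HEADER.pack(code, ident, length,
                       hashlib.md5(HEADER.pack(code, ident, length, req_auth) + body + secret).digest()) + body


def switch_handle(secret, request):
    """Model of the switch: None (silent discard) on a bad secret, otherwise a CoA-ACK."""
    return build_response(secret, request, COA_ACK) if verify_request(secret, request) else None


def send_coa(host, secret, avps, port=3799, timeout=3.0):
    """Probe a real NAS. No reply is ambiguous: a datagram dropped in transit (firewall) and one
    discarded for a secret mismatch look identical, so confirm the client->switch UDP/3799 path first."""
    request = build_request(secret, 1, avps)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (path blocked, or discarded by the NAS: secret mismatch)"
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(reply[0], "unexpected code %d" % reply[0])
```

    switch_handle returning None for a wrong secret is the behaviour RFC 5176 prescribes for a failed Request Authenticator or Message-Authenticator check, which is why a mismatched key is indistinguishable from a firewall drop when viewed from the ClearPass side: in both cases there is no CoA-ACK/NAK. Seeing zero UDP/3799 packets at the firewall, as in post 8, is therefore the more specific clue, since a secret mismatch would still produce the outbound datagram. Running send_coa from a host on the ClearPass segment against the switch management IP separates the two cases: a CoA-NAK or CoA-ACK proves the path and the secret, no reply with packets visible at the firewall points at the key.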


  • 12.  RE: CoA from CLEARPASS to the switch doesn't work

    Posted Jan 17, 2023 04:35 AM
    There is a chance this was the issue.
    Double-checking it as we speak.

    Thank you

    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------