Network Management

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

Hello Herman
Thanks for your post. My test client has an active wifi session, and I can see the accounting data. 
For the interim update on ClearPass, I only found this setting, which is set true.

Unfortunately, the "Radius -Dynamic-Authorization" field in Access Tracker is still grayed out. Any other ideas?
If I view the same session in the guest portal under active session, it shows me the following:




(I am currently using CPPM 6.11.11. It was still working a few months ago with an older version. I can't say whether it's since the last update or not.)

Original Message:
Sent: Jun 16, 2025 09:47 AM
From: Herman Robers
Subject: CoA is not working/available in Wifi

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

In that case, please double-check the Vendor Name as configured in the Network Devices:

It's Aruba for APs/Controllers/Gateways/CX; it's Hewlett Packard Enterprise for AOS-S.  Also make sure Dynamic Authorization is enabled, and the actual source IP and the NAS-IP (if different) are both configured as a Network Device. If that doesn't help, maybe opening a TAC case to find the root cause is best.

Hello Herman
Thanks for your post. My test client has an active wifi session, and I can see the accounting data. 
For the interim update on ClearPass, I only found this setting, which is set true.

Unfortunately, the "Radius -Dynamic-Authorization" field in Access Tracker is still grayed out. Any other ideas?
If I view the same session in the guest portal under active session, it shows me the following:




(I am currently using CPPM 6.11.11. It was still working a few months ago with an older version. I can't say whether it's since the last update or not.)

Original Message:
Sent: Jun 16, 2025 09:47 AM
From: Herman Robers
Subject: CoA is not working/available in Wifi

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

Thank you Herman. I have already checked all these settings like VSA, Port and IPs, everything seems to be fine. I will open a TAC as suggested.

In that case, please double-check the Vendor Name as configured in the Network Devices:

It's Aruba for APs/Controllers/Gateways/CX; it's Hewlett Packard Enterprise for AOS-S.  Also make sure Dynamic Authorization is enabled, and the actual source IP and the NAS-IP (if different) are both configured as a Network Device. If that doesn't help, maybe opening a TAC case to find the root cause is best.

Hello Herman
Thanks for your post. My test client has an active wifi session, and I can see the accounting data. 
For the interim update on ClearPass, I only found this setting, which is set true.

Unfortunately, the "Radius -Dynamic-Authorization" field in Access Tracker is still grayed out. Any other ideas?
If I view the same session in the guest portal under active session, it shows me the following:




(I am currently using CPPM 6.11.11. It was still working a few months ago with an older version. I can't say whether it's since the last update or not.)

Original Message:
Sent: Jun 16, 2025 09:47 AM
From: Herman Robers
Subject: CoA is not working/available in Wifi

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

Did you enable RFC 3576 in AAA profile and add RADIUS servers into profile server group?

It's not obvious but by default DynAuth servers are not added to SSID profile when you create it.

Best, Gorazd

Thank you Herman. I have already checked all these settings like VSA, Port and IPs, everything seems to be fine. I will open a TAC as suggested.

In that case, please double-check the Vendor Name as configured in the Network Devices:

It's Aruba for APs/Controllers/Gateways/CX; it's Hewlett Packard Enterprise for AOS-S.  Also make sure Dynamic Authorization is enabled, and the actual source IP and the NAS-IP (if different) are both configured as a Network Device. If that doesn't help, maybe opening a TAC case to find the root cause is best.

Hello Herman
Thanks for your post. My test client has an active wifi session, and I can see the accounting data. 
For the interim update on ClearPass, I only found this setting, which is set true.

Unfortunately, the "Radius -Dynamic-Authorization" field in Access Tracker is still grayed out. Any other ideas?
If I view the same session in the guest portal under active session, it shows me the following:




(I am currently using CPPM 6.11.11. It was still working a few months ago with an older version. I can't say whether it's since the last update or not.)

Original Message:
Sent: Jun 16, 2025 09:47 AM
From: Herman Robers
Subject: CoA is not working/available in Wifi

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help

Hello Gorazd, thanks for your input. Yes, i have configured two radius servers as " rfc3576 servers" and assigned them to the SSID in the AAA profile. that looks good too.

Did you enable RFC 3576 in AAA profile and add RADIUS servers into profile server group?

It's not obvious but by default DynAuth servers are not added to SSID profile when you create it.

Best, Gorazd

Thank you Herman. I have already checked all these settings like VSA, Port and IPs, everything seems to be fine. I will open a TAC as suggested.

In that case, please double-check the Vendor Name as configured in the Network Devices:

It's Aruba for APs/Controllers/Gateways/CX; it's Hewlett Packard Enterprise for AOS-S.  Also make sure Dynamic Authorization is enabled, and the actual source IP and the NAS-IP (if different) are both configured as a Network Device. If that doesn't help, maybe opening a TAC case to find the root cause is best.

Hello Herman
Thanks for your post. My test client has an active wifi session, and I can see the accounting data. 
For the interim update on ClearPass, I only found this setting, which is set true.

Unfortunately, the "Radius -Dynamic-Authorization" field in Access Tracker is still grayed out. Any other ideas?
If I view the same session in the guest portal under active session, it shows me the following:




(I am currently using CPPM 6.11.11. It was still working a few months ago with an older version. I can't say whether it's since the last update or not.)

Original Message:
Sent: Jun 16, 2025 09:47 AM
From: Herman Robers
Subject: CoA is not working/available in Wifi

There needs to be an active session for that client. I make sure accounting is working and if possible also interim accounting (enable processing of interim accounting in ClearPass as well).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 13, 2025 06:39 AM
From: Richard Schmidli
Subject: CoA is not working/available in Wifi

Hi all

I am using dynamic authorization in lan and it works fine. In Wifi (controller based) it does not work. Wifi clients have the field for CoA grayed out.
What are the requirements that this field is not grayed out and the dropdown with the different "bounces" is available for selection?

Thanks for help