Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CoA message doesn't include Message-Authenticator

  • 1.  CoA message doesn't include Message-Authenticator

    Posted Aug 04, 2022 03:35 AM
    I'm trying to get CoA working with XIQ (Aerohive) APs. First up I had to change the device type to Extreme, since Clearpass doesn't think Aerohive devices can do CoA. But now the AP is rejecting the CoA because it doesn't include a Message-Authenticator value. What determines if ClearPass includes Message-Authenticator in CoA packets? It doesn't include it in the RADIUS Access-Accept packet unless I set the device type to Aruba (but then no CoA is sent on WEBAUTH).

    I found Policy Manager, which mentions a bit about Message-Authenticator being verified for RFC 5176-compliant controllers, so I guess the question is what vendor types are marked as RFC 5176-compliant?


  • 2.  RE: CoA message doesn't include Message-Authenticator

    EMPLOYEE
    Posted Aug 09, 2022 06:17 AM
    What I read from it is that if the controller sends Message-Authenticators, ClearPass will verify those. I can't read from it what that means about ClearPass including Message-Authenticators in the CoA Request.

    From RFC 5176:
       The Message-Authenticator Attribute MAY be used to authenticate and
       integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request,
       Disconnect-ACK, and Disconnect-NAK packets in order to prevent
       spoofing.

    ... suggests that sending a Message-Authenticator is optional. I'm not sure if it is.

    Some network devices also require the RADIUS Secret for CoA to be set separately from the RADIUS Secret used for authentication. Please check that there is a match for CoA, although 'doesn't include' suggests that your AP requires the Message-Authenticator but doesn't see it. That behaviour may be configurable as well. I don't know these APs, so can't really help with that.

    If CoA support has been added to XIQ APs, and ClearPass is unaware of it, please reach out to Aruba Support to get that fixed in the RADIUS Dictionaries. Changing to another vendor is not a good idea in most cases.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CoA message doesn't include Message-Authenticator

    Posted Aug 23, 2022 12:31 AM
    I opened a case with TAC, and they said you can add Message-Authenticator with a fake value and then the ClearPass engine will populate it with the correctly calculated value (confirmed by pcap). And now it's working.
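To make the two points above concrete (the RFC 5176 text quoted in reply 2, and the "fake value gets replaced by the correctly calculated one" behaviour TAC described in reply 3), here is an added example that is not part of this thread and not ClearPass or Aruba code. It assembles a CoA-Request with the same attributes as the Extreme Wireless template, appends a 16-zero-octet placeholder Message-Authenticator, replaces it with the real HMAC-MD5, and then verifies the packet the way a NAS would. It assumes the signing convention FreeRADIUS uses for CoA-Request and Disconnect-Request (HMAC-MD5 computed with the Request Authenticator field and the Message-Authenticator value both treated as sixteen zero octets, then Request Authenticator = MD5 over the finished packet plus the shared secret, as for Accounting-Request in RFC 2866). The shared secret, user, MAC and NAS address are constructed sample values.

```python
"""Build and verify RADIUS CoA-Request packets carrying Message-Authenticator.

Added example (not ClearPass code). Signing convention assumed: the one
FreeRADIUS applies to CoA-Request/Disconnect-Request (see lead-in).
"""
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ZERO16 = bytes(16)


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Return (type, offset of value within packet, value) for every attribute."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def sample_attributes() -> bytes:
    """Constructed sample values matching the Extreme Wireless Change-Login template."""
    return (avp(ATTR_USER_NAME, b"alice")
            + avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
            + avp(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
            + avp(ATTR_EVENT_TIMESTAMP, struct.pack("!I", 1660000000)))


def build_coa_request(identifier: int, attributes: bytes, secret: bytes,
                      include_message_authenticator: bool = True) -> bytes:
    """Assemble a CoA-Request. The placeholder Message-Authenticator (16 zero
    octets) is appended first and then replaced by the computed HMAC-MD5."""
    attrs = attributes
    if include_message_authenticator:
        attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)        # the "fake value"
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    if include_message_authenticator:
        # HMAC-MD5 over the packet with Request Authenticator and the
        # Message-Authenticator value both set to zero (assumed convention).
        mac = hmac.new(secret, header + ZERO16 + attrs, hashlib.md5).digest()
        attrs = attributes + avp(ATTR_MESSAGE_AUTHENTICATOR, mac)
    # Request Authenticator: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    request_authenticator = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    return header + request_authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> tuple:
    """Perform the checks a NAS performs; the reason string says which one failed."""
    if len(packet) < HEADER_LEN or packet[0] != CODE_COA_REQUEST:
        return False, "not a CoA-Request"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length field mismatch"
    header, request_authenticator, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    macs = [(off, val) for t, off, val in parse_attributes(packet)
            if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return False, "Message-Authenticator missing"      # what the AP in the thread rejects
    offset, received_mac = macs[0]
    if len(received_mac) != 16:
        return False, "Message-Authenticator has wrong length"
    zeroed = bytearray(packet)
    zeroed[4:HEADER_LEN] = ZERO16
    zeroed[offset:offset + 16] = ZERO16
    expected_mac = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received_mac, expected_mac):
        return False, "Message-Authenticator mismatch (wrong shared secret or altered packet)"
    expected_ra = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    if not hmac.compare_digest(request_authenticator, expected_ra):
        return False, "Request Authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"example-shared-secret"                      # constructed sample secret
    good = build_coa_request(7, sample_attributes(), secret)
    print(verify_coa_request(good, secret))                                            # (True, 'ok')
    print(verify_coa_request(build_coa_request(7, sample_attributes(), secret, False), secret))
    print(verify_coa_request(good, b"some-other-secret"))  # distinguishes a wrong CoA secret
```

The three reasons the verifier returns map onto the troubleshooting steps in this thread: "missing" is the AP's complaint when the template carries no Message-Authenticator at all, while "mismatch" is what you would see if the separate CoA shared secret reply 2 mentions does not match. Running the verifier over a packet taken from a capture (with the real secret) tells you which of the two you are dealing with.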




  • 4.  RE: CoA message doesn't include Message-Authenticator

    Posted Aug 23, 2022 12:45 AM
    I forgot that to make it work for Extreme I'd added a CoA template to Administration » Dictionaries » RADIUS Dynamic Authorization Templates, which would probably be another way instead of adding it in the profiles themselves.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Fri Sep 17 15:37:19 AWST 2021" version="6.10"/>
      <RadiusCOATemplates>
        <RadiusCOATemplate vendorId="1916" templateType="CoA" displayName="Extreme Wireless - Change-Login" name="ExtremeWireless-Change-Login">
          <AttributeList>
            <Attribute inputRequired="Not_Required" value="%{Application:User-Name}" name="User-Name" type="Radius:IETF"/>
            <Attribute inputRequired="Not_Required" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
            <Attribute inputRequired="Required" value="%{Radius:IETF:NAS-IP-Address}" name="NAS-IP-Address" type="Radius:IETF"/>
            <Attribute inputRequired="Required" value="%{Radius:IETF:Login-LAT-Port}" name="Login-LAT-Port" type="Radius:IETF"/>
            <Attribute inputRequired="Required" value="%{Radius:IETF:Event-Timestamp}" name="Event-Timestamp" type="Radius:IETF"/>
          </AttributeList>
        </RadiusCOATemplate>
        <RadiusCOATemplate vendorId="1916" templateType="Disconnect" displayName="Extreme Wireless - Terminate Session" name="ExtremeWireless-Terminate-Session">
          <AttributeList>
            <Attribute inputRequired="Required" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
            <Attribute inputRequired="Not_Required" value="%{Radius:IETF:Acct-Session-Id}" name="Acct-Session-Id" type="Radius:IETF"/>
            <Attribute inputRequired="Required" value="%{Radius:IETF:Event-Timestamp}" name="Event-Timestamp" type="Radius:IETF"/>
          </AttributeList>
        </RadiusCOATemplate>
      </RadiusCOATemplates>
    </TipsContents>



  • 5.  RE: CoA message doesn't include Message-Authenticator

    Posted Aug 15, 2022 01:49 PM
    Hey, I personally don't think that it's an indispensable thing, is it?