What I read from it is that if the controller sends Message-Authenticators, that ClearPass will verify those. Can't read from it what that means about ClearPass including Message-Authenticators in the CoA Request.
From RFC 5176:

    The Message-Authenticator Attribute MAY be used to authenticate and
    integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request,
    Disconnect-ACK, and Disconnect-NAK packets in order to prevent
    spoofing.

... suggests that sending a Message-Authenticator is optional. I'm not sure if it is.
Some network devices also require the RADIUS Secret for CoA to be set separately from the RADIUS Secret used for authentication. Please check that there is a match for CoA, although 'doesn't include' suggests that your AP requires the Message-Authenticator but doesn't see it. That behaviour may be configurable as well. I don't know these APs, so can't really help with that.
If CoA support has been added to XIQ APs, and ClearPass is unaware of it, please reach out to Aruba Support to get that fixed in the RADIUS Dictionaries. Changing to another vendor is not a good idea in most cases.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 04, 2022 03:34 AM
From: James Andrewartha
Subject: CoA message doesn't include Message-Authenticator
I'm trying to get CoA working with XIQ (Aerohive) APs. First up I had to change the device type to Extreme, since Clearpass doesn't think Aerohive devices can do CoA. But now the AP is rejecting the CoA because it doesn't include a Message-Authenticator value. What determines if ClearPass includes Message-Authenticator in CoA packets? It doesn't include it in the RADIUS Access-Accept packet unless I set the device type to Aruba (but then no CoA is sent on WEBAUTH).
I found Policy Manager, which mentions a bit about Message-Authenticator being verified for RFC 5176-compliant controllers, so I guess the question is what vendor types are marked as RFC 5176-compliant?
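As an added example (not part of either post above, and not ClearPass or Extreme/Aerohive code), the following Python builds a CoA-Request with and without a Message-Authenticator and runs the checks a NAS that requires the attribute would apply, which is what the AP in this thread appears to be doing when it rejects the packet. It assumes the Request Authenticator is the RFC 2866-style MD5 over the packet with a zeroed Authenticator field, that the Message-Authenticator HMAC-MD5 (RFC 3579) is computed while both the Authenticator field and the attribute's own value are zero, and that the shared secret, identifier and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet constants (RFC 2865 / RFC 5176)
COA_REQUEST = 43                 # Code for CoA-Request
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579
AUTH_LEN = 16
HEADER_LEN = 4 + AUTH_LEN


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def parse_attrs(packet):
    """Return (type, value_offset, value) for each attribute after the header."""
    attrs = []
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, off + 2, packet[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def build_coa_request(identifier, attrs, secret, include_message_authenticator=True):
    """Build a CoA-Request, optionally carrying a Message-Authenticator (type 80)."""
    attrs = list(attrs)
    if include_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(AUTH_LEN)))  # zero placeholder
    body = encode_attrs(attrs)
    pkt = bytearray(struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(body)))
    pkt += bytes(AUTH_LEN)  # Authenticator field is all zeros at this point
    pkt += body
    if include_message_authenticator:
        # Assumption: HMAC-MD5 keyed with the shared secret over the whole packet
        # while the Authenticator field and the Message-Authenticator value are zero.
        pkt[-AUTH_LEN:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Request Authenticator (RFC 2866 style, as used by RFC 5176 requests):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    pkt[4:HEADER_LEN] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def verify_coa_request(packet, secret, require_message_authenticator=True):
    """Run the checks a receiving NAS performs and return their outcomes."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = parse_attrs(packet)

    # 1. Request Authenticator: recompute with the Authenticator field zeroed.
    zeroed = bytearray(packet)
    zeroed[4:HEADER_LEN] = bytes(AUTH_LEN)
    expected_auth = hashlib.md5(bytes(zeroed) + secret).digest()
    auth_ok = hmac.compare_digest(expected_auth, packet[4:HEADER_LEN])

    # 2. Message-Authenticator: HMAC-MD5 with its own value (and Authenticator) zeroed.
    present = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    ma_ok = None  # None means the attribute is absent from the packet
    if present:
        off, val = present[0]
        if len(val) != AUTH_LEN:
            ma_ok = False
        else:
            zeroed[off:off + AUTH_LEN] = bytes(AUTH_LEN)
            expected_mac = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            ma_ok = hmac.compare_digest(expected_mac, val)

    # A NAS that requires the attribute rejects a packet that lacks it, even when
    # the Request Authenticator (i.e. the shared secret) is correct.
    accepted = (auth_ok and ma_ok is not False
                and not (require_message_authenticator and ma_ok is None))
    return {"request_authenticator": auth_ok, "message_authenticator": ma_ok,
            "accepted": accepted}


# Constructed sample values for the demonstration
SECRET = b"example-coa-secret"
ATTRS = [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_SESSION_ID, b"00000001")]

if __name__ == "__main__":
    with_ma = build_coa_request(7, ATTRS, SECRET)
    without_ma = build_coa_request(8, ATTRS, SECRET, include_message_authenticator=False)
    print("with Message-Authenticator:   ", verify_coa_request(with_ma, SECRET))
    print("without Message-Authenticator:", verify_coa_request(without_ma, SECRET))
```

The third outcome worth checking in practice is a wrong CoA secret: both the Request Authenticator and the Message-Authenticator fail, so a "doesn't include" style rejection (Request Authenticator fine, attribute absent) is distinguishable from a secret mismatch (everything fails).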