We are testing the OnGuard persistent agent for the first time with CPPM v6.8 and an Aruba 2930 wired switch only. We have a test laptop (with the PA installed) connected to the switch. The user authenticates the first time via the 802.1x service with a posture of UNKNOWN and successfully gets moved to a quarantine VLAN. Then the agent runs the health check successfully and gets a healthy status (token), and the Access Tracker shows the profile with attribute [ArubaOS switching - terminate session] is sent as part of the output along with the healthy token. However, the CoA does not happen and the switch shows the user stays in the quarantine VLAN. Also, the 802.1x service is never hit a second time, meaning the re-auth never happens (according to Access Tracker).
Note: We have double-checked and verified:
- UDP 3799 is allowed fully both directions
- The CPPM NAD dyn-auth for this switch is enabled with port 3799
- The switch has this config:
radius-server host x.x.x.x key <key>
radius-server host x.x.x.x dyn-authorization
radius-server host x.x.x.x time-window 0
radius-server tracking interval 60
aaa server-group radius "CPPM" host x.x.x.x
aaa port-access gvrp-vlans
aaa authentication port-access eap-radius
...and all the needed port-access commands
- On the CPPM NAD entry, we have also tried using both 'Aruba' and 'HPE' as the vendor and get the same result (does it matter for a 2930F)?
Why is the RADIUS CoA not terminating the session? Why is the 802.1x re-auth not happening?
I'd suggest approaching this step by step.
Does a manual CoA work (Change Status) in Access Tracker?
Do you see the RADIUS CoA tab on the original authentication? Does it show a successful CoA?
If it works fine manually, do you see the RADIUS CoA tab in the original authentication after the OnGuard WEBAUTH triggered the CoA?
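The checks above hinge on whether the switch ever accepts and answers the RFC 5176 Disconnect-Request that the "terminate session" enforcement profile triggers on UDP 3799. The following is an added example, not code from the thread, from HPE/Aruba or from ClearPass: it builds a Disconnect-Request the way a RADIUS server does, verifies it the way the NAS does, and constructs the Disconnect-ACK/NAK replies, so you can see why a shared-secret mismatch shows up as silence (RFC 5176 has the NAS silently discard a request whose authenticator does not verify) while a session the switch cannot match comes back as a NAK with Error-Cause 503 (Session Context Not Found). The secret, username, MAC, session id and NAS address are all constructed values, not taken from the poster's configuration.

```python
"""RFC 5176 Disconnect-Request/CoA packet construction and authenticator checks.
Added illustration; not the thread's, HPE/Aruba's or ClearPass's own code."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176, section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types (RFC 2865 / RFC 2866 / RFC 5176)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 Error-Cause value


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs; length covers type+len+value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse the attribute region of a packet back into (type, value-bytes) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def request_authenticator(code, ident, attr_bytes, secret):
    """RFC 5176 s.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + b"\x00" * 16 + attr_bytes + secret).digest()


def build_request(code, ident, attrs, secret):
    """Server side: Disconnect-Request or CoA-Request with a computed Request Authenticator."""
    attr_bytes = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return header + request_authenticator(code, ident, attr_bytes, secret) + attr_bytes


def verify_request(packet, secret):
    """NAS side: recompute the authenticator with the NAS's copy of the shared secret.
    A mismatch means the NAS silently discards the request, so the server only sees a timeout."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = request_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request_packet, attrs, secret):
    """NAS side: ACK/NAK whose Response Authenticator covers the Request Authenticator."""
    attr_bytes = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request_packet[1], 20 + len(attr_bytes))
    auth = hashlib.md5(header + request_packet[4:20] + attr_bytes + secret).digest()
    return header + auth + attr_bytes


def verify_response(response, request_packet, secret):
    """Server side: check the reply belongs to our request and was signed with the same secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20 or ident != request_packet[1]:
        return False
    expected = hashlib.md5(response[:4] + request_packet[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Walk through the three outcomes an Access Tracker CoA tab can reflect."""
    secret = b"constructed-shared-secret"            # constructed; not the poster's key
    session = [                                      # constructed session identifiers
        (ATTR_USER_NAME, b"testuser"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_ACCT_SESSION_ID, b"0000001A"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ]
    req = build_request(DISCONNECT_REQUEST, 7, session, secret)
    ack = build_response(DISCONNECT_ACK, req, [], secret)
    nak = build_response(DISCONNECT_NAK, req,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))],
                         secret)
    nak_cause = struct.unpack("!I", dict(decode_attrs(nak[20:]))[ATTR_ERROR_CAUSE])[0]
    return {
        "request_len": len(req),
        "verify_with_correct_secret": verify_request(req, secret),
        "verify_with_wrong_secret": verify_request(req, b"different-secret"),  # -> dropped
        "ack_code": ack[0],
        "ack_verifies": verify_response(ack, req, secret),
        "nak_verifies": verify_response(nak, req, secret),
        "nak_error_cause": nak_cause,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Reading the three outcomes back against the thread: a successful CoA in the tab corresponds to the ACK path, a NAK with Error-Cause 503 points at the session identifiers in the request not matching what the switch holds, and no reply at all is what a secret mismatch (or a filtered UDP 3799) produces on the NAS side.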
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.