Do you see the 'RADIUS Dynamic Authorization' tab showing up in Access Tracker for clients that you expect to be CoA-ed?
It's important to understand if the CoA does not trigger, or if it doesn't work. If manual works, the chances are better that the CoA does not even trigger, in which case, going through the logs (Collect Logs), the events you are looking for are (probably, couldn't check) in the logfile postauthctrl.log. Aruba Support can assist in this as well, as reading these logfiles is not something most customers/partners are used to.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 04, 2022 07:29 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow
Hi Colin,
Yes COA is enabled and working manually from access tracker.
Scott
Original Message:
Sent: 8/4/2022 7:25:00 PM
From: cjoseph
Subject: RE: Post-Authentication Session-Check in MAC auth workflow
Do you have radius interim accounting also enabled on the NAS?
EDIT: Do you also have COA configured?
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Aug 04, 2022 06:51 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow
Hey Airheads,
I'm trying to build up a PoC which requires Guest + MAC auth but with a limitation on concurrent sessions.
Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, I have a scenario where I'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo.
So what I'm trying to do is deliver a solution where users can auth as many devices through Azure but they can only have 2-3 connected concurrently.
My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit.
Despite my best efforts I can't seem to get CPPM to take any action when too many devices are connected under one account.
Has anybody got this working? I'm playing in 6.10.5 version.
Radius accounting is enabled and can see the device records