  • 1.  Radius [ArubaOS Wireless - Terminate Session] failed

    Posted Aug 09, 2021 10:11 AM
    Edited by hysip Aug 09, 2021 10:11 AM
    Greetings,

    There might be a lot to consider with this kind of error, like correct NAD & NAS I.P and shared keys, but I already checked those multiple times and still get the same error.

    The objective is to automatically change the device role from quarantine to authenticated (and vice versa) upon OnGuard agent scan (healthy or unhealthy).

    The agent gets the correct posture, but it seems the RADIUS service doesn't trigger and the quarantine role is retained.

    Also, upon checking:
    *#show ip radius source-interface

    Global radius client source IP address = 0.0.0.0, vlan 0 (is it right to get this I.P?)

    *#show ip radius nas-ip

    RADIUS client NAS IP address = 10.x.x.x (the correct I.P of CPPM)

    Also, it seems I get no hits on 3799:

    #show firewall-cp internal |include 3799

     *#show firewall-cp internal | include 3799
    ipv4 any 17 3799 3799 Permit 0 cpbwc-ipv4-radius-ldap
    ipv6 any 17 3799 3799 Permit 0 cpbwc-ipv6-radius-ldap

    I see no blocking so far in the FW view.


    Any suggestions?

    TIA :)

    ------------------------------
    Harvey Ysip
    ------------------------------


  • 2.  RE: Radius [ArubaOS Wireless - Terminate Session] failed

    Posted Aug 09, 2021 10:27 AM
    What does the COA message in CPPM say? That should help us narrow down what could be happening.

    ------------------------------
    Brian Dempsey
    ------------------------------



  • 3.  RE: Radius [ArubaOS Wireless - Terminate Session] failed

    Posted Aug 09, 2021 06:38 PM
    Hi Brian,


    This adds up whenever the OnGuard agent scans.

    ------------------------------
    Harvey Ysip
    ------------------------------



  • 4.  RE: Radius [ArubaOS Wireless - Terminate Session] failed

    Posted Aug 09, 2021 10:30 AM
    Edited by Craig Syme Aug 09, 2021 10:31 AM

    Did you configure the RFC3576 server on the controller? 

    aaa rfc-3576-server "10.x.x.x"

    **EDIT**

    Here's a better link :)

    https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/Deploy/Aruba%20Controller%20Configuration/RFC_server_configure.htm?Highlight=coa


    ------------------------------
    Craig Syme
    ------------------------------



  • 5.  RE: Radius [ArubaOS Wireless - Terminate Session] failed
    Best Answer

    Posted Aug 10, 2021 07:18 AM
    The NAS-IP on your controller/IAP should be the IP of the controller/IP, not the CPPM. Unsure if I just mis-read it, or if you actually configured it with the CPPM IP. The CoA will go out to what is configured in the NAS-IP. Also note that if you have a Virtual IP on the ClearPass, the CoA will go out from the VIP, and the VIP should be configured as rfc3576/CoA server.

    What may help is to do a packet capture on the ClearPass (Collect Logs, enable packet capture), during that trigger a CoA and see if the CoA goes out and from/to which IPs; and if you see a reply from the controller/IAP.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
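
Added example (not from the thread participants or from Aruba): a small RADIUS decoder for UDP payloads taken from a packet capture like the one suggested in the answer above. It reads the NAS-IP-Address attribute (type 4) of an Access-Request and compares it with the packet source and the RADIUS server address, and also decodes Error-Cause (type 101) in a Disconnect-NAK; the sample packets and 192.0.2.x addresses are constructed, and `check_nas_ip` and `build` are hypothetical helper names.

```python
import socket
import struct

# RADIUS codes: Access-Request plus the dynamic-authorization codes of RFC 5176
CODES = {1: "Access-Request", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
NAS_IP_ADDRESS, ERROR_CAUSE = 4, 101  # attribute types

def parse_radius(payload):
    """Decode the RADIUS header plus NAS-IP-Address and Error-Cause, if present."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    info = {"code": CODES.get(code, str(code)), "id": ident,
            "nas_ip": None, "error_cause": None}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = payload[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            info["nas_ip"] = socket.inet_ntoa(value)
        elif atype == ERROR_CAUSE and len(value) == 4:
            info["error_cause"] = struct.unpack("!I", value)[0]
        pos += alen
    return info

def check_nas_ip(info, packet_src_ip, radius_server_ip):
    """Compare the NAS-IP-Address attribute with the addresses seen in the capture."""
    if info["nas_ip"] is None:
        return "no NAS-IP-Address attribute"
    if info["nas_ip"] == radius_server_ip:
        return "NAS-IP-Address is the RADIUS server itself"
    if info["nas_ip"] != packet_src_ip:
        return "NAS-IP-Address differs from packet source"
    return "ok"

def build(code, ident, attrs):
    """Constructed sample packet; the zeroed authenticator is not valid on the wire."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples (RFC 5737 documentation addresses): controller .10, server .20
BAD_REQ = build(1, 7, [(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.20"))])
GOOD_REQ = build(1, 8, [(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10"))])
NAK = build(42, 9, [(ERROR_CAUSE, struct.pack("!I", 503))])
```

A "differs from packet source" result is not always a fault, for example when a source interface other than the NAS IP is configured or NAT sits in the path; Error-Cause 503 in RFC 5176 is "Session Context Not Found".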



  • 6.  RE: Radius [ArubaOS Wireless - Terminate Session] failed

    Posted Aug 11, 2021 12:29 AM
    Hi Herman,

    Yes, you are correct. Changed it to controller-ip (Configuration > Authentication > Advance > RADIUS Client > NAS IPV4) and it worked.

    Thanks guys!

    ------------------------------
    Harvey Ysip
    ------------------------------