Hello guys, I have configured a Dell N2024 switch with 802.1X, authc, authz, accounting and dyn-author. On the ClearPass side I added this switch as an IETF device and created a profile named Dell CoA using the IETF CoA default from the system. Authentication works perfectly, but when I go to Change Status via Access Tracker I am unable to send any CoA actions. I removed the configuration from the switch and re-added it, but it doesn't work. The firmware in use is 18.104.22.168. Any ideas? Thank you.
I think your ClearPass configuration is fine. In the past I had lots of issues with Dell switches, and most of them were caused by the switch firmware.
I will check whether there is another firmware version.
I will let you know.
I updated the switch to the newest version and the behavior is the same.
In the packet capture I can see that the switch sends many attributes: User-Name, Calling-Station-Id, NAS-Port, NAS-IP. Do you know if CPPM needs to receive some special attribute?
I suggest doing a pcap on the switch to see whether the CoA packets that ClearPass sends are received.
When I try to do CoA via Access Tracker, I can't.
RADIUS Dyn is grayed out as in the image below:
Are you referencing a CoA type of enforcement profile? If so, please paste the screenshot.
I added this switch as IETF vendor and created CoA profiles using the IETF standard from the templates below:
Sure, so what is the enforcement profile that you use? Is it this? If not, try using it.
Yes, I used this profile but it doesn't work, so I tried to use the other profile but the behavior is the same.
Do you have accounting enabled on your switch?
Do you have Insight & Log interim accounting packets enabled on ClearPass?
If not, do so and try again. If RADIUS Dynamic Authorization is greyed out in Access Tracker, most likely there is no active session known.
Acct is enabled on the switch and in ClearPass.
See the RADIUS configuration below.
I opened a TAC case to investigate.
Hello Herman, thanks a lot. One ClearPass member had acct disabled; after enabling acct, the RADIUS CoA from the profile inside the service works.
But when I try to do CoA manually via Change Status, RADIUS Dyn-Autho is still greyed out. Any idea?
CoA is only available as an option for an (the most recent) active session. So if an automatic CoA has been sent, which triggered a new authentication, only the active session (with accounting data coming in) will have the option to do CoA. Sometimes when you are testing and have many entries in Access Tracker, it may be hard to see which is the last/active session. In general if an automatic CoA works (via Profiling tab), it should also work from Access Tracker (Change Status).
I found out what was going on. 1- The CPPM that receives authentication from the Dell switch had log interim acct disabled; after enabling it, the automatic CoA that is inside the profiling in the service tab started to work.
The manual session termination via Access Tracker --> Change Status did not work because this CPPM is in another zone (ZoneB) and I was trying to send the manual CoA through the publisher, which is in the default zone. When I log in to ZoneB's CPPM I can manually send CoA through Access Tracker --> Change Status.
Things I didn't know; I am learning.
Many thanks to everyone who took the time to help me with the case.
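For the pcap check suggested earlier in the thread, the following is an added example (not code from any poster, Aruba or Dell) that decodes a RADIUS dynamic-authorization payload per RFC 5176 and checks its Request Authenticator against the shared secret. The function names, the secret and the sample packet are constructed for illustration; feed it the UDP payload (default port 3799) exported from your capture.

```python
import hashlib, hmac, struct

# RFC 5176 packet codes and a few attribute types of the kind seen in this thread.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         31: "Calling-Station-Id", 44: "Acct-Session-Id", 101: "Error-Cause"}

def build_request(code, ident, attrs, secret):
    """Build a Disconnect/CoA request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_radius(data):
    """Split a RADIUS UDP payload into header fields and (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "authenticator": data[4:20],
            "attrs": attrs, "raw": data[:length]}

def authenticator_ok(pkt, secret):
    """True if a Disconnect/CoA *request* was signed with this shared secret."""
    raw = pkt["raw"]
    expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])

def describe(pkt):
    name = CODES.get(pkt["code"], "code %d" % pkt["code"])
    parts = ["%s=%s" % (ATTRS.get(t, "attr-%d" % t), v.decode("utf-8", "replace"))
             for t, v in pkt["attrs"]]
    return "%s id=%d %s" % (name, pkt["id"], " ".join(parts))

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed value, not from the thread
    sample = build_request(40, 7, [(1, b"alice"), (31, b"AA-BB-CC-DD-EE-FF")], secret)
    pkt = parse_radius(sample)
    print(describe(pkt), "authenticator_ok=%s" % authenticator_ok(pkt, secret))
```

A request that arrives at the switch but fails the authenticator check points to a shared-secret mismatch between the sending ClearPass node and the switch's dynamic-authorization client entry, rather than to the enforcement profile.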