Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

  • 1.  Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    Posted Mar 06, 2019 05:56 AM

    Hello,

     

    I have a problem with ClearPass when I send a RADIUS CoA to the switch. It always gives me the same error:

    0000:00:25:52.77 RAD tRadiusR:DISCONNECT REQUEST id: 7 from 10.253.27.12
    DROPPED, Invalid packet authenticator.

    I have no problem validating users through 802.1x. It works well and ClearPass validates them; however, when I send a RADIUS CoA the switch does not respond and drops the packet.

    This is what I have configured in the switch:

     

    radius-server host 10.253.27.12 encrypted-key "encripted_key"
    radius-server host 10.253.27.12 dyn-authorization
    radius-server host 10.253.27.12 time-window 0

     

    SW(config)# sh radius

    Status and Counters - General RADIUS Information

    Deadtime (minutes) : 0
    Timeout (seconds) : 5
    Retransmit Attempts : 3
    Global Encryption Key :

    Dynamic Authorization UDP Port : 3799
    Source IP Selection : 192.168.116.13
    Source IPv6 Selection : Outgoing Interface
    Tracking : Disabled

                    Auth  Acct  DM/ Time   |
    Server IP Addr  Port  Port  CoA Window | Encryption Key
    --------------- ----- ----- --- ------ + ---------------
    10.253.27.12    1812  1813  Yes 0      | encripted_key

                    Disc     Disc     Disc     CoA      CoA      CoA
    IP Address      Reqs     ACKs     NAKs     Reqs     ACKs     NAKs
    --------------- -------- -------- -------- -------- -------- --------
    10.253.27.12    12       0        0        3        0        0

    Can you help me?

     

    TY



  • 2.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    EMPLOYEE
    Posted Mar 06, 2019 06:13 AM

    Check whether the settings below are configured properly:

    • RFC server IP configuration and shared secret
    • Port 3799 is allowed
    • What type of Radius CoA template you are using?


  • 3.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    Posted Mar 11, 2019 08:09 AM

    Hi,

     

    • RFC server IP configuration and shared secret --> Yes, I can do 802.1x.
    • Port 3799 is allowed --> Yes, I receive the RADIUS CoA on the switch.
    • What type of Radius CoA template you are using? --> [ArubaOS - Terminate Session]
    • Another one --> Same NTP server

    I tried different templates for RADIUS CoA and I always receive the same error --> Invalid Packet Authenticator.



  • 4.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    EMPLOYEE
    Posted Mar 11, 2019 09:39 AM
    Looks like you want a Disconnect, not a CoA. Use the [ArubaOS Switching – Terminate Session] profile.


  • 5.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    Posted Mar 11, 2019 09:56 AM

    I want a RADIUS CoA. I use [ArubaOS Switching - Terminate Session], but I can use another one; I only want RADIUS CoA to work.

    I tried different templates but none works.



  • 6.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    EMPLOYEE
    Posted Mar 11, 2019 09:59 AM
    If you’re trying to Disconnect the user, it’s a Disconnect, not a CoA. [ArubaOS Switching - Terminate Session] is the correct enforcement profile.


  • 7.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator

    Posted Mar 13, 2019 04:19 AM

    Nice, I changed the profile; now I send a CoA but I have the same error: invalid packet authenticator.

     

     



  • 8.  RE: Aruba Switch 2530 - Error Radius Coa - Invalid packet authenticator
    Best Answer

    MVP EXPERT
    Posted Mar 06, 2019 06:20 AM

    .
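How a NAS validates the Request Authenticator of a Disconnect-Request or CoA-Request under RFC 5176, as an added example that is not part of the original thread and is not Aruba or ClearPass code. The secrets, attribute values and function names are constructed for illustration; the same check can be run over a captured request to test it against the key you believe the switch holds.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet codes
COA_REQUEST = 43

def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 section 2.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    """Build the packet the dynamic authorization client (the RADIUS server) would send."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_request(packet, secret):
    """Return (ok, reason), the decision a NAS makes before acting on the request."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "not a dynamic authorization request"
    if length < 20 or length > len(packet):
        return False, "bad length field"
    received, attrs = packet[4:20], packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(received, expected):
        return False, "invalid packet authenticator"
    return True, "ok"

def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, 2 + len(value)) + value

# Constructed sample: Disconnect-Request id 7 with User-Name (1) and Calling-Station-Id (31).
SAMPLE_ATTRS = attr(1, b"alice") + attr(31, b"00-11-22-33-44-55")
SAMPLE_PACKET = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, b"server-side-secret")

if __name__ == "__main__":
    # Same packet checked with a matching key and with a mismatched key (both constructed).
    for secret in (b"server-side-secret", b"switch-side-secret"):
        print(secret.decode(), "->", verify_request(SAMPLE_PACKET, secret))
```

Unlike an Access-Request, whose authenticator is a random value, the authenticator here is a keyed hash over the whole request, so any difference in the key or in the bytes on the wire makes the NAS drop the packet.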