Security

Yes, it will send de-auth radius packet. I have attached CPPM and Aruba wireless integration guide, which proivde basic guest regestration configuration.

Regards

Pavan

If my post address your query, give kudos:)

update your enforcement policy with Radius CoA disconnect when the the account expires.

 Aruba Wireless ACMP/ ClearPass ACCP Professional

Give Kudo give helpful

Hello

    what's the meaning of de-auth radius packet.

Is that the packet in RFC3576 , Disconnect Message ?

2.1. Disconnect Messages (DM)

A Disconnect-Request packet is sent by the RADIUS server in order to
terminate a user session on a NAS and discard all associated session
context. The Disconnect-Request packet is sent to UDP port 3799, and
identifies the NAS as well as the user session to be terminated by
inclusion of the identification attributes described in Section 3.

Chiba, et al. Informational [Page 5]
RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003

+----------+ Disconnect-Request +----------+
| | <-------------------- | |
| NAS | | RADIUS |
| | Disconnect-Response | Server |
| | ---------------------> | |
+----------+ +----------+

Ciao,

who can explain why I need to enable insight in clearpass in order to make works CoA?

Thanks

Insight is not required for RADIUS Dynamic Authorization.

Hi,

"update your enforcement policy with Radius CoA disconnect when the the account expires."

how would you do that?

Use the Guest template (Configuration >> Start Here) to create a guest service.

This will generate the necessary enforcements and you are in need of the enforcement named "xxxxx Guest Do Expire", this enforcement will take care of sending radius disconnect message to the NAS when it is applied during guest user authentication.

Note: The above enforcement takes guest expiration action based on the do_expire value associated to the guest account.

You need to navigate to ClearPass Guest >> Configuration >> Guest Manager >> Expire Action and set it to either "Delete and logout at specified time" or "Disable and logout at specified time".

The above config is global, you can modify this value in individual forms using the filed name "do_expire".

hello, 

I have a similar issue, I'm providing guest access with self-registration for a large number of users, 

results under "manage account" are different, sometimes the guest user get deleted and CoA sent to the controller once expired, in parallel, you may find another guest user remain with the expired status in Guest DB and no action triggered (delete + CoA)

any idea?