Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass Guest Role Override

  • 1.  ClearPass Guest Role Override

    Posted Jun 17, 2017 02:04 PM

    Hi all. I am wondering if someone can help me with a role override issue I am having with a Guest Self-Registration. I have a role override set on the self-registration configuration but it is not triggering a CoA to change the user's role on the controller. I have a CoA enforcement profile in my guest login policy (below) with the name exactly matching my role that I selected on the guest side in brackets. 

    Pomona-Test-EnfPolicy.jpg

    Pomona-Test-AccountOverride.jpg

    As I understand, these are the requirements for changing authorization once the account is approved. The problem is that I am not seeing any CoA sent from CPPM in Access Tracker so of course the role for the guest user is not changing. When I look in the Guest Application Log, I see the account approved and the role changed but nothing about a CoA from there either, which I would expect to see some sort of notification that the Guest module at least tried to initiate a CoA. Has anyone gotten this to function the way they want to? If so, can you see what I am missing? I am happy to include more screen shots if necessary. 



  • 2.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 19, 2017 10:59 PM

    Do you have an Aruba Change-User-Role enforcement profile built for that role?



  • 3.  RE: ClearPass Guest Role Override

    Posted Jun 21, 2017 05:37 PM

    Hi Tim. Yes, I do. Please see screen shot below. And you can see in the previous screenshot where this is being applied in the Enforcement Policy. I also have a user role on my controller called Registered-Guest. I would think that I should be able to see something in the Application Log on the Guest side when the account is approved that the CoA is triggered but I am not finding anything helpful there.

    Pomona-Test-CoA-EnfProfile.jpg



  • 4.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 21, 2017 07:39 PM

    Can you remove the brackets and try again?



  • 5.  RE: ClearPass Guest Role Override

    Posted Jun 21, 2017 08:54 PM

    Same result. The ClearPass Guest user guide does specifically say to put the role that is referenced on the guest side in brackets in the enforcement profile name. 



  • 6.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 21, 2017 08:57 PM

    Hm ok. Best to open a TAC case then.



  • 7.  RE: ClearPass Guest Role Override

    Posted Jun 21, 2017 08:59 PM

    That may be my next step but I was hoping to avoid it if possible. Does anyone have an example of a validated config where this is working as expected?



  • 8.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 21, 2017 09:10 PM
    It should be working exactly the way you have it configured.


  • 9.  RE: ClearPass Guest Role Override

    Posted Jun 21, 2017 09:13 PM

    I will try upgrading firmware to see if that helps (currently running 6.6.0). Is there anything that I should be seeing in the Guest Application Log?



  • 10.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 21, 2017 09:36 PM
    I don’t think so.


  • 11.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 22, 2017 05:23 AM

    Hi Ted,

     

    Have you enabled Radius COA in Configuration » Network » Devices > <click of NAS device> page and also have you configured Radius COA on controllers as well?

     

    Regards,

    Pavan

    If my post addresses your query give kudos:)



  • 12.  RE: ClearPass Guest Role Override

    Posted Jun 22, 2017 08:07 AM

    Yes, and I can manually trigger a CoA from Access Tracker after the user connects.



  • 13.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 22, 2017 08:30 AM

    Hi,

     

    Try once adding Frame IP in CoA service attributes and check the status.

     

    Radius:IETF  Framed-IP-Address  = %{Connection:Client-IP-Address}

     

    Are you using Radius Enforcement Generic service for CoA?

     

    Regards,

    Pavan



  • 14.  RE: ClearPass Guest Role Override

    Posted Jun 22, 2017 09:17 AM

    I was using a WEBAUTH service but have created a Generic RADIUS service with the condition that you mentioned. I am still not seeing any requests hit either service.



  • 15.  RE: ClearPass Guest Role Override

    EMPLOYEE
    Posted Jun 22, 2017 09:21 AM

    Hi,

     

    Add Frame IP along with the other attributes which you already configured in the service. If it is still not triggering CoA, please open a TAC ticket; we need to analyze logs.

     

    Regards,

    Pavan



  • 16.  RE: ClearPass Guest Role Override
    Best Answer

    Posted Jul 07, 2017 11:54 AM

    After hours of messing around with different fields and variations of this config in my lab, I found that the piece that I was missing was simply to enable RADIUS accounting for the AAA profile as well as enable logging for interim-update packets in RADIUS server service parameters in ClearPass. Since this is not mentioned in the user guide as necessary configuration, I hadn't even thought of it, but it does make sense that it would be a requirement. Hope this helps someone in the future.
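
Added example, not part of the original thread and not Aruba tooling: a small audit that checks each AAA profile in a controller running-config for the settings this thread ended up depending on. The sample config is constructed, and the ArubaOS 6.x keywords `rfc-3576-server`, `radius-accounting` and `radius-interim-accounting`, as well as treating controller-side interim accounting as required, are assumptions rather than details from the thread.

```python
import re

# Constructed sample in ArubaOS 6.x running-config style; names and IPs are made up.
SAMPLE_CONFIG = """\
aaa rfc-3576-server "192.0.2.10"
!
aaa profile "guest-broken"
   initial-role "guest-logon"
   rfc-3576-server "192.0.2.10"
!
aaa profile "guest-fixed"
   radius-accounting "clearpass-sg"
   radius-interim-accounting
   rfc-3576-server "192.0.2.10"
!
"""

# Settings to look for in each AAA profile (keywords assumed, see lead-in).
REQUIRED = {
    "rfc-3576-server": "CoA (RFC 3576) server not bound to the profile",
    "radius-accounting": "RADIUS accounting not enabled (the fix from post 16)",
    "radius-interim-accounting": "interim-update accounting not sent (assumed needed)",
}

def parse_aaa_profiles(config):
    """Return {profile_name: set of first keywords of its indented lines}."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r'^aaa profile "?([^"]+?)"?\s*$', line)
        if m:
            current = profiles.setdefault(m.group(1), set())
        elif line[:1].isspace() and current is not None and line.strip():
            current.add(line.split()[0])
        else:
            current = None  # any other top-level line ends the profile block
    return profiles

def audit(config):
    """Return {profile_name: [missing settings]} for profiles with gaps."""
    findings = {}
    for name, keywords in parse_aaa_profiles(config).items():
        missing = [k for k in REQUIRED if k not in keywords]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(REQUIRED[k] for k in missing))
```

The ClearPass half of the fix (logging interim-update packets in the RADIUS server service parameters) is a server-side setting and is not visible in the controller config this script reads.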