ClearPass + Aruba 2930f bounce port CoA OR terminate session CoA don't work

  • 1.  ClearPass + Aruba 2930f bounce port CoA OR terminate session CoA don't work

    Posted Feb 22, 2019 02:12 AM

    Hi, I have an issue with ClearPass and Aruba 2930f switch RADIUS CoA.

    When I try to bounce or terminate an 802.1X session on the switch from ClearPass, I receive these errors

    Aruba 2930f configuration

    radius-server host 192.168.77.87 key "Asdf12345"
    radius-server host 192.168.77.87 dyn-authorization
    radius-server host 192.168.77.87 time-window plus-or-minus-time-window
    radius-server host 192.168.77.87 time-window 10000
    no telnet-server
    ip default-gateway 192.168.77.253
    ip source-interface radius vlan 177
    ip client-tracker trusted

     

    aaa server-group radius "DEMO" host 192.168.77.87
    aaa accounting update periodic 3
    aaa accounting network start-stop radius server-group "DEMO"

     

    aaa authentication port-access eap-radius server-group "DEMO"
    aaa authentication mac-based chap-radius server-group "DEMO"
    aaa port-access authenticator 2
    aaa port-access authenticator active
    aaa port-access mac-based 1

    Dynamic authorization LOG

    Aruba-2930F-8G-PoEP-2SFPP(config)# show radius host 192.168.77.87 dyn-authorization

    Status and Counters - RADIUS Dynamic Authorization Information


    Authorization Client IP Address : 192.168.77.87
    Unknown PKT Types Received : 0

    Disc-Reqs                : 0    CoA-Reqs                : 3
    Disc-Reqs Authorize Only : 0    CoA-Reqs Authorize Only : 0
    Disc-ACKs                : 0    CoA-ACKs                : 0
    Disc-NAKs                : 0    CoA-NAKs                : 0
    Disc-NAKs Authorize Only : 0    CoA-NAKs Authorize Only : 0
    Disc-NAKs No Ses. Found  : 0    CoA-NAKs No Ses. Found  : 0
    Disc-Reqs Ses. Removed   : 0    CoA-Reqs Ses. Changed   : 0
    Disc-Reqs Malformed      : 0    CoA-Reqs Malformed      : 0
    Disc-Reqs Bad Authentic. : 0    CoA-Reqs Bad Authentic. : 0
    Disc-Reqs Dropped        : 0    CoA-Reqs Dropped        : 3

    Aruba-2930F-8G-PoEP-2SFPP(config)# show version

    Image stamp:
    /ws/swbuildm/rel_yakima_qaoff/code/build/lvm(swbuildm_rel_yakima_qaoff_rel_yakima)
    Nov 21 2018 05:11:34
    WC.16.08.0001
    157
    Boot Image: Primary

    Boot ROM Version: WC.16.01.0004
    Active Boot ROM: Primary

    Aruba-2930F-8G-PoEP-2SFPP(config)# show port-access clients 2 detailed

    Port Access Client Status Detail

    Client Base Details :
    Port          : 2                      Authentication Type : 802.1x
    Client Status : authenticated          Session Time        : 857 seconds
    Client name   : host/PC1.DOMAIN1.LT    Session Timeout     : 0 seconds
    MAC Address   : d4bed9-6dce74
    IP            : 192.168.77.230

    Access Policy Details :
    COS Map         : Not Defined          In Limit Kbps  : Not Set
    Untagged VLAN   : 177                  Out Limit Kbps : Not Set
    Tagged VLANs    : No Tagged VLANs
    Port Mode       : 100FDx
    RADIUS ACL List : No Radius ACL List
    Auth Order      : Not Set
    Auth Priority   : Not Set
    LMA Fallback    : D

    Aruba-2930F-8G-PoEP-2SFPP(config)# show radius

    Status and Counters - General RADIUS Information

    Dead RADIUS server are preceded by *

    Deadtime (minutes) : 0
    Timeout (seconds) : 5
    Retransmit Attempts : 3
    Global Encryption Key :
    Dynamic Authorization UDP Port : 3799
    Source IP Selection : 192.168.77.96
    Source IPv6 Selection : Outgoing Interface
    Tracking : Disabled
    Request Packet Count : 3
    Track Dead Servers Only : Disabled
    Tracking Period (seconds) : 300
    CPPM Identity :

    Auth Acct DM/ Time |
    Server IP Addr Port Port CoA Window | Encryption Key OOBM
    --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
    192.168.77.87 1812 1813 Yes 10000 | Asdf12345 No

     



  • 2.  RE: ClearPass + Aruba 2930f bounce port CoA OR terminate session CoA don't work

    Posted Dec 15, 2019 05:11 AM

    Hello Audrius,

    Were you still able to solve the issue described in this thread?

    It seems I'm having the same issue.



  • 3.  RE: ClearPass + Aruba 2930f bounce port CoA OR terminate session CoA don't work

    Posted Dec 15, 2019 10:29 AM
    Did you upgrade to the last version and run all patches? There was a bug but this is fixed with the latest patch.


  • 4.  RE: ClearPass + Aruba 2930f bounce port CoA OR terminate session CoA don't work

    Posted Dec 15, 2019 12:32 PM

    Thanks, yes, I did already install the CoA patch (and latest updates).

    I found out it is a time issue. Therefore the switch drops all CoA and Disconnects. The time between the CPPM server and the switch is the same, but nevertheless there seems to be a time gap (the time zone is correct).

    When disabling the radius time-window it's working fine.

     

        radius-server host <RADIUS-IP> time-window 0

     

    I'll do some additional testing by changing the time window in the near future. But as of now I'm happy it is solved.
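
Added example, not part of the thread and not switch firmware code: a simplified Python model of the freshness check that a RADIUS `time-window` implies, based on the Event-Timestamp attribute (type 55) that RFC 5176 uses for replay protection in CoA and Disconnect requests. The function names, the constructed packets and clock value, and the exact one-sided versus plus-or-minus comparison are assumptions made for illustration.

```python
import struct

COA_REQUEST = 43       # RFC 5176 packet code for CoA-Request
EVENT_TIMESTAMP = 55   # RFC 2869 attribute: 4-byte seconds since the epoch


def event_timestamp(packet: bytes):
    """Return the Event-Timestamp carried in a RADIUS packet, or None if absent."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == EVENT_TIMESTAMP and attr_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return None


def freshness_verdict(packet, now, window, plus_or_minus=False):
    """Assumed model of a time-window check; window 0 means no check at all."""
    if window == 0:
        return "accept (no replay check)"
    ts = event_timestamp(packet)
    if ts is None:
        return "drop (no Event-Timestamp)"
    age = now - ts  # positive: request is older than the receiver's clock
    low = -window if plus_or_minus else 0
    if low <= age <= window:
        return "accept"
    return "drop (outside window, age %+ds)" % age


def build_coa(ts=None):
    """Constructed CoA-Request: zeroed authenticator, User-Name, optional timestamp."""
    attrs = bytes([1, 5]) + b"pc1"
    if ts is not None:
        attrs += bytes([EVENT_TIMESTAMP, 6]) + struct.pack("!I", ts)
    return struct.pack("!BBH", COA_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    now = 1576413120  # constructed receiver clock value
    for ts, window in ((now - 5, 10000), (now - 10800, 10000), (None, 10000), (None, 0)):
        print(ts, window, freshness_verdict(build_coa(ts), now, window))
```

In this model a window of 0 accepts every request, including a replayed one, so the Event-Timestamp freshness check is no longer applied. Correcting the clock offset between server and switch and keeping a non-zero window retains that check.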