Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Change Status on access tracker issue?

  • 1.  Clearpass Change Status on access tracker issue?

    Posted Feb 09, 2016 04:18 PM

    I have 4 controllers set up, 2x Master in VRRP and 2 Locals, integrated with ClearPass. Now the issue is that I cannot disconnect users using the ClearPass access tracker disconnect or from active sessions on guest; it gives an error. I have configured all CoA settings on both ClearPass and the controller and all shared secrets are right, but I still have this issue. When I typed show aaa rfc on the controller it hits one of the servers, and under the bad auth tab I can see hits and on pkts dropped I can see hits, but on disconnect it is 0. So what is causing this?



  • 2.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 09, 2016 04:23 PM
    What IP address do you have defined in your CoA for ClearPass on the controller side?

    What IP address do you have defined in ClearPass for the controllers?

    How is the controller sending that request, using the VRRP IP or the controller IP address?


  • 3.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 09, 2016 04:42 PM

    What IP address do you have defined in your CoA for ClearPass on the controller side? The IP address I added in RFC 3576 on the controller is the ClearPass, with shared secret.

    What IP address do you have defined in ClearPass for the controllers? I added the controller in devices and enabled CoA.

    How is the controller sending that request, using the VRRP IP or the controller IP address? I don't know, but when I ran the command show aaa rfc statistics on the local controller where the user exists, it showed some hits under a column named bad.



  • 4.  RE: Clearpass Change Status on access tracker issue?

    EMPLOYEE
    Posted Feb 09, 2016 04:43 PM
    Add each controller along with the VIP to ClearPass as a network device.
    Be sure each ClearPass server is configured as an RFC 3576 server on the controllers.


  • 5.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 09, 2016 04:47 PM

    Dear Cappali, that is exactly what is going on now, and I'm facing this situation and don't know why. Is there any special configuration?



  • 6.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 10, 2016 05:29 AM

    The show aaa rfc stat command shows hits on bad auth and pkts dropped.

    [Attachment: CoA Issue.png]



  • 7.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 10, 2016 09:19 AM

    Like Tim mentioned, you need to do the following:

    Controller:

    (MASTER-CONTROLLER) #show aaa rfc-3576-server

    RFC 3576 Server List
    --------------------
    Name References Profile Status
    ---- ---------- --------------
    CPPM-1
    CPPM-2

    CPPM-VIP

    ClearPass:

    Configuration » Network » Devices

    Add Controller-1 Mgmt IP

    Add Controller-2 Mgmt IP

    Add Controllers-VRRP-VIP



  • 8.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 10, 2016 10:23 AM

    Do you see any error message in the Clearpass access tracker or under the Radius CoA tab?



  • 9.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 10, 2016 02:12 PM

    Go to CPPM => Administration => Server Manager => Server Configuration

    Select the server from which you are sending the COA and click "Collect Logs" at the bottom.

    This will open a new window in which you have an option called: Capture network packets, Duration of dump.

    You can leave it at 60 sec. Tick only this option and start it; meanwhile go to the access tracker and send a COA to your device's MAC.

    Now click finish and download the logs. Within this archive you will find a packetdump.cap file, and you need to open it with Wireshark.

    In Wireshark enter the following filter: udp.port==3799

    We are interested in the controller response, so you need to add a filter for source IP: ip.src==YourControllerIPAddress

    Resulting in: udp.port==3799 && ip.src==YourControllerIPAddress

    What response are you getting from the controller?

    [Attachment: Wireshark COA.png]



  • 10.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 12, 2016 05:28 AM

    Dears, I have done all of this: adding all CPPMs and also their VIP on the controller under RADIUS and RFC, and on ClearPass I have added all controllers and the VRRP as well. I checked the Authentication Advanced tab on each controller and found that the IP that exists there is the VRRP IP. Now the error message shown on the access tracker is

    Session-Context-Not-Found



  • 11.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 12, 2016 06:38 AM

    For testing, you may remove the NAS IP (i.e. VRRP) address in the Authentication --> Advanced tab in the controller. Terminate a client on that controller and try to disconnect from the ClearPass access tracker.

     

    ClearPass attempts to send CoA to Radius NAS-IP address in the Radius-Input attributes in access tracker and if it is a VRRP, then controller may return 'Session context not found' for a CoA Request.
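    As an added example (not code from any poster in this thread), the following Python decodes the controller reply that posts 9 and 11 describe: the Disconnect/CoA response seen on UDP 3799 in the Wireshark capture, and the RFC 5176 Error-Cause attribute that carries "Session Context Not Found". The packet bytes are constructed inline with a zeroed authenticator; the ERROR_CAUSES table is a subset of the RFC values.

```python
import struct

# RADIUS packet codes used by Dynamic Authorization (RFC 5176).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE_TYPE = 101          # Error-Cause attribute, 4-byte integer value
ERROR_CAUSES = {                # subset of RFC 5176 section 3.5 values
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    501: "Administratively Prohibited",
    503: "Session Context Not Found",      # the error seen in post 10
    504: "Session Context Not Removable", 506: "Resources Unavailable",
}

def parse_attributes(payload):
    """Walk the attribute list; each attribute is type(1) length(1) value."""
    attrs = []
    while payload:
        if len(payload) < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[0], payload[1]
        if alen < 2 or alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[2:alen]))
        payload = payload[alen:]
    return attrs

def decode_coa_reply(pkt):
    """Return (code name, Error-Cause text or None) for a dynauth reply."""
    if len(pkt) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    cause = None
    for atype, value in parse_attributes(pkt[20:length]):
        if atype == ERROR_CAUSE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            cause = ERROR_CAUSES.get(num, "Error-Cause %d" % num)
    return CODES.get(code, "code %d" % code), cause

def build_reply(code, ident, error_cause=None):
    """Build a constructed reply (zeroed authenticator) for offline testing."""
    attrs = b""
    if error_cause is not None:
        attrs = struct.pack("!BBI", ERROR_CAUSE_TYPE, 6, error_cause)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: the NAK a controller returns when the NAS-IP in the
# request (here the VRRP address) does not hold the client's session.
SAMPLE_NAK = build_reply(42, 7, 503)
```

    Feeding the UDP payload exported from the packetdump.cap capture into decode_coa_reply gives the same answer the Wireshark filter shows, without needing the GUI.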



  • 12.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 12, 2016 07:49 AM
    What COA are you sending? [Aruba Terminate Session]? Have you added any attributes to the enf profile, or is it default?


  • 13.  RE: Clearpass Change Status on access tracker issue?

    Posted Feb 13, 2016 01:21 AM

    Dears,

    I have done that, changing the IP address of the NAS from the VRRP IP to the controller's own IP, and this got me to another error on access tracker. And yes, I'm using Aruba Terminate Session.