All-Decade MVP 2020

Clearpass Change Status on access tracker issue?

I have 4 controllers set up, 2x Master in VRRP and 2 Locals, integrated with ClearPass. Now the issue is I cannot disconnect users using the ClearPass Access Tracker disconnect or from the active sessions on Guest; it gives an error. I have configured all CoA settings on both ClearPass and the controller, and all shared secrets are right, but I still have this issue. When I typed show aaa rfc on the controller, it hits one of the servers, and under the bad auth tab I can see hits and on pkt dropped I can see hits, but on disconnect it is 0. So what is causing this?

MVP Expert

Re: Clearpass Change Status on access tracker issue?

What IP address do you have defined in your CoA for ClearPass on the controller side?

What IP address do you have defined in ClearPass for the controllers?

How's the controller sending that request, using the VRRP IP or the controller IP address?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
All-Decade MVP 2020

Re: Clearpass Change Status on access tracker issue?

What IP address do you have defined in your CoA for ClearPass on the controller side? The IP address I added in RFC 3576 on the controller is the ClearPass with shared secret.

What IP address do you have defined in ClearPass for the controllers? I added the controller in Devices and enabled CoA.

How's the controller sending that request, using the VRRP IP or the controller IP address? I don't know, but when I ran the command show aaa RFC statistics on the local controller where the user exists, it shows some hits under the column named bad

Moderator

Re: Clearpass Change Status on access tracker issue?

Add each controller along with the VIP to ClearPass as a network device.
Be sure each ClearPass server is configured as an RFC 3576 server on the controllers.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

All-Decade MVP 2020

Re: Clearpass Change Status on access tracker issue?

Dear Cappalli, that is exactly what is ongoing now, and I'm facing the situation and don't know why. Is there any special configuration?

All-Decade MVP 2020

Re: Clearpass Change Status on access tracker issue?

The show aaa rfc stat command shows hits coming on bad auth and pkts dropped.

 

CoA Issue.png

MVP Expert

Re: Clearpass Change Status on access tracker issue?

Like Tim mentioned, you need to do the following:

 

Controller:

(MASTER-CONTROLLER) #show aaa rfc-3576-server

RFC 3576 Server List
--------------------
Name References Profile Status
---- ---------- --------------
CPPM-1
CPPM-2
CPPM-VIP


ClearPass:

Configuration » Network » Devices

Add Controller-1 Mgmt IP

Add Controller-2 Mgmt IP

Add Controllers-VRRP-VIP

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba Employee

Re: Clearpass Change Status on access tracker issue?

Do you see any error message in the Clearpass access tracker or under the Radius CoA tab?


Re: Clearpass Change Status on access tracker issue?

Go to CPPM => Administration => Server Manager => Server Configuration

Select the server from which you are sending the CoA and click "Collect Logs" at the bottom.

This will open a new window in which you have an option called: Capture network packets Duration of dump

You can leave it at 60sec. Tick only this option and start it; meanwhile, go to the Access Tracker and send a CoA to your device's MAC.

Now click Finish and download the logs. Within this archive you will find a packetdump.cap file, and you need to open it with Wireshark.

In Wireshark enter the following filter: udp.port==3799

We are interested in the controller response, so you need to add a filter for source IP: ip.src==YourControllerIPAddress

Resulting in: udp.port==3799 && ip.src==YourControllerIPAddress

What response are you getting from the controller?

Wireshark COA.png

ACCX #1137, ACMP, BCNE
Satori Internetworking
https://www.netsatori.com/
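
Added example, not part of any poster's reply: a small Python decoder for the UDP 3799 payloads that the filter above isolates. It names the RFC 5176 packet code and Error-Cause in the controller's reply and recomputes the Request Authenticator against a shared secret. The packet bytes, MAC address and secrets are constructed samples, and `build` is a hypothetical helper used only to create them.

```python
import hashlib, hmac, struct

# RFC 5176 dynamic-authorization packet codes
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Selected RFC 5176 Error-Cause (attribute 101) values
ERROR_CAUSES = {401: "Unsupported Attribute", 403: "NAS Identification Mismatch",
                404: "Invalid Request", 503: "Session Context Not Found"}

def parse(packet):
    """Return (code, authenticator, [(attr_type, value), ...], raw_packet)."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("truncated packet or bad length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return packet[0], packet[4:20], attrs, packet[:length]

def request_auth_ok(packet, secret):
    """Recompute MD5(header + 16 zero bytes + attributes + secret) and compare."""
    _, auth, _, raw = parse(packet)
    digest = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
    return hmac.compare_digest(digest, auth)

def describe(packet):
    """Name the packet code and, if present, the Error-Cause the NAS returned."""
    code, _, attrs, _ = parse(packet)
    name = CODES.get(code, "code %d" % code)
    for atype, value in attrs:
        if atype == 101 and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            return "%s: %s (%d)" % (name, ERROR_CAUSES.get(cause, "unlisted cause"), cause)
    return name

def build(code, ident, attrs, secret=None):
    """Hypothetical helper: build a sample packet (zero authenticator if no secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest() if secret else bytes(16)
    return head + auth + body

# Constructed samples: a Disconnect-Request keyed on Calling-Station-Id (31) and a NAK reply
REQUEST = build(40, 7, [(31, b"AA-BB-CC-DD-EE-FF")], secret=b"example-secret")
NAK = build(42, 7, [(101, struct.pack("!I", 503))])
```

To use it on a real capture, copy the RADIUS payload bytes of one packet out of Wireshark and pass them to `describe`, or to `request_auth_ok` together with the secret configured on the receiving side.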
All-Decade MVP 2020

Re: Clearpass Change Status on access tracker issue?

Dears, I have done all of this: on the controller I added all CPPMs and also their VIP on RADIUS and RFC; on ClearPass I have added all controllers and the VRRP as well. I checked the Authentication Advanced tab on each controller and found that the IP that exists is the VRRP IP, and now the error message shown on Access Tracker is

Session-Context-Not-Found

 
