Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

  • 1.  Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 09:56 AM

    Hello all,

    In order to implement a wired guest service, we are currently trying to initiate a CoA Port Bounce on an HPE Aruba 2930M Stack with WC.16.09.0004 installed. ClearPass is running version 6.8.3.110034 on the C2000V platform.

     

    Troubleshooting done so far:

    - Both CPPM and Switch are running NTP.

    - Switchconfig was checked with this guide: http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html#s_Configuring_the_switch_to_access_a_RADIUS_server

    - Switch is added as NAD with vendor Hewlett-Packard-Enterprise
    - Standard-CoA-Port 3799 is used


    Switchconfig:

    radius-server host X.12 key XXX

    radius-server host X.12 dyn-authorization
    radius-server host X.12 time-window plus-or-minus-time-window
    radius-server host X.12 time-window 0

     


    Please help: why are we receiving the following error message when trying to send a CoA?
    Radius [ArubaOS Switching - Bounce Switch Port] failed for client 48XXXfXX. Unsupported-Attribute.


     



  • 2.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 10:05 AM
    Are you using a VIP in ClearPass?

    Please confirm that the time matches between CPPM and the switch.



  • 3.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 10:28 AM

    Hello Victor,

    thanks for the immediate reply :)

     

    Actually the times match, because both devices are using NTP to synchronize against our AD-Servers.




  • 4.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 10:32 AM
    Are you using a VIP in ClearPass?



    Thank you

    Victor Fabian



  • 5.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute
    Best Answer

    EMPLOYEE
    Posted Nov 08, 2019 12:27 PM

    This is a bug in 6.8.3. A hotfix will be released next week to address this issue. 

     

    A note was added to the download shortly after it was discovered and it is in the release notes: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.3/Default.htm#WhatsNew/KnownThisRls.htm#known_35984




  • 6.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 12:32 PM

    Hello Victor,

     

    No - we are not using VIP even though we have a Clearpass-Cluster. This is because we are not L2-Connected between the nodes.

    In the switch there are both CPPM-Nodes configured as radius hosts and we do the failover via the switch logic.

     

    We are currently doing some Wireshark captures and we can see that CPPM is correctly sending the CoA but the switch is returning the CoA-NAK.
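
A CoA-NAK like the one seen in the capture above can be decoded offline to read its Error-Cause attribute and to check that the reply really came from a holder of the shared secret. This is an added example, not part of the original thread and not HPE Aruba code; the packet bytes, shared secret and function names are constructed for illustration, and it assumes the "Unsupported-Attribute" text ClearPass reports corresponds to RFC 5176 Error-Cause 401.

```python
import hashlib
import hmac
import struct

CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE_TYPE = 101  # Error-Cause attribute, RFC 5176
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                403: "NAS Identification Mismatch", 404: "Invalid Request",
                407: "Invalid Attribute Value", 503: "Session Context Not Found"}

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into its header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured data")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, f"code {code}"), "id": ident, "attrs": attrs}

def error_cause(packet: bytes):
    """Return 'number (name)' for the Error-Cause in a NAK, or None if absent."""
    for a_type, value in parse_radius(packet)["attrs"]:
        if a_type == ERROR_CAUSE_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            return f"{number} ({ERROR_CAUSES.get(number, 'not in table')})"
    return None

def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])

# Constructed sample: a CoA-NAK (id 7) carrying Error-Cause 401, not a real capture.
SAMPLE_SECRET = b"example-secret"       # placeholder shared secret
SAMPLE_REQUEST_AUTH = bytes(range(16))  # placeholder authenticator of the CoA-Request
_attrs = bytes([ERROR_CAUSE_TYPE, 6]) + struct.pack("!I", 401)
_header = struct.pack("!BBH", 45, 7, 20 + len(_attrs))
SAMPLE_NAK = _header + hashlib.md5(
    _header + SAMPLE_REQUEST_AUTH + _attrs + SAMPLE_SECRET).digest() + _attrs

if __name__ == "__main__":
    print(parse_radius(SAMPLE_NAK)["code"], error_cause(SAMPLE_NAK))
```

To use it on a real capture, export the UDP payload of the NAK and the 16-byte authenticator of the matching CoA-Request from Wireshark and pass them in place of the constructed sample values.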



  • 7.  RE: Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

    Posted Nov 08, 2019 01:04 PM
    Tim just indicated that there’s a bug in the version you are running.
