Contributor I

Clearpass CoA Bounce with ArubaOS Switch - Unsupported Attribute

Hello all,

In order to implement a wired guest service, we are currently trying to initiate a CoA Port Bounce on an HPE Aruba 2930M Stack with WC.16.09.0004 installed. ClearPass is running version 6.8.3.110034 on the C2000V platform.

 

Troubleshooting done so far:

- Both CPPM and Switch are running NTP.

- Switchconfig was checked with this guide: http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html#s_Configuring_the_switch_to_access_a_RADIUS_server

- Switch is added as NAD with vendor Hewlett-Packard-Enterprise
- Standard-CoA-Port 3799 is used


Switchconfig:

radius-server host X.12 key XXX

radius-server host X.12 dyn-authorization
radius-server host X.12 time-window plus-or-minus-time-window
radius-server host X.12 time-window 0

 

Screenshots:


Please help: why are we receiving the following error message when trying to send a CoA?
Radius [ArubaOS Switching - Bounce Switch Port] failed for client 48XXXfXX. Unsupported-Attribute.


 

MVP Guru

Re: Clearpass CoA Bounce with ArubaOS Switch

Are you using a VIP in ClearPass?

Please confirm that the time matches between CPPM and the Switch

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I

Re: Clearpass CoA Bounce with ArubaOS Switch

Hello Victor,

Thanks for the immediate reply :)

 

Actually the times match, because both devices are using NTP to synchronize against our AD-Servers.

Here are some screenshots:


MVP Guru

Re: Clearpass CoA Bounce with ArubaOS Switch

Are you a VIP in ClearPass?




Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Clearpass CoA Bounce with ArubaOS Switch

This is a bug in 6.8.3. A hotfix will be released next week to address this issue. 

 

A note was added to the download shortly after it was discovered and it is in the release notes: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.3/Default.htm#WhatsNew/KnownThisRls.htm#known_35984



| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Clearpass CoA Bounce with ArubaOS Switch

Hello Victor,

 

No - we are not using VIP even though we have a Clearpass-Cluster. This is because we are not L2-Connected between the nodes.

In the switch there are both CPPM-Nodes configured as radius hosts and we do the failover via the switch logic.

 

We are currently doing some Wireshark and we can see that CPPM is correctly sending the CoA but the switch is returning the CoA-NAK:

 

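An added example, not part of any post in this thread: RFC 5176 carries the reason for a CoA-NAK in the Error-Cause attribute (type 101), and value 401 is "Unsupported Attribute", the same wording as the error reported in the first post. The sketch below parses a RADIUS datagram as exported from a capture and returns that reason; the sample packet is constructed for illustration and is not the one from the poster's Wireshark trace.

```python
import struct

# RFC 5176 packet codes for dynamic authorization
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE_TYPE = 101  # RFC 5176 Error-Cause attribute
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                403: "NAS Identification Mismatch", 404: "Invalid Request",
                405: "Unsupported Service", 406: "Unsupported Extension",
                407: "Invalid Attribute Value", 501: "Administratively Prohibited",
                503: "Session Context Not Found", 506: "Resources Unavailable"}


def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and attribute TLVs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not fit the datagram")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, f"code {code}"), "id": ident, "attrs": attrs}


def error_cause(packet: bytes):
    """Return (number, name) from the Error-Cause attribute, or None if absent."""
    for a_type, value in parse_radius(packet)["attrs"]:
        if a_type == ERROR_CAUSE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            return num, ERROR_CAUSES.get(num, "unknown")
    return None


# Constructed sample, not taken from the thread's capture: a CoA-NAK (code 45)
# with a zeroed authenticator and a single Error-Cause attribute set to 401.
SAMPLE_NAK = (struct.pack("!BBH", 45, 7, 26) + bytes(16)
              + struct.pack("!BBI", ERROR_CAUSE_TYPE, 6, 401))

if __name__ == "__main__":
    print(parse_radius(SAMPLE_NAK)["code"], error_cause(SAMPLE_NAK))
```

The parser does not verify the Response Authenticator, which would need the shared secret and the authenticator of the matching CoA-Request.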

MVP Guru

Re: Clearpass CoA Bounce with ArubaOS Switch

Tim just indicated that there’s a bug in the version you are running

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA