Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass CoA Problem

  • 1.  Clearpass CoA Problem

    Posted Feb 10, 2014 02:36 PM

    Guys, there have been plenty of posts about this. I have an issue where I cannot make a CoA from CPPM to a controller - just to disconnect.

    This is for guests at present and using MAC auth.

    I have:

    • Made sure my RFC 3576 servers are defined with the correct PSKs
    • Associated my RFC 3576 servers with the right AAA profile
    • Tried to make sure the RADIUS client (Aruba MC) is calling in on the right IP addresses (reference NAS IP addresses)
    • Checked with an AAA debug - just to make sure that my AAA server configuration is correct
    • Made sure routing is OK between devices
    • Checked the MAC addresses are correct on CPPM and the controller
    • Clicked on a record under Access Tracker, then RADIUS CoA, then Change Status, then [Aruba Terminate Session]
    • Even copied the [Aruba Terminate Session] enforcement profile and modified the copy

    I cannot understand what is failing here. If the packet contents need to contain the MAC address, the RADIUS PSK is correct (as far as I can tell, as I do not know the debug for this) and the routing is also good, surely everything is in place to relay the relevant data between the devices for it to act on this disconnect?

    Messages:

    "Failed to contact Access Control Service"

    At a loss.... any help gratefully received... failing that, it'll be a TAC.

    Thanks in advance everyone.



  • 2.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 02:37 PM

    Oh yeah - no firewalls or ACLs in between either.



  • 3.  RE: Clearpass CoA Problem

    EMPLOYEE
    Posted Feb 10, 2014 02:43 PM

    A couple of things:

    1. Check the application log on the CPGuest side to see if there are any errors.

    2. I've seen issues if you don't have "add IP" in the redirect.

    [Screenshot: ipredirect.png]



  • 4.  RE: Clearpass CoA Problem

    Posted Mar 05, 2014 09:08 AM

    Excellent. I was having the same problem. The "add switch IP in the URL" option solves everything!!



  • 5.  RE: Clearpass CoA Problem

    Posted Feb 11, 2015 02:03 AM

    Sorry for bumping this thread back alive.

    I'm having the same problem you guys explained in this thread, but my CoA is still not working, with exactly the same error as Nik.



  • 6.  RE: Clearpass CoA Problem

    Posted Feb 15, 2015 07:48 AM

    I would advise you to start your own thread. Even though your error is the same, your setup probably isn't.

    So: new thread, explain your full setup - controller(s), ClearPass, services and what exactly you try.



  • 7.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 02:44 PM

    Maybe a packet-capture on the controller might shed some light on this issue:

     

    Via CLI, not in configure mode:

     

    packet-capture controlpath udp 3799
    packet-capture destination local-filesystem

     

    You can get the PCAP if you pull a logs.tar from the controller.



  • 8.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:09 PM

    OK, so I did not have the "Add switch IP address in the redirection URL" ticked - so that is ticked now. I see the logic there, and I should have had that on, as I have a multi-controller environment.

    However, no difference is seen: same error on CPPM, "failed to connect to ACS device".

    On the other hand I did take a pcap - useful tip there Arjan, thanks - and I do see the CoA packet come in - 6 in fact, and 2 reporting to be duplicates. Presumably "3 tries and you're out" kind of attempts. I see the right MAC address in the packet too - but it is represented in upper case with no delimiters between octets in the MAC address.

    I did see the CoA call in with a datapath session table command before, but not to this detail - it is reassuring that the MAC is right in the packet payload as well as the source and destination.

    Thank you both for your help - is there any way to determine - out of sheer paranoia - that the PSKs in the RFC 3576 servers are OK?

    I can't help thinking I have missed something basic here. I have used Amigopod before but never had this problem.



  • 9.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:10 PM

    sorry should say "failed to contact access control service"



  • 10.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:18 PM

    You can see the PSKs via the CLI:

    encrypt disable
    show aaa rfc-3576-server 1.1.1.1

    Do you have any firewall policies active on the controller that might block outgoing traffic from the controller? Either on the physical interface or using the "firewall-cp" feature (added in ArubaOS 6.3).



  • 11.  RE: Clearpass CoA Problem

    EMPLOYEE
    Posted Feb 10, 2014 03:20 PM

    Do you have RADIUS CoA ticked in NAD configuration in ClearPass?

     

    [Screenshot: enable-radius-coa-nad.png]



  • 12.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:29 PM

    Hi Tim,

    Yes, that's ticked - I found that when it was not ticked the CoA radio button was greyed out.

    But yes, that's all there, thanks.

    Really appreciate all this help, chaps.



  • 13.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:46 PM
    Can you please check the following?

    show ip radius source-interface
    show ip radius nas-ip

    What do you have set for your controller IP? Loopback, VLAN or VRRP IP?


  • 14.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 05:05 PM
    (ldnwcmc1) #show ip radius source-interface
    
    Global radius client source IP address = 172.29.234.6, vlan 200
    Global radius client source IPv6 address = ::, vlan 0
    Per-server client source IPv4/6 addresses:
    
    (ldnwcmc1) #show ip radius nas-ip
    
    RADIUS client NAS IP address = 172.29.234.5
    RADIUS client NAS IPv6 address = ::1
    
    (ldnwcmc1) #

     



  • 15.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 09:16 PM
    Make sure that both of those values match, and also that you have the same value on your CPPM server.

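    Added example, not code from any poster in this thread and not ClearPass or ArubaOS code: a small Python script that encodes an RFC 5176 Disconnect-Request (the packet a RADIUS "terminate session" CoA sends on UDP 3799, the port the packet-capture above filters on) and then checks a captured request for the three things this thread ends up chasing: whether the Request Authenticator verifies under the configured shared secret (the "sheer paranoia" PSK question, otherwise answered with `encrypt disable` on the controller), whether NAS-IP-Address agrees with the controller's configured NAS IP (the `show ip radius nas-ip` comparison just above), and whether Calling-Station-Id carries the MAC in the upper-case, undelimited form the poster saw in the pcap. Assumptions: the attribute set (NAS-IP-Address, Calling-Station-Id, Event-Timestamp) is an illustrative minimum, not what CPPM actually sends; the secret is invented and the 172.29.234.x addresses and the client MAC are reused from the thread only as sample values; nothing here claims how ArubaOS matches the request to a session beyond what the thread shows.

```python
"""Build and check RFC 5176 Disconnect-Request packets (RADIUS CoA "terminate session").

Added example for this thread; not CPPM or ArubaOS code. The attribute set, the
shared secret and the sample addresses are assumptions, not captured values.
"""
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet code (CoA-Request is 43)
ATTR_NAS_IP_ADDRESS = 4          # RFC 2865 attribute types
ATTR_CALLING_STATION_ID = 31
ATTR_EVENT_TIMESTAMP = 55
HEADER_LEN = 20                  # code, identifier, length, 16-byte authenticator


def normalise_mac(mac):
    """Return the MAC the way the thread's capture showed it: upper case, no delimiters."""
    digits = "".join(ch for ch in mac if ch not in ":-. ")
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits.upper()


def _attr(attr_type, value):
    """Encode one RADIUS TLV: type (1 byte), length incl. header (1 byte), value (<=253)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier, secret, nas_ip, mac, timestamp):
    """Encode a Disconnect-Request as the RADIUS server (CPPM side) would send it."""
    attrs = (_attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(ATTR_CALLING_STATION_ID, normalise_mac(mac).encode("ascii"))
             + _attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", timestamp)))
    head = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    # RFC 5176 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def parse_attributes(packet):
    """Return (code, identifier, {attr_type: [value, ...]}); raise on a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(packet)))
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, attrs


def secret_matches(packet, secret):
    """True if the Request Authenticator verifies under `secret` (the PSK check)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def diagnose(packet, secret, nas_ip, mac):
    """Compare a captured request with the controller-side configuration; list mismatches."""
    findings = []
    code, _identifier, attrs = parse_attributes(packet)
    if code != DISCONNECT_REQUEST:
        findings.append("packet code %d is not a Disconnect-Request (40)" % code)
    if not secret_matches(packet, secret):
        findings.append("Request Authenticator does not verify: shared secret mismatch")
    seen_ips = [str(ipaddress.IPv4Address(v))
                for v in attrs.get(ATTR_NAS_IP_ADDRESS, []) if len(v) == 4]
    if seen_ips and nas_ip not in seen_ips:
        findings.append("NAS-IP-Address %s != controller NAS IP %s" % (seen_ips, nas_ip))
    seen_macs = [v.decode("ascii", "replace") for v in attrs.get(ATTR_CALLING_STATION_ID, [])]
    if normalise_mac(mac) not in seen_macs:
        findings.append("Calling-Station-Id %s != expected %s" % (seen_macs, normalise_mac(mac)))
    return findings


if __name__ == "__main__":
    # Sample values: NAS IP and client MAC reused from the thread, secret invented.
    pkt = build_disconnect_request(1, b"correct-psk", "172.29.234.5",
                                   "40:6f:2a:37:38:d5", 1391889408)
    print("PSK ok:", secret_matches(pkt, b"correct-psk"))
    print("wrong PSK and source/NAS IP mix-up:",
          diagnose(pkt, b"wrong-psk", "172.29.234.6", "40-6f-2a-37-38-d5"))
```

    To use it on a real capture, pull the UDP 3799 payload out of the controller's pcap and pass those bytes to `diagnose` with the secret from `show aaa rfc-3576-server`; a secret mismatch shows up as an authenticator failure, and a NAS IP that differs from `show ip radius nas-ip` shows up as the second finding.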

  • 16.  RE: Clearpass CoA Problem

    Posted Feb 11, 2014 03:01 AM

    Thanks Victor,

    I have changed these values, now they match.

    I am opening a TAC.

    Thanks



  • 17.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:27 PM

    Arjan - yes of course - I decrypted the PSKs, but they do seem to be in good order and correct.

    I do not have FW policies applied - all interfaces are trusted, and I did look at the - I guess - control plane FW policy.

    When I grep it for 3799 I see ACL hits on a permit for UDP (I truncated the output below) - not sure if relevant?

    (ldnwcmc1) #show firewall-cp internal
    
    CP firewall policies
    --------------------
    IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Permit/Deny  hits  contract
    ----------  ---------  -----------  --------  ----------  --------  -----------  ----  --------
    ipv4        any                     17        3799        3799      Permit       116
    ipv6        any                     17        3799        3799      Permit       0

     



  • 18.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 03:19 PM

    Checked the app logs on CPGuest.

    They make reference to what looks like the same error, but represented in a PHP call into CPPM using the same default enforcement profile as I am using in CPPM:

    disconnecting the session 
    
    Client:    10.11.160.56:64790
    App User:  sheridannet
    Script:    /guest/guest_sessions.php
    Function:  NwaGuestManager_GuestSessions_Disconnect
    Arguments: array (
      'error' => 1,
      'message' => '{"content": {"cnc_actions": [{"status_message": "Radius [Aruba Terminate Session] failed for client 406f2a3738d5", "id": 1}]}, "id": "R000001fa-04-52f92f9d", "name": "cnc_response"}',
    )

     



  • 19.  RE: Clearpass CoA Problem

    Posted Feb 10, 2014 04:57 PM
    Hi, sorry, I am on an awkward time zone. I am using a VRRP address and will provide output from the command tomorrow UK time.

    Thanks again all


  • 20.  RE: Clearpass CoA Problem

    Posted Feb 11, 2014 07:59 AM
    I have made a grave mistake here and as a punishment I will post a diagram of my configuration with all the great feedback I got from all you good folks!!!!!

    We are now working!!!!


  • 21.  RE: Clearpass CoA Problem

    Posted Feb 19, 2014 01:49 PM

    Hi Nok,

    Could you please post what you did to make things happy?

    Mike



  • 22.  RE: Clearpass CoA Problem

    Posted Feb 19, 2014 01:50 PM

    sorry, I meant "Nik" !!

     

    Mike



  • 23.  RE: Clearpass CoA Problem
    Best Answer

    Posted Feb 21, 2014 01:58 AM
    After all that digging about: I had changed the IP address of the RFC 3576 servers several times in deployment, and I had entered the wrong IP addresses under the RFC 3576 servers. I got totally lost in details. Yes, I am an idiot. I will post up a diagram too as promised. I was hoping no one would press me for an answer. ;) As soon as I got someone else to look at it with a fresh pair of eyes they spotted it immediately. I laughed, as there was little else I could do. ;) Well, I suppose I could have cried also?


  • 24.  RE: Clearpass CoA Problem

    Posted Feb 21, 2014 02:01 AM
    I would also say that the matter if source IP addresses in radius was especially relevant as the source IP address as explained above is unique to the controller even when in a master local deployment like mine - and this was also key in getting this problem straightened out.