Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass didn't trigger CoA after GuestUser expiry

  • 1.  ClearPass didn't trigger CoA after GuestUser expiry

    Posted Nov 01, 2018 09:41 AM

    Need help!!

    Setup: ClearPass + Cisco 2960 switch. Captive-portal-based authentication for LAN users connected to the Cisco switch.

    Problem: After a guest user expires, ClearPass is not triggering a CoA action (when checked in the Access Tracker tab, there is no CoA). But when manually triggering CoA (Cisco Terminate Session), CoA works and the client gets disconnected.

    More details: Using the Wired Enforcement Policy document, I created a service with 'Allow all mac auth' + 'web auth' for a guest-based solution for LAN users. The user is initially allowed with MAC auth and given a redirect URL, followed by the web auth service to validate guest credentials and update the Endpoint with username and role. Detailed screenshots attached.

    Checklist:

    • Insight, accounting interim packets -> enabled
    • RADIUS CoA enabled in device page
    • Expire post login, do expire policies added
    • Authorization in service -> all databases added
    • Guest > Configuration > Authentication settings > Selected NAS type as "Cisco Systems (RFC 3576)"

    Please suggest any tips :)

    Access Tracker logs, one user:

    ac1.JPG ac2.JPG ac3.JPG ac4.JPG ac5.JPG ac6.JPG ac7.JPG ac8.JPG

    Thanks

    Sairam



  • 2.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    EMPLOYEE
    Posted Nov 01, 2018 09:45 AM
    Do you have Insight enabled in the cluster?


  • 3.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    Posted Nov 01, 2018 01:16 PM
    Yes @cappalli. Any other tips to try?


  • 4.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    EMPLOYEE
    Posted Nov 01, 2018 01:19 PM
    Best to work with Aruba TAC.


  • 5.  RE: ClearPass didn't trigger CoA after GuestUser expiry
    Best Answer

    Posted Nov 01, 2018 07:27 PM

    Is a CoA needed for this?

    As far as I remember, ClearPass will set the dot1x session timeout to match the remaining time until guest expiration. I remember seeing that under the SQL query for the guest user source.

    The NAD would then force a reauth after expiration, without any CoA.

    But for that to work, the Catalyst must be set to use the AAA-server-provided session timeout, which I think is not the default setting.
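    The switch-side setting this answer refers to, as an added example that is not part of the thread: a legacy (IBNS 1.0) Catalyst access-port configuration that makes the switch honour the RADIUS Session-Timeout ClearPass returns (the remaining guest lifetime), plus the dynamic-authorization block that lets ClearPass send RFC 3576 CoA/Disconnect messages when it does need to. The interface name, VLAN, ClearPass address (192.0.2.10) and shared key are placeholders; the rest of the switch's AAA configuration (RADIUS server group, authentication/authorization method lists) is assumed to exist already.

    ```cisco
    ! Global: accept RFC 3576 CoA / Disconnect-Request from ClearPass.
    ! The address and key are placeholders; the key must match the device entry in ClearPass.
    aaa new-model
    aaa server radius dynamic-author
     client 192.0.2.10 server-key CHANGE-ME
     auth-type any
    !
    ! Access port: MAB first (redirect to the captive portal), dot1x as fallback.
    ! "authentication periodic" enables reauthentication at all;
    ! "authentication timer reauthenticate server" makes the interval come from
    ! the RADIUS Session-Timeout instead of a local timer, so an expired guest is
    ! reauthenticated (or terminated, per the Termination-Action the server sends)
    ! without any CoA being sent.
    interface GigabitEthernet1/0/1
     switchport mode access
     switchport access vlan 100
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     spanning-tree portfast
    !
    ! Check: the session should report its timeout as server-supplied, counting down.
    ! show authentication sessions interface GigabitEthernet1/0/1 details
    ```

    If the `show authentication sessions ... details` output reports a local or disabled timer rather than a server-supplied one, the Session-Timeout from ClearPass is being ignored and the guest stays connected past expiry exactly as described in this thread. Switches running IBNS 2.0 (`policy-map type control subscriber`) express the same settings in a different syntax; this example covers only the legacy style.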



  • 6.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    Posted Jan 03, 2019 02:41 PM

    Hi, I have the same problem with no CoA after user account expiration. Using the dot1x timeout is fine, but sometimes I need to change the expiration of an account while the user is logged in (shorten the expiration time). How can I log out the user from the switch when the shortened expiration time is reached?

    When I set the expiration time to "now" then it works OK: ClearPass sends a CoA, and the user is redirected back to the captive portal. Also, when I log out the user from the active session, reauthentication occurs.



  • 7.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    Posted Jan 04, 2019 12:32 AM

    PiotrC,

     

    Create a new Endpoint Update enforcement and use the 'Expire-Time-Update' attribute.

     

    Capture.JPG



  • 8.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    Posted Jan 04, 2019 02:40 AM

    I have configured that profile:

    enforcement-profile_expire-update.png

    But how to trigger that? Will it be triggered automatically after changing the account expiration? Now I use this profile in the MAC auth enforcement policy: enforcement_policy.png

    Now I have tried to create a guest account with the expiration time set to 5 minutes after creating the account. After user login the endpoint was updated with the correct expiry time, but after expiration of the account there is no action; the user is still connected to the network.



  • 9.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    EMPLOYEE
    Posted Jan 04, 2019 07:24 AM

    Is RADIUS CoA enabled in CPPM, and is the CPPM server also added as an RFC server on the controller?

    communitry.PNG



  • 10.  RE: ClearPass didn't trigger CoA after GuestUser expiry

    Posted Jan 04, 2019 07:27 AM

    Yes. When I change the guest expiration to "Now", ClearPass sends a CoA to the switch and the switch reauthenticates the user. So CoA is working fine.