Frequent Contributor I

ClearPass didn't trigger CoA after GuestUser expiry

Need help!!

Setup: ClearPass + Cisco 2960 switch. Captive portal based authentication for LAN users connected to the Cisco switch.

Problem: After a guest user expires, ClearPass does not trigger a CoA action (when checked in the Access Tracker tab, there is no CoA). But when manually triggering CoA (Cisco Terminate Session), CoA works and the client gets disconnected.

More details: Using the Wired Enforcement Policy document, I created a service with 'Allow all mac auth' + 'web auth' for a guest-based solution for LAN users. The user is allowed initially with MAC auth and given a redirect URL, followed by the web auth service to validate guest credentials and update the Endpoint with username and role. Detailed screenshots attached.

Checklist:

  • Insight, accounting interim packets -> enabled
  • RADIUS CoA enabled in device page
  • Expire post login, do expire policies added
  • Authorization in service -> all databases added
  • Guest > Configuration > Authentication settings > selected NAS type as "Cisco systems(RFC 3576)"

Please suggest any tips :)

Access Tracker logs for one user:

[Attached screenshots: ac1.JPG, ac 2.JPG, ac3.JPG, ac4.JPG, ac5.JPG, ac6.JPG, ac7.JPG, ac8.JPG]

Thanks

Sairam

Accepted Solutions
Regular Contributor II

Re: ClearPass didn't trigger CoA after GuestUser expiry

Is a CoA needed for this?

As far as I remember, ClearPass will set the dot1x session timeout to match the remaining time until guest expiration. I remember seeing that under the SQL query for the guest user source.

The NAD would then force a reauth after expiration, without any CoA.

But for that to work, the Catalyst must be set to use the AAA server-provided session timeout, which I think is not the default setting.

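The switch-side setting this answer refers to, as an added example that is not part of the original post: a Cisco IOS access-port fragment that makes the Catalyst take its reauthentication interval from the RADIUS Session-Timeout attribute. The interface name is a placeholder, and the fragment assumes an IOS release that uses the `authentication` command set.

```cisco
! Added example; GigabitEthernet0/1 is a placeholder access port.
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 mab
 ! Periodic reauthentication is off by default; enable it.
 authentication periodic
 ! Take the interval from Session-Timeout in the Access-Accept
 ! instead of the locally configured timer.
 authentication timer reauthenticate server
!
! Check which timeout the port applied to a session:
! show authentication sessions interface GigabitEthernet0/1
```

The switch learns the timeout when it receives the Access-Accept, so the timer reflects the expiry known at login time.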


All Replies
Moderator

Re: ClearPass didn't trigger CoA after GuestUser expiry

Do you have Insight enabled in the cluster?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

Yes @cappalli. Any other tips to try?

Moderator

Re: ClearPass didn't trigger CoA after GuestUser expiry

Best to work with Aruba TAC.


Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

Hi, I have the same problem with no CoA after user account expiration. Using the dot1x timeout is fine, but sometimes I need to change the expiration of an account while the user is logged in (shorten the expiration time). How can I log out the user from the switch when the shortened expiration time is reached?

When I set the expiration time to "now" then it works OK - ClearPass sends CoA, and the user is redirected back to the captive portal. Also, when I log out the user from the active session, reauthentication occurs.

Frequent Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

PiotrC,

Create a new endpoint update enforcement and use the 'Expire-Time -Update' attribute.

[Screenshot: Capture.JPG]

Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

I have configured that profile:

[Screenshot: enforcement-profile_expire-update.png]

But how do I trigger that? Will it be triggered automatically after changing the account expiration? Now I use this profile in the MAC auth enforcement policy:

[Screenshot: enforcement_policy.png]

Now I have tried to create a guest account with the expiration time set to 5 minutes after creating the account. After user login the endpoint was updated with the correct expiry time, but after expiration of the account there is no action - the user is still connected to the network.

MVP Expert

Re: ClearPass didn't trigger CoA after GuestUser expiry

Is RADIUS CoA enabled in CPPM, and is the CPPM server also added as an RFC server in the controller?

[Screenshot: communitry.PNG]


Pavan Arshewar | ACCP

If my post address your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

Yes. When I change the guest expiration to "Now", ClearPass sends CoA to the switch and the switch reauthenticates the user. So CoA is working fine.
