Occasional Contributor II

ClearPass didn't trigger CoA after GuestUser expiry

Need help!

Setup: ClearPass + Cisco 2960 switch. Captive portal based authentication for LAN users connected to the Cisco switch.

Problem: After the guest user expired, ClearPass is not triggering the CoA action (when checked in the Access Tracker tab, there is no CoA). But when manually triggering CoA (Cisco Terminate session), CoA works and the client gets disconnected.

More details: Using the Wired Enforcement Policy document, I created a service with 'Allow all mac auth' + 'web auth' for a guest-based solution for LAN users. The user is allowed initially with MAC auth and given a redirect URL, followed by the web auth service to validate guest credentials and update the Endpoint with username and role. Detailed screenshots attached.

Checklist:

  • Insight, accounting interim packets -> enabled
  • RADIUS CoA enabled in device page
  • Expire post login, do expire policies added
  • Authorization in service -> all databases added
  • Guest > Configuration > Authentication settings > selected NAS type as "Cisco systems(RFC 3576)"

Please suggest any tips :)

Access Tracker logs for one user:

[Attached screenshots: ac1.JPG to ac8.JPG]

Thanks

Sairam

Guru Elite

Re: ClearPass didn't trigger CoA after GuestUser expiry

Do you have Insight enabled in the cluster?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor II

Re: ClearPass didn't trigger CoA after GuestUser expiry

Yes @cappalli. Any other tips to try?

Guru Elite

Re: ClearPass didn't trigger CoA after GuestUser expiry

Best to work with Aruba TAC.

Contributor II

Re: ClearPass didn't trigger CoA after GuestUser expiry

Is a CoA needed for this?

As far as I remember, ClearPass will set the dot1x session timeout to match the remaining time until guest expiration. I remember seeing that under the SQL query for the guest user source.

The NAD would then force a reauth after expiration, without any CoA.

But for that to work, the Catalyst must be set to use the AAA-server-provided session timeout, which I think is not the default setting.
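
The switch-side settings that post refers to, as an added example that is not part of the original thread: a Cisco IOS fragment, assuming a release that has the `authentication` interface commands. The interface name, the ClearPass address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Added example; interface, address and key are placeholders.
!
! Accept RFC 3576 CoA / Disconnect requests from the ClearPass server
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
!
interface GigabitEthernet0/1
 ! Periodic reauthentication is off unless enabled on the port
 authentication periodic
 ! Take the reauthentication timer from the Session-Timeout
 ! (RADIUS attribute 27) returned in the Access-Accept,
 ! instead of a locally configured number of seconds
 authentication timer reauthenticate server
```

`show authentication sessions interface GigabitEthernet0/1` (with `details` on newer releases) shows the session timeout applied to the port's session.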

Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

Hi, I have the same problem with no CoA after user account expiration. Using the dot1x timeout is fine, but sometimes I need to change the expiration of an account while the user is logged in (shorten the expiration time). How can I log the user out from the switch when the shortened expiration time is reached?

When I set the expiration time to "now" then it works OK - ClearPass sends CoA, and the user is redirected back to the captive portal. Also, when I log the user out from the active session, reauthentication occurs.

Occasional Contributor II

Re: ClearPass didn't trigger CoA after GuestUser expiry

PiotrC,

Create a new endpoint update enforcement and use 'Expire-Time -Update' attribute.

[Attached screenshot: Capture.JPG]

Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

I have configured that profile:

[Attached screenshot: enforcement-profile_expire-update.png]

But how to trigger that? Will it be triggered automatically after changing the account expiration? Now I use this profile in the MAC auth enforcement policy:

[Attached screenshot: enforcement_policy.png]

Now I have tried to create a guest account with the expiration time set to 5 minutes after creating the account. After user login the endpoint was updated with the correct expiry time, but after expiration of the account there is no action - the user is still connected to the network.

Re: ClearPass didn't trigger CoA after GuestUser expiry

Is RADIUS CoA enabled in CPPM, and is the CPPM server added as an RFC server in the controller?

[Attached screenshot: communitry.PNG]

Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
Occasional Contributor I

Re: ClearPass didn't trigger CoA after GuestUser expiry

Yes. When I change the guest expiration to "Now" then ClearPass sends CoA to the switch and the switch reauthenticates the user. So CoA is working fine.
