Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
  • 1.  CoA Problem

    Posted Feb 11, 2015 03:44 AM

    Hi Guys,

    I have a problem with my CoA config. It is supposed to be a simple setup, but I cannot find where my config went wrong.

    Every time I try to do CoA, either manually from Access Tracker or automatically from my profile service, it always fails with an error from Access Tracker: "Radius [Aruba Terminate Session] failed for client", and when I do it manually, "Failed to contact Access Control Service".

    Here is the configuration of the controller and CPPM:

    • Both are deployed in the same subnet, so the firewall should not be an issue.
    • RFC 3576 is already set up on the correct IP.
    • The RADIUS client IP and interface are already on the same address in the controller.
    • CoA is enabled in the server config in ClearPass.

    I cannot figure out where it went wrong.

    Ricky



  • 2.  RE: CoA Problem

    Posted Feb 11, 2015 07:15 AM

    Please, I need help :(

    I really need to get this fixed ASAP.



  • 3.  RE: CoA Problem

    Posted Feb 11, 2015 09:53 AM

    What type of service is this?

    In Access Tracker, does the authentication request show the correct controller IP as the NAS-IP-Address?

    After a failed CoA, look at the detailed logs in Access Tracker to find more info on what went wrong.



  • 4.  RE: CoA Problem

    Posted Feb 11, 2015 10:16 AM
    A couple of things:
    - If you are using a VIP on the ClearPass cluster, make sure you add that to the list of RFC 3576 servers under the AAA profile.
    - Make sure that the shared key in the RFC 3576 server on the controller is correct.
    - On the controller, check your NAS IP address by running this command:
    show radius nas-ip ; that IP address needs to be added to the list of NAD devices in ClearPass.
    - In ClearPass, make sure that when you add the controller as a NAD you enable CoA.
    - If there's a firewall between the controller and ClearPass, you need to allow port 3799.


  • 5.  RE: CoA Problem

    Posted Feb 11, 2015 10:51 AM

    I just remembered that the controller is a 2600 with ArubaOS 5. Does anyone know if CoA is possible in OS 5?
    The controller has RFC 3576 though.

    Hi xdrew, it's a profiler to force DHCP fingerprinting to get the device category parameter.
    Yes, it does show the exact controller IP. This is one of the first things I checked, because the customer uses multiple controllers with a lo interface.

    Hi Victor,
    - I am going to cluster these ClearPass servers, but for now I still run it without the cluster config.
    - Which part of the ClearPass config does the controller compare this key to? I use the same key for every RADIUS/server shared key.
    - What is a NAD device? Is it the network devices? If it is, yes, I already compared them and they already match, and they also match the NAS IP in Access Tracker.
    - Already checked the CoA.
    - The controller and ClearPass are deployed in the same subnet, without an access list in the switch.

    Ricky.



  • 6.  RE: CoA Problem

    Posted Feb 11, 2015 11:18 AM

    I've checked the log, and there is no error, only a warning, and this is the only one that has anything to do with CoA.

    2015-02-11 19:29:50,273[RequestHandler-1-0x7f87fe9f4700 r=R000002eb-01-54db4b3e h=9745 c=R000002eb-01-54db4b3e] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=

    Does anyone have any idea what it means?

    Ricky



  • 7.  RE: CoA Problem

    Posted Feb 11, 2015 02:46 PM

    Network Access Device; in this case it will be the controller.

    AOS 6.4.2.1 has a fix for a CoA bug:

    [screenshot: ArubaOS 6.4.2.4 Release Notes]

    Verify the following:

    - Under the AAA profile you are using for that SSID, make sure you have defined the IP addresses of each of your ClearPass servers; the shared key is the same one used for RADIUS:

    [screenshot: Authentication Profiles]

    - Make sure that CoA is enabled:

    [screenshot: ClearPass Policy Manager]

    - The NAS-IP address should match the IP address added under Configuration > Network > Devices:

    [screenshot: Authentication Advanced]



  • 8.  RE: CoA Problem

    Posted Feb 11, 2015 06:27 PM

    I've checked, and the configuration you mentioned matches.

    The "show ip radius source interface" and "show ip radius nas ip" commands on the controller return the correct IP that I entered in the network device parameters in CPPM.

    Is it safe to assume that my controller 2400 running ArubaOS 5 cannot do CoA because of that bug you mentioned?

    Ricky


  • 9.  RE: CoA Problem

    Posted Feb 11, 2015 07:47 PM

    Rick,

    I checked with Prod Mgmt here and they confirmed AOS 5.0 DID actually support CoA.



  • 10.  RE: CoA Problem
    Best Answer

    Posted Feb 13, 2015 07:12 AM

    We found the problem for this case.

    It seems like the controller 2400 running AOS 5.0 doesn't use the normal port for CoA.

    The port for CoA on the controller was opened at 1700, not 3799.

    Not sure if it is by default or was changed by the engineer before me.

    Ricky
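Added example (not from this thread or from HPE Aruba): a small offline simulation of the RFC 5176 Disconnect-Request exchange between the RADIUS server (ClearPass) and the NAS (the controller), showing why a wrong shared key makes the controller drop the request with no reply, so the sender only sees a timeout, which is also what an unreachable CoA port looks like from the ClearPass side. The shared key, session ID and attributes are constructed values; nothing is sent on the network, so the UDP port (3799 per RFC 5176, 1700 on the controller in this thread) is not part of the code.

```python
import hashlib
import struct

# RADIUS Disconnect codes and attributes used here (RFC 5176 / RFC 2865).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERROR_SESSION_NOT_FOUND = 503

def encode_attrs(attrs):
    """attrs is a list of (type, bytes); returns the RADIUS TLV attribute stream."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Inverse of encode_attrs: {type: value}, first occurrence wins, stops on bad length."""
    out, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        out.setdefault(data[i], data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return out

def build_request(code, identifier, attrs, secret):
    """ClearPass side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_response(code, request, attrs, secret):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def nas_handle(request, nas_secret, active_sessions):
    """Simulated controller: drop silently on a bad authenticator (wrong shared key),
    ACK if the Acct-Session-Id is active, otherwise NAK with Error-Cause 503."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return None
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + nas_secret).digest()
    if expected != request[4:20]:
        return None  # RFC 5176: discard with no reply, so the sender only sees a timeout
    session = decode_attrs(request[20:]).get(ATTR_ACCT_SESSION_ID)
    if session in active_sessions:
        return build_response(DISCONNECT_ACK, request, [], nas_secret)
    cause = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_NOT_FOUND))]
    return build_response(DISCONNECT_NAK, request, cause, nas_secret)

def verify_response(response, request, secret):
    """ClearPass side: check the Response Authenticator before trusting an ACK/NAK."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and expected == response[4:20]
```

A mismatched key on either side produces the same symptom as a blocked or wrong port: no ACK or NAK ever comes back, which is why Access Tracker reports a contact failure rather than a rejection.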