RADIUS CoA problem

  • 1.  RADIUS CoA problem

    Posted May 02, 2013 06:31 AM

    I configured ClearPass for wireless authentication. Authentication for wireless 802.1x via MS-PEAP and captive portal is working without problems. I am using AeroHive access-points for the wireless networks.

     

    ClearPass is configured with 2 NICs. One in the production environment and one in an internet-only segment. Clients connect to the AeroHive SSID and get a captive portal. I receive the RADIUS request in ClearPass and authentication works fine. I see the AeroHive IP address as NAS IP Address in the RADIUS request. The only thing that isn’t working is a CoA request. I would like to disconnect an active session. Within the guest portal I go to Guest – Active Session. I choose a guest user and click “Disconnect”. I receive the following error message (also attachment active-guest-error).

     

    Error disconnecting session for user testuser. Please check ClearPass Policy Manager -> Access Tracker for more details.

     

    When I check the Access Tracker, I don’t get any new logging information about the failure. I can also change the status from the Access Tracker by clicking Change Status. This doesn't work either, because I receive the following message (also attachment access-tracker-error).

     

    No advertised access control capabilities for this MAC Address

     

    I added every single AeroHive AP as Network Device and enabled RADIUS CoA (attachment aerohive). RADIUS authentication is working like a charm. Accounting is also working fine, because I can see the bandwidth consumption from the client.



  • 2.  RE: RADIUS CoA problem

    Posted May 02, 2013 06:40 AM

     

    Can you confirm in CPPM that you've set Aerohive as the Vendor in the device setup and checked the Enable Radius CoA? I see from your screenshot that it's set on the Aerohive AP.

     

    Also - can you verify that UDP traffic on port 3799 is open both ways between the CPPM and Aerohive AP?

     

     



  • 3.  RE: RADIUS CoA problem

    Posted May 02, 2013 06:56 AM

    John,

     

    The configuration of the Network Device in CPPM is in the attachment. I checked that AeroHive is the vendor and Radius CoA is enabled.

     

    The CPPM (Management Port) and AeroHive APs are part of the same VLAN, so there is no firewall in between. I am also in that subnet. I ran an nmap against both (CPPM and one AeroHive AP) and port UDP/3799 seems to be open.

     

    PORT STATE SERVICE
    3799/udp open|filtered unknown
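
Added example, not part of the original posts or of any vendor's code: nmap reports `open|filtered` for a UDP port when it sees no reply, so the conclusive check is whether the NAS answers an RFC 5176 Disconnect-Request (RFC 5176 obsoletes RFC 3576) with an ACK or a NAK. This Python code builds that request and then verifies and decodes a reply; the shared secret, MAC address, session ID and the NAK reply are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 31, 44, 101
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                403: "NAS Identification Mismatch", 404: "Invalid Request",
                501: "Administratively Prohibited", 503: "Session Context Not Found"}

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def sign(code, ident, seed, attrs, secret):
    """Build a packet whose authenticator is MD5(header + seed + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs

def build_disconnect_request(ident, secret, user, mac, session_id):
    """Disconnect-Request: the authenticator seed is 16 zero octets."""
    attrs = (attr(USER_NAME, user.encode()) + attr(CALLING_STATION_ID, mac.encode())
             + attr(ACCT_SESSION_ID, session_id.encode()))
    return sign(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)

def parse_reply(reply, request, secret):
    """Authenticate a reply against its request; return (verdict, Error-Cause)."""
    if len(reply) < 20 or reply[1] != request[1]:
        raise ValueError("short reply or identifier mismatch")
    # A reply is seeded with the Request Authenticator of the packet it answers.
    expected = sign(reply[0], reply[1], request[4:20], reply[20:], secret)
    if not hmac.compare_digest(expected, reply):
        raise ValueError("bad length or Response Authenticator (wrong shared secret?)")
    attrs, pos, cause = reply[20:], 0, None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE and alen == 6:
            number = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            cause = ERROR_CAUSES.get(number, f"Error-Cause {number}")
        pos += alen
    verdict = {DISCONNECT_ACK: "ACK", DISCONNECT_NAK: "NAK"}.get(reply[0], "unexpected")
    return verdict, cause

# Constructed sample values; "testuser" is the user name from the first post.
SECRET = b"constructed-secret"
REQUEST = build_disconnect_request(7, SECRET, "testuser", "00-11-22-33-44-55", "constructed-session-1")
NAK = sign(DISCONNECT_NAK, 7, REQUEST[4:20], attr(ERROR_CAUSE, struct.pack("!I", 503)), SECRET)

if __name__ == "__main__":
    print(parse_reply(NAK, REQUEST, SECRET))
```

A NAK that carries an Error-Cause shows the NAS received and processed the request on UDP 3799; no reply at all points to filtering, a disabled CoA listener, or a shared-secret mismatch that makes the NAS drop the packet silently.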



  • 4.  RE: RADIUS CoA problem

    Posted May 02, 2013 09:26 AM

    Make sure you have enabled the RFC 3576 Server on the Aerohive side of things; this would allow you to do CoA.

     

    CoA - Aerohive.png 

     



  • 5.  RE: RADIUS CoA problem

    Posted May 02, 2013 09:34 AM

    Hi vfabian,

     

    That's the first thing I checked in AeroHive. It is the only option to enable and configure RADIUS CoA in AeroHive.



  • 6.  RE: RADIUS CoA problem

    Posted May 02, 2013 10:54 AM

    I am a little bit further with the problem. I changed the vendor type on the Network Device from AeroHive to Aruba. Now I can disconnect WPA2 Enterprise from the Access Tracker and the CPPM Guest Active Sessions console.

     

    The only problem left is that I cannot disconnect Guest users (self-registration) from the CPPM Guest Active Sessions console. It looks like accounting isn't working. The MAC address isn't populated in the active session table, as shown in the attachment. I am also missing the Accounting tab in the Access Tracker properties of a user.



  • 7.  RE: RADIUS CoA problem

    Posted May 25, 2013 12:34 PM

    Not sure, but I have seen guest complain about Policy Manager not being configured for RADIUS accounting; might be your issue?

     

    Otherwise open a TAC case, and please do report back the result.



  • 8.  RE: RADIUS CoA problem
    Best Answer

    Posted May 26, 2013 03:45 PM

    TAC support told me that RADIUS CoA for AeroHive isn't supported in the current ClearPass version. I created a feature request to support AeroHive.



  • 9.  RE: RADIUS CoA problem

    Posted Oct 22, 2013 11:05 AM

    I have the same issue with Chillispot.

     

    Take care before upgrading from amigopod to ClearPass as I did, because you will lose some features

    (for example external RADIUS proxy).



  • 10.  RE: RADIUS CoA problem

    EMPLOYEE
    Posted Oct 22, 2013 11:15 AM

    @andrea.consadori wrote:

    I have the same issue with Chillispot.

     

    Take care before upgrading from amigopod to ClearPass as I did, because you will lose some features

    (for example external RADIUS proxy).


    Andrea,

     

    ClearPass does have external Radius Proxy. Which version did you NOT see it in?

    proxy.png



  • 11.  RE: RADIUS CoA problem

    Posted Oct 29, 2013 11:09 AM

    Hi cjoseph, I see this menu, but I opened a ticket with support and during the call they told me that it wasn't supported....

    It seems that ClearPass support is not as skilled as Aruba support....



  • 12.  RE: RADIUS CoA problem

    EMPLOYEE
    Posted Oct 29, 2013 11:42 AM

    @andrea.consadori wrote:

    Hi cjoseph, I see this menu, but I opened a ticket with support and during the call they told me that it wasn't supported....

    It seems that ClearPass support is not as skilled as Aruba support....


    Andrea.consadori,

     

    What are you referring to specifically? Radius Proxy?

     



  • 13.  RE: RADIUS CoA problem

    Posted Feb 19, 2014 09:32 AM

    Sorry for my late reply:

     

    Previously, with amigopod, I had an external RADIUS server as a fallback for my DB,

    so if a user was not in the local DB, before showing "user not found" in web auth I checked this RADIUS server.