MVP Expert

RADIUS CoA to mobility master

We've just migrated our dev WiFi from 6.5 to 8.5.

The attached image shows current setup. All airgroup configs done at the "dev(2)" level.

Looking at ClearPass Access-Tracker, I can see the normal WiFi device auths and the Airgroup Authorization Service request/response entries. These come from the mobility master arubammdev0.

In 6.5 I could do a RADIUS CoA and force a terminate session. With our current setup in 8.5 I'm not given the option of performing a CoA. The mobility master is configured as a device correctly in ClearPass with CoA on 3999.

So, given that ClearPass has port 3999 configured for CoA and I'm logging onto arubammdev0 using my credentials via the ClearPass server, how does ClearPass decide whether it can use CoA on 3999 back to a device?

Conf/System/Profiles/RFC 3576 server/ seems to have both my ClearPass servers in there ... assuming with correct shared key ... I didn't set it up.


MVP Expert

Re: RADIUS CoA to mobility master

Sigh!

Logged into CLI on the box, had a look and no, the RFC3756 servers didn't have a key assigned :-(

A

Super Contributor II

Re: RADIUS CoA to mobility master

I suppose that the NAS IP is set to the MM IP. There are two options for this.


* Configure a VRRP IP within the cluster. A unique IP per cluster node (recommended)
* Set the RADIUS NAS IP at the MDC. For example > ip radius nas-ip nas-vlan x

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!

MVP Expert

Re: RADIUS CoA to mobility master

Yup

See ClearPass input in attached file.

A

Guru Elite

Re: RADIUS CoA to mobility master

Both of these are required in a cluster.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

MVP Expert

Re: RADIUS CoA to mobility master

Following on from the above ...

Attached image shows the output of Airgroup Diagnostics for a sample mac address. It says that airgroup CoA requests will be sent to the mm controller 144.32.76.54.

Fine but where do I enable acceptance of RADIUS CoA traffic on port 5999? Can create a ClearPass Airgroup profile on the mobility master. Can only do it on the managed network tree but ClearPass isn't sending CoAs to 5999 on that, it's sending it to the mmaster:5999
