Security

We've just migrated our dev WiFi from 6.5 to 8.5

The attached image shows current setup. All airgroup configs done at the "dev(2)" level.

 

Looking at clearpass Access-Tracker, I can see the normal wifi device auths and the Airgroup Authorization Service  request/sesponse entries. These come from the mobility master arubammdev0

 

In 6.5 I could do a RADIUS CoA and force a terminate session. With our current setup in 8.5 I'm not given the option of performing a CoA. The mobility master is configured as a device correctly in clearpass  with CoA on 3999

so, given that clearpass has port 3999 configured for CoA and I'm logging onto arubammdev0 using my credentials via the clearpass server, how does clearpass decide whether it can use CoA on 3999 back to a device?

 

Conf/System/Profiles/RFC 3576 server/ seems to have both my clearpass servers in there ... assuming with correct shared key ... I didn't set it up 

 

 

 

 

 

 

Sigh!

logged into CLI on the box , had a look and no, the RFC3756 servers didn;t have a key asigned :-(

 

A

Follpwing on from the above ...

Attached image shows the output of Airgroup Diagnostics for a sample mac address. It says that airgroup CoA requests will be sent  to the mm controller 144.32.76.54

 

Fine but where do I enable acceptance of RADIUS  CoA traffic  on port 5999 ? Can create a clearpass Airgroup profile on the mobility master. Can only do it on the managed network tree  but clearpass isn't sending CoAs to 5999 on that its sending it to themmaster :5999

I suppose that the NAS IP is set to the MM IP. There are two options for this.


* Configure a VRRP IP within the cluster. A unique IP per cluster node (recommended)
* Set the RADIUS NAS IP at the MDC. For example > ip radius nas-ip nas-vlan x

Yup

See clearpass input  in attached file

A

Both of these are required in a cluster.

Yup

See clearpass input  in attached file

A