Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius COA problem between controller and clearpass

  • 1.  Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 05:35 AM

    Hi,

     

    I want to use RADIUS CoA between a controller and ClearPass to disconnect a user session with a "Terminate Aruba Session", but it doesn't work.

    I have this message in "Access Tracker":

     

    Status Message: Session-Context-Not-Found

     

     

    On the controller,

    in the RFC Statistics, the "Disconnect Rej" increments all the time!

    In the aaa log about RFC, I have the message:

    Dec 30 10:36:28 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1188] Invalid parameters, setting nas_port_type to wireless
    Dec 30 10:36:29 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

     

    Do you have any idea?

     

    My configuration : 

    CPPM: RADIUS CoA is enabled and using port 3799.

    Controller: RFC3746 server defined in AAA profile. Key matches key specified in device details above.

     

    Regards

     

    Yann

     

     

     

     



  • 2.  RE: Radius COA problem between controller and clearpass

    EMPLOYEE
    Posted Dec 30, 2014 06:16 AM

    Yann Dorval,

     

    Please make sure that the nas-ip-address parameter configured on the controller for ClearPass matches the IP address defined in ClearPass.



  • 3.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 06:30 AM

    Hi Cjoseph,

     

    Thanks for your answer:

    I have checked it.

    On my controller:

    Capture03.JPG

     

    On my CPPM

     

    Capture02.JPG

     

    regards

     

     

     




  • 4.  RE: Radius COA problem between controller and clearpass

    EMPLOYEE
    Posted Dec 30, 2014 06:32 AM

    Yann Dorval,

     

    Not in the RFC 3576 definition.  Check in the Radius Server definition on the controller.

     



  • 5.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 07:36 AM

    Cjoseph,

     

    I think it's good

     

    Capture04.JPG

    Capture06.JPG

     

    Regards

     

    Yann



  • 6.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 10:28 AM

    It's strange, because in my Access Tracker -> Accounting -> Network Detail, I have the good NAS-Port-Type:

    NAS IP Address: 10.1.8.50:0
    NAS Port Type: Wireless-802.11

     

    regards

     

    Yann



  • 7.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 11:08 AM

    In debug aaa you can see 2 messages about the NAS Port Type

     

    Capture14.JPG



  • 8.  RE: Radius COA problem between controller and clearpass

    Posted Dec 30, 2014 12:52 PM

    i don't see the COA server connected to your AAA profile, is it there?

     

    you're not doing anything special with your network, i.e. NATing, firewall in between, ...?



  • 9.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 03:39 AM

    hi boneyard,

     

    Thanks for your reply. For me it's already connected to my AAA profile, see below (RFC 3576 server 10.1.8.7).

    The CPPM and ClearPass are in the same VLAN, network, IP range; there is nothing between them.

     

    Capture20.JPG

     

    Regards

     

    Yann 



  • 10.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 05:45 AM

    and you can't do a CoA on any session? you have checked with a recent session you just logged in with?

     

    only thing i would try then is to reset all shared secrets, so on controller (RFC... and radius server) and on clearpass with an easy one. just to rule out any copy paste / fat finger errors.

     

    after that i would contact TAC (and go through all of the above again first :) ).
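
Added example, not part of the original thread or of any Aruba/ClearPass code: a Python check that separates the two failure modes discussed here, a shared-secret mismatch versus a reply carrying the Session-Context-Not-Found status from the first post. It follows the RFC 5176 packet layout; the secret, request authenticator and NAK bytes are constructed sample values, and `build_reply` / `diagnose_reply` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and a subset of Error-Cause (attribute 101) values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
ERROR_CAUSE = {
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
    501: "Administratively-Prohibited",
    503: "Session-Context-Not-Found", 504: "Session-Context-Not-Removable",
}

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Build a reply as a NAS would; used only to construct the sample input."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def diagnose_reply(packet, request_auth, secret):
    """Return (packet name, authenticator_ok, Error-Cause name or None)."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]          # ignore padding after the stated length
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    auth_ok = hmac.compare_digest(expected, packet[4:20])
    cause, pos = None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_type == 101 and a_len == 6:   # Error-Cause: 4-byte integer value
            value = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            cause = ERROR_CAUSE.get(value, f"Error-Cause-{value}")
        pos += a_len
    return CODES.get(code, f"Code-{code}"), auth_ok, cause

# Constructed sample values (not taken from the thread).
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))
SAMPLE_NAK = build_reply(42, 7, REQ_AUTH, SECRET, struct.pack("!BBI", 101, 6, 503))

if __name__ == "__main__":
    print(diagnose_reply(SAMPLE_NAK, REQ_AUTH, SECRET))
```

A Disconnect-NAK whose authenticator verifies and whose Error-Cause is 503 shows that the shared secret matched and that the NAS could not map the request's session attributes to a session it holds.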



  • 11.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 05:55 AM

    thanks for your reply

     

    I just changed all the passwords, tested with another enforcement policy and profile, with another controller, with another service, etc. I think I have tested all that I could :)

    Yesterday I opened a case; I'm waiting for a reply from them.

     

    Thanks for your help, Happy Holidays

     

    Regards

     

    Yann



  • 12.  RE: Radius COA problem between controller and clearpass

    Posted Dec 31, 2014 06:47 AM

    For your information, my AP is in RAP mode and the VAP is in bridge mode.

    I just configured my VAP in tunnel mode and the CoA works well now!

    My question: is there a prerequisite for CoA to work in bridge mode?

     

    regards

     

    Yann



  • 13.  RE: Radius COA problem between controller and clearpass

    Posted Jan 02, 2015 07:03 AM

    thanks for reporting back about your finding. sounds like a possible reason for it not working. tried to find a source saying this is indeed the issue, but can't find one. hopefully your ticket with TAC will give  a definite answer. be sure to relay that.



  • 14.  RE: Radius COA problem between controller and clearpass

    Posted Jan 06, 2015 09:27 AM

    I confirm: with one CAP on the VAP in tunnel mode, it works well, but when I configure the VAP in bridge mode, I have the message "Session-Context-Not-Found".

    Capture001.JPG



  • 15.  RE: Radius COA problem between controller and clearpass

    Posted Jan 06, 2015 02:32 PM

    what is TAC saying about this, is there no way to pull this off with a bridged SSID?



  • 16.  RE: Radius COA problem between controller and clearpass
    Best Answer

    Posted Jan 07, 2015 01:02 PM

    Hi Boneyard,

     

    yes, they answered me ... "CoA will not be supported in the bridge mode", it's a big problem for my project ...

     

    coa.jpg

     

    Thank you for your help



  • 17.  RE: Radius COA problem between controller and clearpass

    EMPLOYEE
    Posted Jan 02, 2015 07:36 AM

    Yann Dorval,

     

    What version of ArubaOS are you using?

     

    Are you sending radius accounting information to clearpass?

     

     



  • 18.  RE: Radius COA problem between controller and clearpass

    Posted Jan 05, 2015 04:12 AM

    Hi Cjoseph,

     

    Version 6.4.2.2 is installed on the controller.

    Yes, I send the RADIUS accounting information from the controller to ClearPass.

     

    Regards

     

    Yann