Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Terminating the session with ClearPass Hotspot

  • 1.  Terminating the session with ClearPass Hotspot

    Posted Jun 02, 2014 02:07 PM

    Hi Airheads,

     

    I'm creating a Hotspot page with the self-register service in ClearPass 6.3. I added the login page to the Captive portal profile in the controller. The redirect process works fine and the login page appears when I associate with the Open SSID. I select to create a new user account, then I select the Hotspot plan, then I register in the form and finally it shows the user receipt. When I click the "start browsing" button I'm redirected to the login page instead of gaining access to the network. I can use the credentials generated by the hotspot to gain access, but it doesn't lose the access (terminating the session) when the access time comes to an end.

     

    Thanks in advance.



  • 2.  RE: Terminating the session with ClearPass Hotspot

    EMPLOYEE
    Posted Jun 02, 2014 02:46 PM


  • 3.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 02, 2014 03:09 PM

    Thanks, but it is another issue. I try to terminate the session when I access the network with the credentials generated with the Hotspot and it works, but it does not disconnect me after the purchased access time.



  • 4.  RE: Terminating the session with ClearPass Hotspot

    EMPLOYEE
    Posted Jun 03, 2014 12:34 AM

    Couple of things

     

    1. Make sure COA is working correctly. This is usually the issue.....

    (A quick way to test is to open a device in access tracker and click Change Status)

     

    Screen Shot 2014-06-02 at 11.28.14 PM.png

     

    2. Is there anything showing in the event viewer in either CPPM or CPGuest?

     

    3. Make sure Insight is enabled.

     

    4. What do your services look like?

     




  • 5.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 02:14 PM

    Hi Troy,

     

    I checked every bullet that you mentioned:

     

    1. I understand that my CoA doesn't work correctly because it shows an alert when I try to change the status in the Access Tracker: "Administratively-Prohibited", and in the active sessions it shows a similar alert: "Error disconnecting session for user".

     

     CPPM.jpg

     

    Error ClearPass.jpg

     

    2. In the event viewer I can see only updates:

     

    Event.jpg

     

    3. Yes, Insight is enabled.

     

    4. These are the services that I'm testing:

     

    Services.jpg

     

    The 4th service is for the Hotspot self register captive portal and this is the summary:

     

    Service.jpg

     

    Do I need to configure something additional to solve the CoA issues? Or how can I configure the CoA correctly?

     

    Thanks in advance.

     



  • 6.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 02:37 PM

    Is CoA configured / allowed on the device where you try to stop the session? It has to be configured on both sides.



  • 7.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 03:08 PM

    I'm using an Aruba controller with 6.3.1.7 AOS but I don't know how to configure the CoA for RADIUS. Can you please explain how I can do it?



  • 8.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 03:24 PM

    a little google goes a long way :)

     

    You configure CoA on the controller side via: security > authentication > servers > RFC 3576. Add the IP of ClearPass and the shared secret you also configured for RADIUS.



  • 9.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 03:31 PM

    Thanks, but I've already added ClearPass here and the CoA generated in ClearPass does not work:

     

    RFC.jpg



  • 10.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 03:33 PM

    Are you sure the shared secrets match?

     

    Is communication between ClearPass and the controller fully allowed? No firewall possibly blocking CoA traffic?

     

    Under devices in ClearPass, for your controller did you enable CoA?



  • 11.  RE: Terminating the session with ClearPass Hotspot

    Posted Jun 03, 2014 05:27 PM

    Yes, the shared secret matches. I checked a couple of times and I checked again with encrypt disable through the CLI. There's no firewall between the controller and ClearPass. And yes, the device has the CoA checkbox enabled. Thanks.



  • 12.  RE: Terminating the session with ClearPass Hotspot

    EMPLOYEE
    Posted Jun 04, 2014 12:38 AM

    You need to make sure COA is enabled in 3 sections.

     

    1. CPPM

     

    Screen Shot 2014-06-03 at 11.30.40 PM.png

     

     

    2. Controller: "advance services > all profile Management > Wireless Lan > RFC3576"

     

    Screen Shot 2014-06-03 at 11.27.54 PM.png

     

     

     

    3. Controller: Security > Authentication > Profiles your profile that is assigned to the user.

     

    Screen Shot 2014-06-03 at 11.28.57 PM.png
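
Added example, not part of any post in this thread and not Aruba or ClearPass code: a Python sketch that verifies the Response Authenticator of an RFC 5176 (formerly RFC 3576) Disconnect-NAK and decodes its Error-Cause attribute, to help separate a shared-secret mismatch from a NAS that refuses the request. It assumes the "Administratively-Prohibited" alert quoted above corresponds to Error-Cause 501; the secret, user name and packet ID are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RFC 5176 (which obsoletes RFC 3576) packet codes and selected Error-Cause values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {403: "NAS Identification Mismatch", 404: "Invalid Request",
               501: "Administratively Prohibited", 503: "Session Context Not Found"}
ERROR_CAUSE_ATTR = 101


def build_packet(code, ident, attrs, secret, auth_seed=bytes(16)):
    """MD5(header + seed + attrs + secret); seed is zeros (request) or the Request Authenticator (reply)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + auth_seed + body + secret).digest() + body


def parse_reply(packet, request_auth, secret):
    """Verify the Response Authenticator and decode an Error-Cause attribute, if any."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    result = {"code": CODES.get(code, str(code)), "id": ident, "error_cause": None,
              "authenticator_ok": hmac.compare_digest(packet[4:20], expected)}
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE_ATTR and alen == 6:
            num = struct.unpack("!I", body[pos + 2:pos + 6])[0]
            result["error_cause"] = (num, ERROR_CAUSE.get(num, "unknown"))
        pos += alen
    return result


# Constructed sample exchange: placeholder secret, user name and packet ID.
SECRET = b"example-shared-secret"
REQUEST = build_packet(40, 7, [(1, b"hotspot-user")], SECRET)
NAK = build_packet(42, 7, [(ERROR_CAUSE_ATTR, struct.pack("!I", 501))], SECRET, REQUEST[4:20])

if __name__ == "__main__":
    print(parse_reply(NAK, REQUEST[4:20], SECRET))
```

Under RFC 5176 a NAS silently discards a request whose authenticator fails validation, so a NAK with a valid Response Authenticator and Error-Cause 501 points at the NAS-side configuration rather than at a secret mismatch or a blocked path.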