ClearPass ArubaOS Switching - Terminate Session failed: unsupported attribute

  • 1.  ClearPass ArubaOS Switching - Terminate Session failed: unsupported attribute

    Posted Nov 17, 2019 10:47 AM
    Hi,
     
    We have problems with terminate session from ClearPass to, for example, an hp5400r switch.
    
    Status Message Radius ArubaOS Switching - Terminate Session failed for client d072dc7a439c. Unsupported Attribute.
    
    If we perform a test with freeradius radclient then it will be fine;
    the Message-Authenticator Attribute is not present with the freeradius radclient request.
    What is going wrong and how can we get this to work with ClearPass (or switch config change)?
    Can we prevent sending the Message-Authenticator Attribute with ClearPass?

    ClearPass Policy Manager 6.8.3.110034
    switch 5412Rzl2 KB.16.09.0006

    output tcpdump freeradius radclient:
    16:20:28.183395 IP (tos 0x0, ttl 60, id 30542, offset 0, flags [none], proto UDP (17), length 99)
    XXX.XXX.2.3.57541 > 172.16.11.160.3799: [udp sum ok] RADIUS, length: 71
    Disconnect-Request (40), id: 0x15, Authenticator: d68a2a8e3f2526a6214e5cd948ce22d2
    Event-Timestamp Attribute (55), length: 6, Value: Sun Nov 17 15:19:32 2019
    0x0000: 5dd1 56f4
    User-Name Attribute (1), length: 14, Value: 58ac78de9816
    0x0000: 3538 6163 3738 6465 3938 3136
    NAS-IP-Address Attribute (4), length: 6, Value: 172.16.11.160
    0x0000: ac10 0ba0
    NAS-Port Attribute (5), length: 6, Value: 2
    0x0000: 0000 0002
    Calling-Station-Id Attribute (31), length: 19, Value: 58-ac-78-de-98-16
    0x0000: 3538 2d61 632d 3738 2d64 652d 3938 2d31
    0x0010: 36
    16:20:28.190033 IP (tos 0x0, ttl 64, id 23283, offset 0, flags [none], proto UDP (17), length 60)
    172.16.11.160.3799 > XXX.XXX.2.3.57541: [udp sum ok] RADIUS, length: 32
    Disconnect-ACK (41), id: 0x15, Authenticator: 97273170ba7003c575c3be70c11c8d70


    output tcpdump ClearPass:
    16:23:25.924302 IP (tos 0x0, ttl 60, id 44023, offset 0, flags [DF], proto UDP (17), length 117)
    XXX.XXX.5.4.54020 > 172.16.11.160.3799: [udp sum ok] RADIUS, length: 89
    Disconnect-Request (40), id: 0x80, Authenticator: 1e5f654eab2a8637ea9d7d7d62e26b9f
    User-Name Attribute (1), length: 14, Value: 58ac78de9816
    0x0000: 3538 6163 3738 6465 3938 3136
    NAS-IP-Address Attribute (4), length: 6, Value: 172.16.11.160
    0x0000: ac10 0ba0
    NAS-Port Attribute (5), length: 6, Value: 2
    0x0000: 0000 0002
    Message-Authenticator Attribute (80), length: 18, Value: ...tp..._)...]..
    0x0000: caa0 0a74 70e0 ad91 5f29 089c 8c5d 8d96
    Event-Timestamp Attribute (55), length: 6, Value: Sun Nov 17 16:24:01 2019
    0x0000: 5dd1 6611
    Calling-Station-Id Attribute (31), length: 19, Value: 58-ac-78-de-98-16
    0x0000: 3538 2d61 632d 3738 2d64 652d 3938 2d31
    0x0010: 36
    16:23:25.925721 IP (tos 0x0, ttl 64, id 23287, offset 0, flags [none], proto UDP (17), length 60)
    172.16.11.160.3799 > XXX.XXX.5.4.54020: [udp sum ok] RADIUS, length: 32
    Disconnect-NAK (42), id: 0x80, Authenticator: ab999f0474ddacb88450d4de4e76667d
    Event-Timestamp Attribute (55), length: 6, Value: Sun Nov 17 16:24:00 2019
    0x0000: 5dd1 6610
    Unknown Attribute (101), length: 6, Value:
    0x0000: 0000 0191
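
The Disconnect-NAK in the ClearPass capture above carries attribute 101, printed by tcpdump as "Unknown Attribute"; RFC 5176 defines it as Error-Cause, and 0x0191 is 401, Unsupported Attribute. The Python below is an added example, not code from the thread or from Aruba: it parses the three packets, rebuilt here from the printed fields (attribute order simplified), decodes the Error-Cause and lists what the rejected request carries that the accepted one does not.

```python
import struct

# Attribute types seen in the captures (RFC 2865, RFC 2869, RFC 5176).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 31: "Calling-Station-Id",
         55: "Event-Timestamp", 80: "Message-Authenticator", 101: "Error-Cause"}
# Error-Cause values from RFC 5176 (subset).
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               404: "Invalid Request", 503: "Session Context Not Found"}

def parse_radius(pkt):
    """Return (code, id, [(type, value), ...]), rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def error_cause(pkt):
    """Decode Error-Cause (101) from a reply; None if absent."""
    for atype, val in parse_radius(pkt)[2]:
        if atype == 101 and len(val) == 4:
            n = struct.unpack("!I", val)[0]
            return n, ERROR_CAUSE.get(n, "unknown")
    return None

def extra_attrs(failing, working):
    """Names of attributes in the failing request that the working one lacks."""
    ok = {t for t, _ in parse_radius(working)[2]}
    return [ATTRS.get(t, str(t)) for t, _ in parse_radius(failing)[2] if t not in ok]

# Constructed: packets rebuilt from the fields tcpdump printed in the post above.
COMMON = ("010e353861633738646539383136" "0406ac100ba0" "050600000002"
          "1f1335382d61632d37382d64652d39382d3136")
RADCLIENT = bytes.fromhex("28150047" "d68a2a8e3f2526a6214e5cd948ce22d2" "37065dd156f4" + COMMON)
CLEARPASS = bytes.fromhex("28800059" "1e5f654eab2a8637ea9d7d7d62e26b9f" + COMMON
                          + "5012caa00a7470e0ad915f29089c8c5d8d96" "37065dd16611")
NAK = bytes.fromhex("2a800020" "ab999f0474ddacb88450d4de4e76667d" "37065dd16610" "650600000191")

if __name__ == "__main__":
    print(error_cause(NAK), extra_attrs(CLEARPASS, RADCLIENT))
```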


  • 2.  RE: ClearPass ArubaOS Switching - Terminate Session failed: unsupported attribute
    Best Answer

    EMPLOYEE
    Posted Nov 18, 2019 03:26 AM

    Did you install the Dynamic Authorization hotfix for ClearPass 6.8.3 which was released last week? There is a notice on support.arubanetworks.com and asp.arubanetworks.com:

     

    Customers using CoA-Request or Disconnect-Request with ArubaOS-Switches must also apply the 6.8.3 Hotfix for RADIUS Dynamic Authorization issue with Aruba Switch. An issue has been identified due to the change documented in (CP‑32800) that impacts interoperability.



  • 3.  RE: ClearPass ArubaOS Switching - Terminate Session failed: unsupported attribute

    Posted Nov 18, 2019 03:50 AM

    Many thanks!

     

    We installed the hotfix and now it works. Now there is no Message-Authenticator attribute in the ClearPass Disconnect request.