Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

COA and AOS8 cluster

  • 1.  COA and AOS8 cluster

    Posted Mar 27, 2019 07:54 AM

    Doing some pre-production testing of AOS8 and thought I'd have a play with the cluster COA VIP functionality. I've already tested failover between controllers so I know how well that works.

     

    To test COA after a failover my thinking was to reboot the UAC, then try issuing a COA from Clearpass. However, it looks like the controller terminated the authentication session as it went down. So although I flipped across to the other controller and remained connected, Clearpass thinks the session has ended, so I can't issue a COA.

    After a short time Clearpass receives some accounting data from the second controller.  The accounting tab then shows the user session as active again, but the summary tab shows the user is offline. Eventually the online status becomes "not available". By this stage the original UAC is back online. I can then issue a COA, which gets no response from the network device - which makes sense because that VIP is back with the controller that no longer has that user.

     

    This would appear not to be the expected behaviour, given all the thought that's gone into setting up the COA VIP, so the question is: have I got something configured incorrectly?



  • 2.  RE: COA and AOS8 cluster

    EMPLOYEE
    Posted Mar 27, 2019 08:14 AM
    The NAS-IP needs to be configured to be the VIP in order for Dynamic Authorization to work in a cluster.


  • 3.  RE: COA and AOS8 cluster

    Posted Mar 27, 2019 10:37 AM

    Is that the setting within each radius server entry?



  • 4.  RE: COA and AOS8 cluster

    Posted Mar 27, 2019 10:50 AM

    You need to configure a VRRP IP for each node in the Cluster Profile.

    [Attached image: 2019-03-27 10_39_13-192.168.1.142 - Tera Term VT.png]

    Need to add the controller mgmt IPs and VRRPs in ClearPass.

    [Attached image: 2019-03-27 10_43_24-ClearPass Policy Manager - Aruba Networks.png]

    [Attached image: 2019-03-27 10_44_26-Configuration.png]



  • 5.  RE: COA and AOS8 cluster

    EMPLOYEE
    Posted Mar 27, 2019 10:51 AM
    Yes, or it can be overridden on the advanced tab for the whole controller.


  • 6.  RE: COA and AOS8 cluster

    Posted Mar 27, 2019 11:08 AM

    Ok, now I'm confused... Should the radius client address be the VIP or the 'real' address?



  • 7.  RE: COA and AOS8 cluster

    EMPLOYEE
    Posted Mar 27, 2019 11:26 AM
    The NAS-IP should be the VIP.


  • 8.  RE: COA and AOS8 cluster

    Posted Mar 28, 2019 10:04 AM

    [Attached image: cppm_terminate.png]

    Turns out I'd also missed something else quite important too (hadn't assigned the RFC 3576 servers to the AAA profile). However, it still doesn't work. I see the same behaviour in Clearpass. As soon as I reboot the UAC it sends a RADIUS termination to Clearpass, so COA is then no longer available.

     

    I've tested two scenarios. Rudely disconnecting the UAC and rebooting it. Rebooting is as above.

    If I just disconnect it (down the switch ports) everything works perfectly. My user session fails across to the other controller, and that controller takes the COA VIP, and a COA from Clearpass works. Hopefully the most likely scenario for a controller going down is a planned reboot for upgrade etc. In this scenario things don't currently work for me.



  • 9.  RE: COA and AOS8 cluster

    Posted May 21, 2019 08:53 AM

    Just want to confirm that in the above controller's advanced RADIUS section the IPs used in the example are the management IP and not the VRRP. The example shows 192.168.1.141 for the RADIUS Client.

     

    Thanks

     

    Chris



  • 10.  RE: COA and AOS8 cluster

    Posted May 21, 2019 11:54 AM
    Please use the cluster VRRP IP address



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile
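
As an added illustration of the points in replies 2, 7 and 8 (not code from any poster or from the vendor): a Python check that replays captured RADIUS accounting packets and reports, per session, whether the NAS-IP-Address is a cluster VIP and whether an accounting Stop has already closed the session. The addresses, session IDs and function names are constructed for the example; only the RADIUS header layout and attribute numbers are standard.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code, RFC 2866
NAS_IP, ACCT_STATUS, ACCT_SESSION = 4, 40, 44  # attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_acct(ident, nas_ip, status, session_id):
    """Build a constructed Accounting-Request (zeroed authenticator, sample data only)."""
    attrs = [(NAS_IP, ipaddress.ip_address(nas_ip).packed),
             (ACCT_STATUS, struct.pack("!I", status)), (ACCT_SESSION, session_id.encode())]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), b"") + body

def parse_attrs(packet):
    """Return (code, {type: value}); reject truncated headers and bad TLV lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, attrs

def coa_readiness(packets, cluster_vips):
    """Replay accounting in order; return {session: (NAS-IP, last status, verdict)}."""
    vips = {ipaddress.ip_address(v) for v in cluster_vips}
    sessions = {}
    for pkt in packets:
        code, a = parse_attrs(pkt)
        if (code != ACCOUNTING_REQUEST or ACCT_SESSION not in a
                or len(a.get(NAS_IP, b"")) != 4 or len(a.get(ACCT_STATUS, b"")) != 4):
            continue  # not an accounting record this check can reason about
        nas = ipaddress.ip_address(a[NAS_IP])
        status = STATUS.get(struct.unpack("!I", a[ACCT_STATUS])[0], "Other")
        verdict = "stopped" if status == "Stop" else "ok" if nas in vips else "NAS-IP not a VIP"
        sessions[a[ACCT_SESSION].decode(errors="replace")] = (str(nas), status, verdict)
    return sessions

def demo():
    """Constructed capture: mgmt IP 192.0.2.141, cluster VIP 192.0.2.241 (both made up)."""
    capture = [build_acct(1, "192.0.2.141", 1, "S1"), build_acct(2, "192.0.2.241", 1, "S2"),
               build_acct(3, "192.0.2.241", 1, "S3"), build_acct(4, "192.0.2.241", 2, "S3")]
    return coa_readiness(capture, ["192.0.2.241"])
```

In the constructed capture, session S1 is flagged because its NAS-IP is a controller management address, and S3 is flagged because a Stop arrived after its Start, which is the state reply 8 describes after a controller reboot.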