Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnGuard health check service not completing CoA

  • 1.  OnGuard health check service not completing CoA

    Posted Mar 11, 2020 06:22 PM

    We are testing the OnGuard persistent agent for the first time with CPPM v6.8 and an Aruba 2930 wired switch only. We have a test laptop (with the PA installed) connected to the switch. The user authenticates the first time via the 802.1X service with a posture of UNKNOWN and successfully gets moved to a quarantine VLAN. Then the agent runs the health check successfully and gets a healthy status (token), and Access Tracker shows the profile with attribute [ArubaOS Switching - Terminate Session] is sent as part of the output along with the healthy token. However, the CoA does not happen and the switch shows the user stays in the quarantine VLAN. Also, the 802.1X service is never hit a second time, meaning the re-auth never happens (according to Access Tracker).

    Note: We have double-checked and verified:

    - UDP 3799 is allowed fully in both directions
    - The CPPM NAD dyn-auth for this switch is enabled with port 3799
    - The switch has this config:

      radius-server host x.x.x.x key <key>
      radius-server host x.x.x.x dyn-authorization
      radius-server host x.x.x.x time-window 0
      radius-server tracking interval 60
      aaa server-group radius "CPPM" host x.x.x.x
      aaa port-access gvrp-vlans
      aaa authentication port-access eap-radius

      ...and all the needed port-access commands

    - On the CPPM NAD entry, we have also tried using both 'Aruba' and 'HPE' as the vendor and get the same result (does it matter for a 2930F?)

    Why is the RADIUS CoA not terminating the session? Why is the 802.1X re-auth not happening?

     



  • 2.  RE: OnGuard health check service not completing CoA

    EMPLOYEE
    Posted Mar 12, 2020 05:27 AM

    I'd suggest approaching this step by step.

    Does a manual CoA work (Change Status) in Access Tracker?

    Do you see the RADIUS CoA tab on the original authentication? Does it show a successful CoA?

    If it works fine manually, do you see the RADIUS CoA tab in the original authentication after the OnGuard WebAuth triggered the CoA?
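One more check that fits the step-by-step approach in the reply above is to take ClearPass out of the picture and send a RADIUS Disconnect-Request to the switch yourself. The script below is an added example, not code from this thread or from HPE Aruba Networking; it builds an RFC 5176 Disconnect-Request with the Python standard library, sends it to the switch's dynamic-authorization port, and authenticates the reply (the Response Authenticator is checked, so a reply signed with the wrong shared secret is rejected rather than trusted). The switch address, shared secret and session attributes are placeholders; which session-identification attributes a given NAS matches on, and whether it insists on a Message-Authenticator, is NAS-specific, so those choices are assumptions as well. `build_response` models the switch's side of the exchange so the ACK/NAK handling can be exercised offline.

```python
"""Send an RFC 5176 RADIUS Disconnect-Request to a NAS and authenticate the reply (stdlib only)."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
CODE_NAMES = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}
# IETF attribute types used here (RFC 2865, RFC 2866, RFC 3579, RFC 5176)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
NAS_IDENTIFIER, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 32, 44, 80, 101
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",   # RFC 5176 section 3.5
                403: "NAS Identification Mismatch", 404: "Invalid Request",
                501: "Administratively Prohibited", 503: "Session Context Not Found"}

def attr(atype, value):
    """Encode one attribute as Type/Length/Value; str is UTF-8, int is a 32-bit integer."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator

def build_request(secret, ident, attrs, code=DISCONNECT_REQUEST, sign=True):
    """Disconnect-Request / CoA-Request per RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + attributes + secret). With sign=True a
    Message-Authenticator (HMAC-MD5, RFC 3579) is appended first, computed over the packet
    with the authenticator field and its own value zeroed."""
    body = b"".join(attrs)
    if sign:
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body)
    zero_hdr = _header(code, ident, length, b"\x00" * 16)
    if sign:
        mac = hmac.new(secret.encode(), zero_hdr + body, hashlib.md5).digest()
        body = body[:-16] + mac
    request_auth = hashlib.md5(zero_hdr + body + secret.encode()).digest()
    return _header(code, ident, length, request_auth) + body

def parse(packet):
    """Split a RADIUS packet into (code, ident, authenticator, {type: [value, ...]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs

def build_response(secret, request, code, attrs=()):
    """The NAS side, used to model the switch's ACK/NAK: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + attributes + secret)."""
    _, ident, request_auth, _ = parse(request)
    body = b"".join(attrs)
    length = 20 + len(body)
    resp_auth = hashlib.md5(_header(code, ident, length, request_auth) + body + secret.encode()).digest()
    return _header(code, ident, length, resp_auth) + body

def check_response(secret, request, response):
    """Authenticate a reply to `request`; return (code name, Error-Cause text or None).
    Raises ValueError on an identifier mismatch or a bad Response Authenticator, which is
    what a forged reply, or one computed with a different shared secret, looks like."""
    _, req_ident, request_auth, _ = parse(request)
    code, ident, resp_auth, attrs = parse(response)
    if ident != req_ident:
        raise ValueError("identifier mismatch: not a reply to this request")
    expected = hashlib.md5(_header(code, ident, len(response), request_auth)
                           + response[20:] + secret.encode()).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    cause = None
    if ERROR_CAUSE in attrs:
        value = struct.unpack("!I", attrs[ERROR_CAUSE][0])[0]
        cause = ERROR_CAUSES.get(value, "Error-Cause %d" % value)
    return CODE_NAMES.get(code, "code %d" % code), cause

def send_disconnect(nas_ip, secret, session_attrs, port=3799, timeout=3.0):
    """Send one Disconnect-Request to the NAS dynamic-authorization port and check the reply.
    socket.timeout means no reply at all: port blocked, dyn-authorization off, or the NAS
    silently discarded the request, as RFC 5176 requires for a bad Request Authenticator."""
    request = build_request(secret, 1, session_attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(secret, request, reply)

if __name__ == "__main__":
    # Hypothetical lab values (assumption): switch IP, shared secret, and the session identity
    # as it appeared in the original 802.1X Access-Request.
    print(send_disconnect("192.0.2.10", "s3cret", [
        attr(USER_NAME, "lab-user"),
        attr(CALLING_STATION_ID, "00-0e-c6-6a-c9-d3"),
        attr(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    ]))
```

Reading the result: a Disconnect-ACK proves reachability, the shared secret and the session match all at once. A Disconnect-NAK with Error-Cause 503 (Session Context Not Found) means the switch accepted and authenticated the request but found no session matching the attributes you sent, so the identity used to build the CoA is wrong, not the transport. A timeout is the case RFC 5176 leaves silent: a filtered UDP 3799, dynamic authorization not enabled on the switch, or a bad Request Authenticator, which the NAS must drop without answering.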



  • 3.  RE: OnGuard health check service not completing CoA

    Posted May 25, 2022 08:52 AM
    Hello Hermann,

    I have the same issue. My setup is a bit different though. My switch is an Aruba CX 6100. I can see from Access Tracker that a CoA Bounce Switchport is triggered. Thus it cannot be done, because some information seems to be missing. In the log I have the following output:
    "
    Request log details for session: W000018f3-01-628b9070
    Time Message
    2022-05-23 15:47:28,546 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99469 h=223 r=W000018f3-01-628b9070] INFO Core.ServiceReqHandler - Service classification result = hum-OnGuard wired Service
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 000ec66ac9d3
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO Common.TagDefinitionCacheTable - No TagDefCacheMap could be found for instance id = 0 entity id = 29
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 r=psauto-1634809459-99470 h=239 r=W000018f3-01-628b9070] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_SOAP_WEBAUTH Started ***
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2022-05-23 15:47:28,553 [RequestHandler-1-0x7f44be5f2700 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 h=750410 c=W000018f3-01-628b9070] INFO Core.PETaskRoleMapping - Roles:
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskIntPosture **
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 h=750412 c=W000018f3-01-628b9070] INFO verifiers.PostureVerifierUtil - checkVersionAtLeast: Version format is empty. Comparing versions without format.
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 h=750412 c=W000018f3-01-628b9070] INFO verifiers.PatchAgent - processHealthClassInfo: : Windows Update Agent missingPatches is false.
    2022-05-23 15:47:28,554 [RequestHandler-1-0x7f44be5f2700 h=750412 c=W000018f3-01-628b9070] INFO verifiers.PatchAgent - processHealthClassInfo: : Windows Update Agent reported number of missing patches on client - 0
    2022-05-23 15:47:28,555 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskIntPosture **
    2022-05-23 15:47:28,555 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskPosture **
    2022-05-23 15:47:28,556 [RequestHandler-1-0x7f44be5f2700 h=750413 c=W000018f3-01-628b9070] INFO Core.PolicyResCollector - updateSpt: SPT set to: HEALTHY force=0
    2022-05-23 15:47:28,556 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskPosture **
    2022-05-23 15:47:28,556 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 h=750415 c=W000018f3-01-628b9070] INFO Core.PETaskEnforcement - EnfProfiles: AOS-CX - Bounce Switch Port]
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskSnmpEnforcement **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskAgentEnfProfileBuilder **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
    2022-05-23 15:47:28,557 [RequestHandler-1-0x7f44be5f2700 h=750421 c=W000018f3-01-628b9070] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskAgentEnfProfileBuilder **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskSnmpEnforcement **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 h=750422 c=W000018f3-01-628b9070] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
    2022-05-23 15:47:28,558 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] INFO Core.PETaskRadiusCoAEnfProfileBuilder - Radius_CoA enfProfiles used: AOS-CX - Bounce Switch Port]
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] INFO Core.PETaskRadiusCoAEnfProfileBuilder - UnknownAutzParams to fetch for RadiusCoAEnfProfiles: :
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] INFO Core.PETaskRadiusCoAEnfProfileBuilder - UnknownNAutzParams to fetch for RadiusCoAEnfProfiles: : Radius:IETF:Calling-Station-Id, Radius:IETF:Event-Timestamp, Radius:IETF:NAS-Identifier, Radius:IETF:NAS-Port, Radius:IETF:User-Name
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Port}, error=No values for param=Radius:IETF:NAS-Port
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Port value = %{Radius:IETF:NAS-Port}. Searching attributes from battery
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Identifier}, error=No values for param=Radius:IETF:NAS-Identifier
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:NAS-Identifier value = %{Radius:IETF:NAS-Identifier}. Searching attributes from battery
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:User-Name}, error=No values for param=Radius:IETF:User-Name
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:User-Name value = %{Radius:IETF:User-Name}. Searching attributes from battery
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Event-Timestamp}, error=No values for param=Radius:IETF:Event-Timestamp
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750418 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Event-Timestamp value = %{Radius:IETF:Event-Timestamp}. Searching attributes from battery
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750420 c=W000018f3-01-628b9070] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2022-05-23 15:47:28,559 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
    2022-05-23 15:47:28,560 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
    2022-05-23 15:47:28,560 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
    2022-05-23 15:47:28,560 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2022-05-23 15:47:28,560 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
    2022-05-23 15:47:28,564 [RequestHandler-1-0x7f44be5f2700 h=750424 c=W000018f3-01-628b9070] WARN IAT.NapIOAttrHolder - getSohrForOutput: Skip unknown appId=65535
    2022-05-23 15:47:28,564 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
    2022-05-23 15:47:28,564 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2022-05-23 15:47:28,564 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
    2022-05-23 15:47:28,564 [RequestHandler-1-0x7f44be5f2700 r=W000018f3-01-628b9070 h=750408 c=W000018f3-01-628b9070] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_SOAP_WEBAUTH Completed ***
    2022-05-23 15:47:33,561 [HttpModule-ThreadPool-31-0x7f44eabf5700 r=W000018f3-01-628b9070 h=157] ERROR Http.HttpSession - execute: post::<easy_perform>, (error=28) Timeout was reached
    2022-05-23 15:47:33,561 [HttpModule-ThreadPool-31-0x7f44eabf5700 r=W000018f3-01-628b9070 h=157] ERROR BaseExtSvr.ExtSvrSession - Unable to get next handle from manager with name=CnCService
    "
    ClearPass does not seem to know where the client is connected.
    The RADIUS connection is working fine for 802.1X and I enabled dynamic authorization.
    Do you have an idea what I did wrong? In general: where does the OnGuard authentication get the NAS information from? As far as I understand the process, the WebAuth is done by the OnGuard application. But ClearPass needs to know which port on which switch it needs to bounce to trigger a re-authentication. Where does the application and/or ClearPass get that information?

    Regards

    Bernd

    ------------------------------
    Bernd Borowski
    ------------------------------
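The log in the post above is long, and the lines that matter (the enforcement profile that was selected, the `%{...}` parameters the CoA profile builder could not resolve, the input reported as not found, and the ERROR lines at the end) are scattered through it. The script below is an added example, not part of the thread and not ClearPass tooling; it scans a request log exported from Access Tracker and pulls those findings out, which makes the same triage repeatable across many sessions. The sample log is constructed from an abridged copy of the lines quoted in the post, with the bracketed context fields shortened and the messages kept verbatim.

```python
"""Triage a ClearPass request log for a RADIUS CoA enforcement that could not be built."""
import re

# Constructed sample: abridged from the log quoted in the post (context fields shortened).
SAMPLE_LOG = """\
2022-05-23 15:47:28,546 [RequestHandler-1 r=psauto-1634809459-99469 h=223 r=W000018f3-01-628b9070] INFO Core.ServiceReqHandler - Service classification result = hum-OnGuard wired Service
2022-05-23 15:47:28,553 [RequestHandler-1 r=W000018f3-01-628b9070] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
2022-05-23 15:47:28,557 [RequestHandler-1 c=W000018f3-01-628b9070] INFO Core.PETaskEnforcement - EnfProfiles: AOS-CX - Bounce Switch Port]
2022-05-23 15:47:28,558 [RequestHandler-1 c=W000018f3-01-628b9070] INFO Core.PETaskRadiusCoAEnfProfileBuilder - Radius_CoA enfProfiles used: AOS-CX - Bounce Switch Port]
2022-05-23 15:47:28,559 [RequestHandler-1 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
2022-05-23 15:47:28,559 [RequestHandler-1 c=W000018f3-01-628b9070] WARN Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
2022-05-23 15:47:28,559 [RequestHandler-1 c=W000018f3-01-628b9070] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:NAS-Port}, error=No values for param=Radius:IETF:NAS-Port
2022-05-23 15:47:33,561 [HttpModule-ThreadPool-31 r=W000018f3-01-628b9070 h=157] ERROR Http.HttpSession - execute: post::<easy_perform>, (error=28) Timeout was reached
2022-05-23 15:47:33,561 [HttpModule-ThreadPool-31 r=W000018f3-01-628b9070 h=157] ERROR BaseExtSvr.ExtSvrSession - Unable to get next handle from manager with name=CnCService
"""

# One log line: timestamp [context] LEVEL source - message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \[(?P<ctx>[^\]]*)\] "
                     r"(?P<level>[A-Z]+) (?P<src>\S+) - (?P<msg>.*)$")
SESSION_RE = re.compile(r"\b[rc]=([RW][0-9a-f]+-\d+-[0-9a-f]+)")   # Access Tracker request ID
SERVICE_RE = re.compile(r"Service classification result = (.*)$")
PROFILE_RE = re.compile(r"[Ee]nfProfiles(?: used)?: (.*?)\]?$")     # tolerate the stray ']'
UNRESOLVED_RE = re.compile(r"Failed to replace parameString =%\{([^}]+)\}")
NOT_FOUND_RE = re.compile(r"^\w+: (\S+) is not found$")

def _add(lst, item):
    """Append without duplicates, keeping first-seen order."""
    if item not in lst:
        lst.append(item)

def triage(log_text):
    """Return the session ID, service, CoA profiles, unresolved profile parameters,
    inputs reported as not found, and ERROR lines found in `log_text`."""
    result = {"session": None, "service": None, "profiles": [],
              "unresolved_params": [], "missing_inputs": [], "errors": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a log line (blank, quote marks, header)
        ctx, level, src, msg = m.group("ctx", "level", "src", "msg")
        s = SESSION_RE.search(ctx)
        if s and result["session"] is None:
            result["session"] = s.group(1)
        for regex, key in ((PROFILE_RE, "profiles"), (UNRESOLVED_RE, "unresolved_params"),
                           (NOT_FOUND_RE, "missing_inputs")):
            hit = regex.search(msg)
            if hit:
                _add(result[key], hit.group(1))
        svc = SERVICE_RE.search(msg)
        if svc:
            result["service"] = svc.group(1)
        if level == "ERROR":
            result["errors"].append("%s - %s" % (src, msg))
    return result

def summary(result):
    """Render the triage as one finding per line."""
    lines = ["Session %s (%s)" % (result["session"], result["service"])]
    for prof in result["profiles"]:
        lines.append("RADIUS CoA enforcement profile selected: " + prof)
    if result["unresolved_params"]:
        lines.append("Profile parameters with no value in this request: "
                     + ", ".join(result["unresolved_params"]))
    if result["missing_inputs"]:
        lines.append("Inputs reported as not found: " + ", ".join(result["missing_inputs"]))
    lines.extend("ERROR " + e for e in result["errors"])
    return lines

if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

Run against a saved request log instead of the sample by passing the file contents to `triage`. The parameters listed under "no value in this request" are the RADIUS attributes the CoA profile is parameterised on, so the list tells you directly which attributes of the original session the WebAuth request did not carry.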