Wired Intelligent Edge

 View Only
last person joined: 2 days ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Aruba CX CoA Invalid client address

This thread has been viewed 29 times

  • 1.  Aruba CX CoA Invalid client address

    Posted Jun 02, 2022 10:57 PM
    Hello,

    I am trying to use an Aruba CX switch (v 10.09) with ClearPass to test CoA. The switch is correctly added to ClearPass and radius authentications are working fine. for CoA, I have ClearPass defined as a dyn-authorization client with the correct key and replay-protection disabled (because the time on the switch is incorrect). 
    For some reason, CoA is not working. I am trying to manually trigger it from the access tracker and using the AOS-CX Bounce port or AOS-CX Disconnect actions. In both cases, ClearPass will show that the CoA failed for client xxxxxxxxxxxx and on the switch side, I see a high number of "Invalid Client Address in CoA Requests" and "Invalid Client Address in Disconnect Requests"

    Does anyone know what "Invalid Client Address in Disconnect Requests" means and what could be the root cause?
    Also, what is the best way to debug those messages on the switch?

    Thanks for helping out

    ------------------------------
    Othmane Douiri
    ------------------------------


  • 2.  RE: Aruba CX CoA Invalid client address

    EMPLOYEE
    Posted Jun 04, 2022 08:49 PM

    are you using mgmt VRF for dyn-authorization  on the CX switch?
    what is the IP address of the CX switch that is configured as NAD on ClearPass ? and what is  the IP address of "Access Device" that shows in access tracker



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------

    Original Message


  • 3.  RE: Aruba CX CoA Invalid client address

    Posted Jun 28, 2022 11:36 AM
    Verify if the configuration in switch is correct. To enable radius dyn authorization in switch for the clearpass server -

    radius dyn-authorization enable
    radius dyn-authorization client <IP/DNS> vrf <vrf> secret-key plaintext <key>

    ------------------------------
    Shobana Nandakumar
    Technical Marketing Engineer
    Aruba Campus Switching
    ------------------------------

    Original Message


  • 4.  RE: Aruba CX CoA Invalid client address

    Posted Sep 21, 2023 10:26 AM

    Dear Othmane,

    I am not sure if this was fixed. I found similar issue in a SDBRANCH setup. 

    Gateway does a NAT for only the COA request and as the SRC-IP is different the switch thinks the request is from an invalid IP.

    "Invalid client in disconnect request is noticed when the switch receives a COA request from a IP which is not added as a radius dyn-authorization client"

    radius dyn-authorization client <IP/DNS> vrf <vrf> secret-key plaintext <key>

    As a work-around I created an additional configuration with Gateway IP as a radius dyn-authorization client on the switch. 

    In my setup the users are local to the switch and not terminating to the gateway but it still does NAT.

    For troubleshooting I used the below methods:

    1. Collected logs/captures from the CPPM and triggered a change status for the user
    2. Enabled Mirror session for the switch uplink to capture the packets received by the switch
    3. On the Gateway I monitored the session table and could see the SRC-NAT flag in the session table.

    Hope it helps.



    ------------------------------
    Regards,
    Sajin
    ------------------------------

    Original Message