  • 1.  CPPM 6.12.5 not sending CoA-Disconnect messages even though Access Tracker shows the message was created

    Posted Sep 18, 2025 10:21 AM

    I have an enforcement profile that is supposed to send an RFC3576 Disconnect-Request:

    The Access Tracker shows that it processed the profile and generated the request:

    And the Access Tracker log shows no problems generating the message and shows this:

    2025-09-18 08:09:28,348    [RequestHandler-1-0x7ff6453e9700 h=345 c=W00000001-01-68cbf677] DEBUG Core.PETaskRadiusCoAEnfProfileBuilder - sendRadiusCoAResponse: Sending CoAEnfRequest={"content":{"cnc_actions":{"display_name":"Terminate Session - Custom","id":1,"name":"Meraki-Terminate-Session","params":{"name":"Calling-Station-Id","value":"B8-31-B5-87-2D-2D"},{"name":"Acct-Session-Id","value":"09CC655335FEE694"},{"name":"Event-Timestamp","value":"1758197368"},{"name":"NAS-IP-Address","value":"10.28.128.209"}],"type":"RADIUS"}],"mac_address":"b831b5872d2d"},"id":"R00000000-01-68cbf653","name":"cnc_request"}

    2025-09-18 08:09:28,348    [RequestHandler-1-0x7ff6453e9700 h=345 c=W00000001-01-68cbf677] DEBUG Core.PETaskRadiusCoAEnfProfileBuilder - sendRadiusCoAResponse: Done sending the CoAEnfRequest

    But a packet trace on ClearPass shows no evidence that the CoA-Disconnect message was sent.

    Has anyone else seen this issue and found a solution?

    I found similar issues in other forum posts, but no solution was mentioned.

    Is there a low-level log on CPPM that might indicate why it didn't send the packet after building it?

    Thanks in advance for any advice.



    -------------------------------------------


  • 2.  RE: CPPM 6.12.5 not sending CoA-Disconnect messages even though Access Tracker shows the message was created

    Posted Sep 18, 2025 10:36 AM
    Edited by jonas.hammarback Sep 18, 2025 10:36 AM

    If you, just for the test, change to one of the built-in Dynamic authorization profiles, do you get the same behavior or is it just with this profile?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: CPPM 6.12.5 not sending CoA-Disconnect messages even though Access Tracker shows the message was created

    Posted Sep 18, 2025 01:44 PM

    What does the XML for that DynAuth profile look like?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 4.  RE: CPPM 6.12.5 not sending CoA-Disconnect messages even though Access Tracker shows the message was created
    Best Answer

    Posted Sep 19, 2025 08:58 AM

    Thanks for all the replies!

    As it turns out, for some as-yet unknown reason, removing the custom profile I created and using the [Cisco - Reauthenticate-Session] profile instead allows it to work.  I don't understand it, but I'll take the win and hope for clearer understanding in the future.

    -------------------------------------------



  • 5.  RE: CPPM 6.12.5 not sending CoA-Disconnect messages even though Access Tracker shows the message was created

    Posted Sep 19, 2025 10:15 AM

    The most likely reason is a mismatch in the vendor ID, which is why I'd asked you to share the XML.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------