  • 1.  Custom RADIUS dictionary

    Posted Apr 23, 2025 10:50 AM

    Having some issues sending CoA disconnects to Cambium APs managed by a cnMaestro cloud controller, from ClearPass. 

    Cambium is not natively configured within ClearPass, so I have been using IETF as a vendor when the devices are added. This is returned under the access tracker 'change status' option when attempting to submit the CoA manually. 

    (Screenshot: the error returned under Access Tracker > Change Status)

    I have since added Cambium to the RADIUS dictionary using the following XML and added it under vendor for the Cambium AP mgmt subnet under devices in ClearPass (I had to add some Cambium VSAs to the code, otherwise it would not add correctly, even though I will not be using the Cambium VSAs when it comes to the CoA).

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Wed Apr 23 15:05:32 BST 2025" version="6.11"/>
      <Dictionaries>
        <Vendor vendorEnabled="true" prefix="Cambium" name="Radius:Cambium" id="17713">
          <RadiusAttributes>
            <Attribute profile="in out" type="String" name="Cambium-VLAN-PoolID" id="157"/>
          </RadiusAttributes>
        </Vendor>
      </Dictionaries>
    </TipsContents>

    However, the Cambium documentation states the following attributes need to be sent when applying a CoA, which I have created and applied as an enforcement - but these are all RADIUS:IETF attributes. What's the correlation between the vendor set in devices and the RADIUS attributes which are actually being used in the enforcement? If the attributes used within the enforcement are applicable to the device, I should be able to apply them manually in access tracker? 



  • 2.  RE: Custom RADIUS dictionary

    Posted Apr 24, 2025 10:17 AM

    When you set the Vendor under Network Device the relevant CoA options for that device are filtered based on that Vendor. For instance, set the device to Aruba and you'll see the Aruba CoA profiles as options when attempting a manual CoA operation.

    The CoA profile doesn't have to have anything vendor specific in the definition other than the Vendor ID, all of the attributes can be from IETF.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Custom RADIUS dictionary

    Posted May 01, 2025 07:18 AM

    Thanks @chulcher.

    Even after adding Cambium as a custom entry into the ClearPass RADIUS dictionary, using the XML above, and applying it to the device IP address as the vendor in Config > Network > Devices, I'm still getting the error on the access tracker when attempting to use a dynamic auth'z manually. The enforcement profiles stated in the Cambium documentation are in use, which use standard RADIUS:IETF attributes.

    So either the correct enforcement is being applied and Cambium should be able to acknowledge the attributes used in the enforcement, or ClearPass cannot send the CoA/disconnect as it still doesn't recognise 'Cambium' as a vendor in order to send the CoA/disconnect in the first place.

    Any ideas? 




  • 4.  RE: Custom RADIUS dictionary

    Posted May 01, 2025 10:24 AM

    Set the device vendor to IETF and use the standard IETF disconnect, if that works, but the only way to get a DynAuth action to show in the Access Tracker is to get the Vendor assigned to the network device and the DynAuth profile to match.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Custom RADIUS dictionary

    Posted May 01, 2025 11:40 AM

    @chulcher thanks, however, I have already attempted this with the same result. Using IETF as the vendor name for the device and using the system defined enforcement profile [ArubaOS Wireless - Terminate Session] which uses a RADIUS:IETF attribute: 

    Radius:IETF Calling-Station-Id = %{Radius:IETF:Calling-Station-Id}

    Unless you're referring to something else? Also tried using IETF as the vendor name and one of the custom Cambium enforcements (recommended in their documentation), which also didn't work. All of which use standard RADIUS:IETF attributes. 




  • 6.  RE: Custom RADIUS dictionary

    Posted May 01, 2025 11:57 AM

    Export the network device and the DynAuth template to XML, what vendor ID is configured on each?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Custom RADIUS dictionary

    Posted May 02, 2025 09:06 AM

    @chulcher 

    When exporting the device the .xml output contains vendorName="Cambium" - there's no actual reference to the Vendor ID. 

    Then within the enforcement profile the .xml output is shown below. Which contains the output vendorId="14823". I guess this will have to change... is it a simple case of editing the vendor ID within this enforcement and replacing it with the Cambium vendor ID, then importing it back into ClearPass? 

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Fri May 02 13:45:40 BST 2025" version="6.11"/>
      <RadiusCoAEnfProfiles>
        <RadiusCoAEnfProfile description="" name="Cambium - CoA via AP" action="Disconnect" template="Terminate-Session-Aruba">
          <AttributeList>
            <Attribute displayValue="%{Radius:IETF:User-Name}" value="%{Radius:IETF:User-Name}" name="User-Name" type="Radius:IETF"/>
            <Attribute displayValue="%{Radius:IETF:Calling-Station-Id}" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
            <Attribute displayValue="%{Radius:IETF:NAS-Identifier}" value="%{Radius:IETF:NAS-Identifier}" name="NAS-Identifier" type="Radius:IETF"/>
          </AttributeList>
        </RadiusCoAEnfProfile>
      </RadiusCoAEnfProfiles>
      <TagDictionaries>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="simultaneous_use" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="do_expire" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="expire_postlogin" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="Visitor Name" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="expired_notify_status" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="remote_addr" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="sponsor_profile_name" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="source" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="Create Time" entityName="GuestUser"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_roles" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_groups" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_group_emails" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_@odata.context" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_userPrincipalName" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="social_accountEnabled" entityName="Endpoint"/>
        <TagDictionary allowMultiple="false" mandatory="false" dataType="String" attributeName="expire_usage" entityName="GuestUser"/>
      </TagDictionaries>
      <RadiusCOATemplates>
        <RadiusCOATemplate vendorId="14823" templateType="Disconnect" displayName="ArubaOS Wireless - Terminate Session" name="Terminate-Session-Aruba">
          <AttributeList>
            <Attribute inputRequired="Not_Required" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
          </AttributeList>
        </RadiusCOATemplate>
      </RadiusCOATemplates>
    </TipsContents>




  • 8.  RE: Custom RADIUS dictionary

    Posted May 02, 2025 10:03 AM

    Right, that requires another view to get to.

    If you're creating a DynAuth template for Cambium, first export an existing DynAuth template of the same type (disconnect or CoA) and then modify the contents to match everything Cambium, including the vendor ID. You can then use that template as the basis for creating an enforcement profile.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Custom RADIUS dictionary

    Posted May 02, 2025 10:28 AM

    @chulcher Ah, yes, I see what you mean. I will do that and do some testing. Thank you. 




  • 10.  RE: Custom RADIUS dictionary

    Posted May 02, 2025 10:34 AM

    Slight clarification for completeness, export the template, modify for the proper vendor, import that template as a new DynAuth template, then create an enforcement profile with that template specified.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
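
    The export, modify, import procedure described in the last few replies, as an added example that is not code from the thread or from HPE Aruba: a Python script that resolves the vendorName carried in a network-device export to the numeric id in the dictionary export, lists which DynAuth templates in an enforcement-profile export carry a different vendorId (and so will not be offered for that device in Access Tracker), and writes a new template document with the vendorId, name and displayName changed. The sample inputs are the thread's own exports trimmed to the relevant elements. It assumes ClearPass accepts a TipsContents import containing only the TipsHeader and a RadiusCOATemplates element (the export shown above, minus the RadiusCoAEnfProfiles and TagDictionaries); the new template and display names are arbitrary choices.

```python
import copy
import xml.etree.ElementTree as ET

# ClearPass TipsContents namespace, taken from the exports in the thread.
NS = "http://www.avendasys.com/tipsapiDefs/1.0"
ET.register_namespace("", NS)  # serialize with a default namespace, as ClearPass exports do


def q(tag):
    """Namespace-qualify a TipsContents element name for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


# Sample inputs: the thread's dictionary and enforcement-profile exports, trimmed.
DICTIONARY_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Wed Apr 23 15:05:32 BST 2025" version="6.11"/>
  <Dictionaries>
    <Vendor vendorEnabled="true" prefix="Cambium" name="Radius:Cambium" id="17713">
      <RadiusAttributes>
        <Attribute profile="in out" type="String" name="Cambium-VLAN-PoolID" id="157"/>
      </RadiusAttributes>
    </Vendor>
  </Dictionaries>
</TipsContents>"""

ENFORCEMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Fri May 02 13:45:40 BST 2025" version="6.11"/>
  <RadiusCoAEnfProfiles>
    <RadiusCoAEnfProfile description="" name="Cambium - CoA via AP" action="Disconnect" template="Terminate-Session-Aruba">
      <AttributeList>
        <Attribute displayValue="%{Radius:IETF:Calling-Station-Id}" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
      </AttributeList>
    </RadiusCoAEnfProfile>
  </RadiusCoAEnfProfiles>
  <RadiusCOATemplates>
    <RadiusCOATemplate vendorId="14823" templateType="Disconnect" displayName="ArubaOS Wireless - Terminate Session" name="Terminate-Session-Aruba">
      <AttributeList>
        <Attribute inputRequired="Not_Required" value="%{Radius:IETF:Calling-Station-Id}" name="Calling-Station-Id" type="Radius:IETF"/>
      </AttributeList>
    </RadiusCOATemplate>
  </RadiusCOATemplates>
</TipsContents>"""


def _root(xml_text):
    # Parse as bytes so the encoding declaration in the export is honoured.
    return ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)


def dictionary_vendor_id(dict_xml, vendor):
    """Numeric id of <Vendor name="Radius:<vendor>"> in a dictionary export.

    The network-device export only carries vendorName, so this lookup is the
    join between the device's vendor and a template's vendorId."""
    for v in _root(dict_xml).iter(q("Vendor")):
        if v.get("name") == "Radius:" + vendor:
            return v.get("id")
    raise KeyError("vendor %r is not in the dictionary export" % vendor)


def template_vendor_ids(enf_xml):
    """{template name: vendorId} for every DynAuth template in an export."""
    return {t.get("name"): t.get("vendorId") for t in _root(enf_xml).iter(q("RadiusCOATemplate"))}


def mismatched_templates(dict_xml, device_vendor, enf_xml):
    """Templates whose vendorId differs from the device's vendor id; Access Tracker
    filters these out for devices of that vendor, which is the symptom in the thread."""
    want = dictionary_vendor_id(dict_xml, device_vendor)
    return sorted(name for name, vid in template_vendor_ids(enf_xml).items() if vid != want)


def retarget_template(enf_xml, source_name, vendor_id, new_name, display_name):
    """Copy one exported DynAuth template with vendorId/name/displayName changed and
    return a TipsContents document holding only that template (header kept), to be
    imported as a new template; enforcement profiles and TagDictionaries are dropped."""
    root = _root(enf_xml)
    src = next((t for t in root.iter(q("RadiusCOATemplate")) if t.get("name") == source_name), None)
    if src is None:
        raise KeyError("template %r not found in export" % source_name)
    tmpl = copy.deepcopy(src)
    tmpl.set("vendorId", str(vendor_id))
    tmpl.set("name", new_name)
    tmpl.set("displayName", display_name)
    out = ET.Element(q("TipsContents"))
    header = root.find(q("TipsHeader"))
    if header is not None:
        out.append(copy.deepcopy(header))
    ET.SubElement(out, q("RadiusCOATemplates")).append(tmpl)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(out, space="  ")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    print("templates not matching Cambium devices:", mismatched_templates(DICTIONARY_XML, "Cambium", ENFORCEMENT_XML))
    print(retarget_template(ENFORCEMENT_XML, "Terminate-Session-Aruba",
                            dictionary_vendor_id(DICTIONARY_XML, "Cambium"),
                            "Terminate-Session-Cambium", "Cambium - Terminate Session"))
```

    After importing the generated file as a new DynAuth template, create the enforcement profile against that template rather than re-importing the old profile with an edited vendorId; the profile's `template` attribute must name the new template, which is what the last reply above is getting at.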