Security

Getting the following errors when attempting a CoA from ClearPass -> Aruba Controller. ClearPass appears to send the disconnect request but no disconnect acknowledgement in response.

When attempting manually – the following appears 'no response from network device'. Attempted multiple Aruba wireless CoA profiles. 

I can see in a pcap that the CoA disconnect appears to be happening but get 'destination unreachable (port unreachable)' between controller and ClearPass. Controller = 192.168.41.245 (MM) and ClearPass = 192.168.41.250. 

I have the RFC 3576 server specified in the AAA profile on the controller:

Here is the RFC 3576 server settings:

I have even created ACLs in the user roles for UDP 3799 permit from controller (MM) and controller (MC) to and from ClearPass.

Vendor name Aruba and port 3799 enabled in ClearPass devices for MM and MC.

Even created a firewall policy on the contoller MM and MC to permit UDP 3799. Not sure why there are hits on the policy, which is slightly confusing considering I'm testing a single client.

I have been through the FW settings numerous times with the customer and it appears that everything is open and permit all is in place. 

Anything obvious missing? 

Try to change the format of the MAC Address - Calling-Station-ID Settings under the AAA configuration in the controller.
I think that the controller does not understand the format without Colon, so when you send a COA, it will return the error you are seeing because that mac does not exist. It is expecting the message to be xx:xx:xx:xx:xx:xx

Maybe this post would be helpful. 

------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.

Original Message:
Sent: May 23, 2025 11:42 AM
From: Adam Newson
Subject: RADIUS CoA ClearPass/ AOS8 controller issues

Getting the following errors when attempting a CoA from ClearPass -> Aruba Controller. ClearPass appears to send the disconnect request but no disconnect acknowledgement in response.

When attempting manually – the following appears 'no response from network device'. Attempted multiple Aruba wireless CoA profiles. 

I can see in a pcap that the CoA disconnect appears to be happening but get 'destination unreachable (port unreachable)' between controller and ClearPass. Controller = 192.168.41.245 (MM) and ClearPass = 192.168.41.250. 

I have the RFC 3576 server specified in the AAA profile on the controller:

Here is the RFC 3576 server settings:

I have even created ACLs in the user roles for UDP 3799 permit from controller (MM) and controller (MC) to and from ClearPass.

Vendor name Aruba and port 3799 enabled in ClearPass devices for MM and MC.

Even created a firewall policy on the contoller MM and MC to permit UDP 3799. Not sure why there are hits on the policy, which is slightly confusing considering I'm testing a single client.

I have been through the FW settings numerous times with the customer and it appears that everything is open and permit all is in place. 

Anything obvious missing? 

@shpat thanks for that. After select the MAC address delimiter to include the colon as suggested above, it doesn't appear to have made a difference. Still 'no response from network device'. Although, the MAC shown below does now appear to include the colon delimiter. Also attempted selecting the lower case option, but I don't think the controller would care about this? Any more thoughts? 

Try to change the format of the MAC Address - Calling-Station-ID Settings under the AAA configuration in the controller.
I think that the controller does not understand the format without Colon, so when you send a COA, it will return the error you are seeing because that mac does not exist. It is expecting the message to be xx:xx:xx:xx:xx:xx

Maybe this post would be helpful. 

------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.

Original Message:
Sent: May 23, 2025 11:42 AM
From: Adam Newson
Subject: RADIUS CoA ClearPass/ AOS8 controller issues

Getting the following errors when attempting a CoA from ClearPass -> Aruba Controller. ClearPass appears to send the disconnect request but no disconnect acknowledgement in response.

When attempting manually – the following appears 'no response from network device'. Attempted multiple Aruba wireless CoA profiles. 

I can see in a pcap that the CoA disconnect appears to be happening but get 'destination unreachable (port unreachable)' between controller and ClearPass. Controller = 192.168.41.245 (MM) and ClearPass = 192.168.41.250. 

I have the RFC 3576 server specified in the AAA profile on the controller:

Here is the RFC 3576 server settings:

I have even created ACLs in the user roles for UDP 3799 permit from controller (MM) and controller (MC) to and from ClearPass.

Vendor name Aruba and port 3799 enabled in ClearPass devices for MM and MC.

Even created a firewall policy on the contoller MM and MC to permit UDP 3799. Not sure why there are hits on the policy, which is slightly confusing considering I'm testing a single client.

I have been through the FW settings numerous times with the customer and it appears that everything is open and permit all is in place. 

Anything obvious missing? 

Just out of curiosity, is the NAS IP on the controller configured with the IP of the controller on the Configuration>Authentication>Advance>RADIUS Client> NAS IPV4?

Also i noticed you said:"...Controller = 192.168.41.245 (MM)" , in Aruba OS 8.x users are Anchored in the Mobility Controllers not on the Mobility Masters. So in this case, you should send a disconnect message to the controller where the User is Anchored. 

@shpat thanks for that. After select the MAC address delimiter to include the colon as suggested above, it doesn't appear to have made a difference. Still 'no response from network device'. Although, the MAC shown below does now appear to include the colon delimiter. Also attempted selecting the lower case option, but I don't think the controller would care about this? Any more thoughts? 

Try to change the format of the MAC Address - Calling-Station-ID Settings under the AAA configuration in the controller.
I think that the controller does not understand the format without Colon, so when you send a COA, it will return the error you are seeing because that mac does not exist. It is expecting the message to be xx:xx:xx:xx:xx:xx

Maybe this post would be helpful. 

------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.

Original Message:
Sent: May 23, 2025 11:42 AM
From: Adam Newson
Subject: RADIUS CoA ClearPass/ AOS8 controller issues

Getting the following errors when attempting a CoA from ClearPass -> Aruba Controller. ClearPass appears to send the disconnect request but no disconnect acknowledgement in response.

When attempting manually – the following appears 'no response from network device'. Attempted multiple Aruba wireless CoA profiles. 

I can see in a pcap that the CoA disconnect appears to be happening but get 'destination unreachable (port unreachable)' between controller and ClearPass. Controller = 192.168.41.245 (MM) and ClearPass = 192.168.41.250. 

I have the RFC 3576 server specified in the AAA profile on the controller:

Here is the RFC 3576 server settings:

I have even created ACLs in the user roles for UDP 3799 permit from controller (MM) and controller (MC) to and from ClearPass.

Vendor name Aruba and port 3799 enabled in ClearPass devices for MM and MC.

Even created a firewall policy on the contoller MM and MC to permit UDP 3799. Not sure why there are hits on the policy, which is slightly confusing considering I'm testing a single client.

I have been through the FW settings numerous times with the customer and it appears that everything is open and permit all is in place. 

Anything obvious missing? 

Getting the following errors when attempting a CoA from ClearPass -> Aruba Controller. ClearPass appears to send the disconnect request but no disconnect acknowledgement in response.

When attempting manually – the following appears 'no response from network device'. Attempted multiple Aruba wireless CoA profiles. 

I can see in a pcap that the CoA disconnect appears to be happening but get 'destination unreachable (port unreachable)' between controller and ClearPass. Controller = 192.168.41.245 (MM) and ClearPass = 192.168.41.250. 

I have the RFC 3576 server specified in the AAA profile on the controller:

Here is the RFC 3576 server settings:

I have even created ACLs in the user roles for UDP 3799 permit from controller (MM) and controller (MC) to and from ClearPass.

Vendor name Aruba and port 3799 enabled in ClearPass devices for MM and MC.

Even created a firewall policy on the contoller MM and MC to permit UDP 3799. Not sure why there are hits on the policy, which is slightly confusing considering I'm testing a single client.

I have been through the FW settings numerous times with the customer and it appears that everything is open and permit all is in place. 

Anything obvious missing?