As it is now just an annoying optical bug, I'll open a case with TAC as soon as we've got some spare time, at least, we have an almost working configuration right now :-)
-------------------------------------------
Original Message:
Sent: Oct 02, 2025 04:57 AM
From: GorazdKikelj
Subject: Radius CoA doesn't work when using radsec
Hi @JH-865c91
You should also check in Event Viewer for IPsec tunnel UP/DOWN events.

Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
------------------------------
Original Message:
Sent: Oct 02, 2025 04:26 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello Carson,
correct, it's 10.11.26 on AOS-S
We've tested everything before, the productive environment still runs with classic radius without any issues. The test switch with radsec uses the same config as the productive one, just differs in radius server settings.
Event viewer doesn't show any message after running CoA on Webgui. We use the same services for productive and radsec.
As mentioned in previous post, I guess it's a config issue on the switch, I'll check radius tracking, open the firewall port and the config samples from Gorazd on Monday. If everything fails, I'll grab a packetcapture and open a case.
Original Message:
Sent: Sep 30, 2025 09:46 AM
From: chulcher
Subject: Radius CoA doesn't work when using radsec
You state the switch is a 2930F, that model runs AOS-S, I'm guessing you mean 16.11.26?
Have you tested everything without RadSec enabled first? Have you looked at the event viewer to see if there is anything interesting or relevant?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 30, 2025 08:39 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello together,
first of all: big thanks for your quick answers! I'm gonna test it on Monday onsite and keep you updated :-) If nothing helps, I'll do a packet capture at the switch uplink and open a case.
@GK-c34688: Good to know you have a working reference, so I can expect a config issue in my setup, that makes troubleshooting lots easier. I've got same firmware as you, we just started config on 10.11.0026, shouldn't be that different. Switch has been factory defaulted before. I'll check with the radius tracking, it's on the bucket list anyway.
@MD-6e8f66: The certificate part works as expected, CPPM and switch got a cert from a trusted CA, both end show connection as up. I'll add another firewall rule from Clearpass to switch, current one's vice versa, maybe connection attempt gets dropped without log in firewall.
Original Message:
Sent: Sep 30, 2025 03:49 AM
From: GorazdKikelj
Subject: Radius CoA doesn't work when using radsec
To mitigate tunnel closure you should deploy radius tracking option. Switch will trigger dummy authorization request to keep tunnel open.
You can create a tracker user account and service on Clearpass so you won't get all test requests in red :-) It really doesn't matter if request is accept or reject as switch is only looking for radius response.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Sep 30, 2025 03:31 AM
From: muhittin
Subject: Radius CoA doesn't work when using radsec
Hello,
In addition to the above explanations, if you are performing RADsec authentication, you will need a CA certificate on both the switch and ClearPass sides, and two-way authentication must be performed.
RadSec carries authentication over a single TCP 2083 tunnel; do not expect a separate UDP/3799. It is sent within the same TLS session opened by the CoA (switch). If the switch is not maintaining an open RadSec session at that moment, ClearPass cannot push the CoA and you will see "No response from network device."
It will work properly if you allow the following port:
TCP/2083 (in both directions) must be allowed on the firewall. RadSec CoA does not use UDP/3799.