Hi Johannes.
Yeah. I see the same behaviour on several switches. No response from server but CoA works as expected.
Original Message:
Sent: Oct 06, 2025 07:09 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello together,
as written before, you'll get an update today:
- Switched the config to IP address instead of FQDN using the config provided by Gorazd
- Had a deeper look at the switch, both the logs and also "debug all", it's working now, client gets disconnected, just Clearpass still shows "No response from network device". Client definitely re-authenticates, it's visible in access tracker
- Firewall allows 2083 tcp in both directions, don't see any connections sourcing Clearpass, but expected that as the switch initiates the connection
- Re-checked the certificates, the one for CPPM contains dns-name, IP-Address, IP as DNS-Address, Key usage for TLS Server Authentication and EAP over LAN. Cert for Switch is valid for TLS Client Authentication
- Disabling certificate validation for the radsec device makes no change
- radsec connection stays up at both ends
- it makes no difference if I use radius tracking or not
As it is now just an annoying optical bug, I'll open a case with TAC as soon as we've got some spare time, at least, we have an almost working configuration right now :-)
Big thanks for your kind support and config snippets!
Original Message:
Sent: Oct 02, 2025 04:57 AM
From: GorazdKikelj
Subject: Radius CoA doesn't work when using radsec
Hi @railway
You should also check in Event Viewer for IPsec tunnel UP/DOWN events.

Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Oct 02, 2025 04:26 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello Carson,
correct, it's 10.11.26 on AOS-S
We've tested everything before, the productive environment still runs with classic radius without any issues. The test switch with radsec uses the same config as the productive one, just differs in radius server settings.
Event viewer doesn't show any message after running CoA on Webgui. We use the same services for productive and radsec.
As mentioned in previous post, I guess it's a config issue on the switch, I'll check radius tracking, open the firewall port and the config samples from Gorazd on Monday. If everything fails, I'll grab a packet capture and open a case.
Original Message:
Sent: Sep 30, 2025 09:46 AM
From: chulcher
Subject: Radius CoA doesn't work when using radsec
You state the switch is a 2930F, that model runs AOS-S, I'm guessing you mean 16.11.26?
Have you tested everything without RadSec enabled first? Have you looked at the event viewer to see if there is anything interesting or relevant?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 30, 2025 08:39 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello together,
first of all: big thanks for your quick answers! I'm gonna test it on Monday onsite and keep you updated :-) If nothing helps, I'll do a packet capture at the switch uplink and open a case.
@GorazdKikelj: Good to know you have a working reference, so I can expect a config issue in my setup, that makes troubleshooting lots easier. I've got same firmware as you, we just started config on 10.11.0026, shouldn't be that different. Switch has been factory defaulted before. I'll check with the radius tracking, it's on the bucket list anyway.
@muhittin: The certificate part works as expected, CPPM and switch got a cert from a trusted CA, both ends show connection as up. I'll add another firewall rule from Clearpass to switch, current one's vice versa, maybe connection attempt gets dropped without log in firewall.
Original Message:
Sent: Sep 30, 2025 03:49 AM
From: GorazdKikelj
Subject: Radius CoA doesn't work when using radsec
To mitigate tunnel closure you should deploy radius tracking option. Switch will trigger dummy authorization request to keep tunnel open.
You can create a tracker user account and service on Clearpass so you won't get all test requests in red :-) It really doesn't matter if request is accept or reject as switch is only looking for radius response.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Sep 30, 2025 03:31 AM
From: muhittin
Subject: Radius CoA doesn't work when using radsec
Hello,
In addition to the above explanations, if you are performing RADsec authentication, you will need a CA certificate on both the switch and ClearPass sides, and two-way authentication must be performed.
RadSec carries authentication over a single TCP 2083 tunnel; do not expect a separate UDP/3799. It is sent within the same TLS session opened by the CoA (switch). If the switch is not maintaining an open RadSec session at that moment, ClearPass cannot push the CoA and you will see "No response from network device."
It will work properly if you allow the following port:
TCP/2083 (in both directions) must be allowed on the firewall. RadSec CoA does not use UDP/3799.
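An added troubleshooting example (not part of any post in this thread, and not vendor code): because RadSec CoA shares the switch-initiated TLS session on TCP/2083, a "No response from network device" symptom can be checked by splitting the decrypted stream of each direction into RADIUS packets and listing CoA/Disconnect requests that never received an ACK or NAK. It assumes you already have the decrypted payload bytes per direction; the function names and sample packets are constructed for illustration.

```python
import struct

# Dynamic-authorization packet codes from RFC 5176.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
REQUESTS, REPLIES = {40, 43}, {41, 42, 44, 45}

def split_radius_stream(data: bytes):
    """Split decrypted RADIUS-over-TLS bytes into (code, identifier, raw) tuples.

    TCP has no datagram boundaries, so each packet is delimited by the
    16-bit length field in its 20-byte header.
    """
    packets, off = [], 0
    while off + 20 <= len(data):
        code, ident, length = struct.unpack_from("!BBH", data, off)
        if length < 20 or off + length > len(data):
            break  # malformed or truncated tail: stop rather than misparse
        packets.append((code, ident, data[off:off + length]))
        off += length
    return packets

def unanswered_requests(to_switch: bytes, from_switch: bytes):
    """List CoA/Disconnect requests the server sent that got no ACK or NAK.

    Replies are matched on the 8-bit identifier only, so feed it a short
    capture window in which identifiers have not wrapped.
    """
    replied = {i for c, i, _ in split_radius_stream(from_switch) if c in REPLIES}
    return [(CODES[c], i) for c, i, _ in split_radius_stream(to_switch)
            if c in REQUESTS and i not in replied]

def build_packet(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample data: User-Name attribute (type 1) with a made-up value.
USER = bytes([1, 2 + len(b"testuser")]) + b"testuser"
TO_SWITCH = build_packet(40, 7, USER) + build_packet(43, 8, USER)
FROM_SWITCH = build_packet(41, 7)  # switch acknowledged only the disconnect

if __name__ == "__main__":
    for name, ident in unanswered_requests(TO_SWITCH, FROM_SWITCH):
        print(f"no reply from switch for {name} id={ident}")
```

An empty result while the server still reports no response points at the server side rather than the switch.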
Original Message:
Sent: Sep 29, 2025 09:32 AM
From: railway
Subject: Radius CoA doesn't work when using radsec
Hello together,
I've got a question regarding radsec and radius change of authorization.
Current Scenario:
- Campus using Aruba 2930F switches version 10.11.0026 and Clearpass 6.12.6
- classic Radius without radsec works well, including CoA
- we're testing radsec with one non-productive switch, radsec itself works well, only CoA doesn't work
CoA is enabled for network device within Clearpass and also in switch config using "radius-server host <cppm.fqdn> tls dyn-authorization".
When trying to run a port-bounce with CoA, I get an error, stating "No response from network device", switch doesn't show any action.
Does anybody know about any general limitations or issue with the switches for CoA over radsec? I checked the release notes for both, but no related issue found. Firewall doesn't discard any packet.
Greetings Railway
-------------------------------------------