  • 1.  Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 11:20 AM

    ClearPass 6.4.4

    ArubaOS 6.4.2.3

     

    Issue:  ClearPass Access Tracker > Change Status > RADIUS COA > [Aruba Terminate Session]  ClearPass gives a successful Radius terminate session message, but the Client/Controller does not respond.

     

    I have 2 services running on ClearPass to enable 802.1x with the Aruba controller, with health checks.  One service is for 802.1x, with an enforcement policy that includes a posture rule/condition.  I also have the webauth service for OnGuard.

    Initial sign-on and authentication to the network works beautifully.  

    I have OnGuard set to check if the client has a firewall enabled.  If it fails the health check, it assigns a role that can only access a webpage where OnGuard can be downloaded or the dissolvable app can be used.  Once the health is checked, and a healthy client is verified, a second authorization is forced, and ClearPass correctly assigns a new role for full access.

     

    Now I want to make sure OnGuard can detect changes, auto-remediate, etc.

    I'm also just checking the functionality of Radius COA.

    (Auto-remediate isn't working either, but I'm thinking the issue with a manual terminate is what I need to fix to help out with that issue.)

     

    When forcing a terminate session via the Access Tracker/Change Status, I get a successful message but no behaviour is seen from the client or controller.

     

    This is my first attempt to validate this for a POC, so I appreciate any help or obvious thing I'm overlooking.

     

    I've tried opening up the Aruba firewall rules to allow-all on every role, just to make sure nothing is blocking or misconfigured.  I have also tried disabling the firewall on my client and sending the terminate session.  All behavior is the same as above.

     

    Thanks,

    Colin King 

     



  • 2.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 12:45 PM

    Based on what you are describing, it looks like the CoA (Aruba Terminate Session) is working as expected: it is able to apply a CoA based on the posture (Health Service/Enforcement Policy), and then the device reauths again and gets the right access based on the posture (802.1X Authentication Service/Enforcement Policy).

     

    If you are trying to test when a device is healthy and then becomes unhealthy because the user disabled the firewall functionality, it takes up 1 minute for the OnGuard agent to detect this:

    https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/OnGuard-Check-Interval 

     

    Also make sure you allow ports 6658 TCP/443 on the role that the user is attached to, so that the OnGuard agent can communicate properly with ClearPass.



  • 3.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 01:23 PM

    Victor,

     

    One of the reasons I'm trying the manual Change Status to terminate the session is that I was not seeing anything happen after waiting for a minute for the OnGuard to detect a status change. 

     

    If I use Change Status to manually terminate the session, shouldn't I immediately see the client disconnect and try to re-authenticate?

     

    2nd point is that I temporarily placed allow-all (any,any,any permit) rules into all of my policies just to make sure the Aruba firewall and my config were not the culprit.  I haven't done anything with the Win7 client I'm using.  However, if I have the firewall disabled, and manually terminate the session, I should not have an issue, correct?

     

    (This isn't a production deployment.  Just a test setup.)

    Thank you for the reply,

    Colin



  • 4.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 16, 2015 01:39 PM

    That's correct; once you initiate a CoA you should see in Access Tracker the device performing a reauth on the 802.1X.

    "However, if I have the firewall disabled, and manually terminate the session, I should not have an issue correct?"

    This shouldn't be an issue.

     

    Validate the following:

    - If there's a firewall in between, make sure to allow 3799

    - What do you have defined as your RADIUS NAS IP address on your controller? Run the following: "show ip radius nas-ip". Make sure it is the controller IP and that it exists in the list of network devices in ClearPass

    - Make sure that RFC-3576 has been added to the AAA profile in the controller and that the shared key matches with the radius key defined in ClearPass

    - In ClearPass make sure you enabled CoA for the network device



  • 5.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Feb 24, 2015 06:17 PM

    Victor,

     

    All configurations were good with the items listed in your "Validate the following".

    I think everything is working correctly. I had assumed that I would see some sort of disconnection or reaction from the client when using the Change Status > RADIUS CoA > terminate.

    I enabled logging debug dot1x and saw that the authentication was indeed happening again after manually terminating.  My only hiccup was that I was trying to enable logging to the console, but was unable to do that.  I found it through the GUI, so all is good now.

     

    Thanks for the help,

    Colin



  • 6.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Mar 11, 2025 02:57 PM

    Hi ,

    I have the same issue with my switch and ClearPass. When I bounce the port from ClearPass, only the webauth request is coming but the RADIUS request isn't coming, and the device is stuck in the healthy VLAN; as per the webauth it should move to the quarantine VLAN.

    After collecting the logs from ClearPass, ClearPass is able to send the CoA request, and in response it gets a negative acknowledgment. But on the switch end we are not able to see any logs or request for the CoA. However, all the CoA configurations are correct, and we also opened all the firewall ports; still we didn't get any hit/log on the switch side or on the firewall.



    ------------------------------
    Prasad Bhosale
    ------------------------------
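
Added example, not part of any post in this thread: a Python sketch of the RFC 5176 checks behind the "shared key matches" item in post 4 and the negative acknowledgment described in the post above. It rebuilds the Response Authenticator of a Disconnect-ACK/NAK from the shared key and decodes the Error-Cause attribute (101). The function names, shared key, identifier and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and a subset of Error-Cause (attribute 101) values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               501: "Administratively Prohibited",
               503: "Session Context Not Found"}

def build(code, ident, attrs, secret, request_auth=b"\x00" * 16):
    """Build a packet. A request hashes 16 zero octets in the authenticator
    slot; a reply hashes the authenticator of the request it answers."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def check_reply(reply, request, secret):
    """Return (packet name, authenticator valid?, Error-Cause text or None)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or ident != request[1]:
        raise ValueError("truncated reply or identifier mismatch")
    body = reply[20:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + body + secret).digest()
    cause, i = None, 0
    while i + 2 <= len(body):                      # walk type/length/value attributes
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        if atype == 101 and alen == 6:             # Error-Cause, 4-octet integer
            value = struct.unpack("!I", body[i + 2:i + 6])[0]
            cause = ERROR_CAUSE.get(value, f"Error-Cause {value}")
        i += alen
    valid = hmac.compare_digest(expected, reply[4:20])
    return CODES.get(code, f"code {code}"), valid, cause

def demo():
    # Constructed sample: secret, identifier and attribute values are made up.
    secret = b"constructed-shared-key"
    request = build(40, 7, [(1, b"testuser"), (4, bytes([192, 0, 2, 10]))], secret)
    nak = build(42, 7, [(101, struct.pack("!I", 503))], secret, request[4:20])
    return check_reply(nak, request, secret), check_reply(nak, request, b"wrong-key")

if __name__ == "__main__":
    print(demo())
```

A reply whose authenticator fails to validate with the configured key points at a key mismatch between the two sides; a valid NAK carries its reason in Error-Cause.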



  • 7.  RE: Radius_COA with ClearPass and Aruba Controller

    Posted Mar 11, 2025 05:29 PM

    This is a very old post; I suggest starting a new post and providing other details like firmware version, etc.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------