Wireless Access


Using mac authentication on wireless but re-auth not happening after device register.

  • 1.  Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 06:30 AM

    We run clustered 7220 controllers on 8.10.0.8 in conjunction with ClearPass. We configured a WLAN to enforce mac-authentication for clients that connect to the wifi. When the user connects, the controller should put the wireless client in an invalid-device role if they aren't registered and in a valid-device role if they are registered. The issue I'm seeing is that after the client registers their device they don't change roles. Even if they disco/recon their device to wireless they come back on the controller with that invalid-device role. Upon further investigation, I noticed that ClearPass is not getting the re-auth attempt. I've tried tinkering with the re-auth settings (making them 60 secs for example) on the role settings and the SSID profile. That changed nothing. The only solution has been to manually delete the device off the controller to force auth. I did a call with TAC and they asked me to send my controller support logs for them to evaluate. Still waiting to hear back. I'm just curious if you all have any suggestions on what to look for. Thanks



  • 2.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 07:25 AM

    If I understand correctly, the device gets registered in ClearPass? Where is it registered in ClearPass, in the Guest Device DB?

    CoA should be used for this. Normally ClearPass sends a CoA after device registration. Does ClearPass send a successful CoA to the controller after registration? 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 09:28 AM
    So we do have a CoA service to tell the controller to disconnect the device but it doesn't seem to be working. I just noticed this last night, I'll start trying to debug now.

    --

    Julian Hicks

    Network Engineer

    Instructional and Information Technology Services

    Infrastructure Services


    Haverford College

    370 Lancaster Avenue • Haverford, PA 19041







  • 4.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 09:38 AM

    After registering a device in ClearPass Guest you should see a CoA for the client MAC address. To make this work, make sure Dynamic Authorization is enabled in ClearPass and also enabled in the controllers. You need to define an RFC-3576 at the controllers.

    https://arubanetworking.hpe.com/techdocs/ArubaOS_8.12.0_Web_Help/Content/arubaos-solutions/auth-servers/conf-rfc-radi-serv.htm



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 5.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 10:53 AM
    Thanks. So far I do see Dynamic Authorization is enabled in ClearPass and also enabled in the controllers. So I'll have to review the config and debug where the fail is occurring.

    --

    Julian Hicks








  • 6.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 10:57 AM

    Make sure that the NAS IP that is used in the RADIUS request is added to the network devices in ClearPass. The CoA will be sent to the NAS IP and not to the source IP of the request.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 7.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 11:04 AM

    Meaning, if you've configured the cluster VRRP IP and VLAN for each cluster member, that is the IP address that should be getting used during normal operation.  Otherwise the default is to use the IP address of the MCR, which requires setting the RADIUS NAS-IP on each controller so that the local controller address gets used instead.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 27, 2025 11:40 AM

    I would strongly recommend to first make sure that a manual CoA works. For that, go to your authentication session in Access Tracker, then click the 'Change Status' button. From there, select a CoA action:

    If that doesn't work, an automatic CoA won't work either. And with manual CoA you can better control, monitor, debug. Once manual works, I'd expect policy triggered will work as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 27, 2025 11:49 AM

    I tried it manually and got "No response from network device". I wasn't aware of this feature. I'll use this to help test. Thanks for the tip.




  • 10.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 27, 2025 02:25 PM

    From this point, what may help as well is the 'Collect Logs' feature in the Server Manager. With that you can capture network traffic and verify that the CoA request leaves the ClearPass and what is the source IP (VIP if that's configured and active on that node) and destination IP (should be the switch). If it's sent to the correct switch/ap/gateway/controller, check that the ClearPass source IP is enabled for dynamic authorization/rfc3576 and/or check the logs on the switch/ap/... if there is something. It could also be that you need to use a different type, but for 72xx controllers the 'Aruba Wireless Disconnect' should be fine.



    ------------------------------
    Herman Robers
    ------------------------------
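The checks suggested in posts 6 and 10 (CoA goes to the NAS IP rather than the request's source IP; verify the destination of the captured Disconnect-Request), as an added example that is not part of the original thread and is not ClearPass or ArubaOS code. It parses raw RADIUS payloads taken from a packet capture; the function names, the sample addresses and MAC, and the use of Calling-Station-Id to match the client in the Disconnect-Request are assumptions made for illustration.

```python
import ipaddress
import struct

CODES = {1: "Access-Request", 40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
NAS_IP_ADDRESS, CALLING_STATION_ID = 4, 31  # RADIUS attribute types

def parse_radius(payload):
    """Decode the RADIUS header plus the two attributes that matter for CoA routing."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("RADIUS length field does not match the payload")
    pkt = {"code": CODES.get(code, str(code)), "id": ident, "nas_ip": None, "mac": None}
    pos = 20
    while pos < length:
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS and alen == 6:
            pkt["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == CALLING_STATION_ID:
            pkt["mac"] = value.decode("ascii", "replace")
        pos += alen
    return pkt

def check_coa_path(request, request_src_ip, disconnect, disconnect_dst_ip, network_devices):
    """Compare an Access-Request with the Disconnect-Request captured for the same client."""
    req, dis = parse_radius(request), parse_radius(disconnect)
    nas, findings = req["nas_ip"], []
    if nas != request_src_ip:
        findings.append("NAS-IP %s differs from request source %s" % (nas, request_src_ip))
    if nas not in network_devices:
        findings.append("NAS-IP %s is not a defined network device" % nas)
    if dis["code"] != "Disconnect-Request":
        findings.append("captured packet is %s, not Disconnect-Request" % dis["code"])
    if disconnect_dst_ip != nas:
        findings.append("Disconnect sent to %s, expected NAS-IP %s" % (disconnect_dst_ip, nas))
    if dis["mac"] != req["mac"]:
        findings.append("Calling-Station-Id mismatch: %s vs %s" % (dis["mac"], req["mac"]))
    return findings

# Constructed sample packets (zeroed authenticator, suitable for parsing only).
def build(code, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE_REQUEST = build(1, [(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])), (CALLING_STATION_ID, b"020000000001")])
SAMPLE_DISCONNECT = build(40, [(CALLING_STATION_ID, b"020000000001")])
```

An empty result from `check_coa_path` means the Disconnect-Request went to the address the controller advertised as its NAS IP and that address is a defined network device; each string returned names one place where the path diverges.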



  • 11.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Feb 26, 2025 09:27 AM

    If I'm remembering correctly, a re-auth period that short isn't workable.  I think I ended up at either 5 or 10 minutes as the minimum value that would be applied and be functional.

    But registering a device (device registration workflow in ClearPass Guest) should result in ClearPass sending a dynamic authorization disconnect message that would result in the device immediately needing to go through policy again upon reconnect.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 12.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Sep 18, 2025 09:32 AM

    I'm experiencing a similar problem (ClearPass is generating, but not sending, the CoA Disconnect-Request (Code 40) message).  Were you able to find a solution to the problem?

    -------------------------------------------



  • 13.  RE: Using mac authentication on wireless but re-auth not happening after device register.

    Posted Sep 18, 2025 01:32 PM

    If ClearPass isn't sending the RADIUS packet, that's a bug and would require opening a case with TAC.  If ClearPass is sending the packet but the operation is failing, that's probably a misconfiguration of the network device.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------