Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
4
Helpful
7
Replies

802.1x COA reauthenticate - Aruba Switch

Go to solution
vivarock12
Beginner
Beginner

‎03-10-2023 07:17 AM

Hello,

I have a problem with an Aruba Switch im using ise to do DACL on the aruba switch and its working but when a want to change the ACL i need to do a COA reauthenticate on the end user for him to change the ACL but for some reason i just wont work.

definicion_reathunticate.PNG

 this is the configuration i did for the reauthentication on a special profile for the aruba switches, the NAS-FILTER-RULE is the VSA92 the one im using to send the ACL to the user.

error_COA_manual_reauthenticate.PNG

error_COA_manual_reauthenticate2.PNG

error_COA_manual_reauthenticate3_tapado.png

this is the error im getting and idea on what can i do to overcome this?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vivarock12
Beginner
Beginner

‎04-26-2023 10:46 AM

the problem was

radius-server host 192.100.1.95 clearpass

i remove the parameter and everything works

View solution in original post

7 Replies 7

Go to solution
ahollifield
VIP
VIP

‎03-10-2023 01:46 PM - edited ‎03-10-2023 01:47 PM

dACL?  I don' think Aruba Switches support dACLs.  You can call a local User Role that then maps to a local ACL or pass a local ACL name as the filter-id attribute.  Keep in mind the CoA port for Aruba devices is 3799.

Also is CoA enabled on the Aruba Switch?  Is this an AOS-CX switch? 

radius dyn-authorization client [name] secret-key plaintext aruba123
radius dyn-authorization enable

0 Helpful

Go to solution
vivarock12
Beginner
Beginner
In response to ahollifield

‎03-10-2023 08:53 PM

Hello,

yes they do support them using VSA 92 and is working but what i want to do is change the Assing DACL that the user is using but every time i get that error, heres the configuration on theARUBA switch.

radius-server host 192.100.1.95 key "Hola.123"
radius-server host 192.100.1.95 dyn-authorization
radius-server host 192.100.1.95 clearpass
radius-server access-request include framed-ip-address

!

is this the same as the config you share???

radius dyn-authorization client [name] secret-key plaintext aruba123
radius dyn-authorization enable

!
!

thanks for the help by ther way

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to vivarock12

‎03-13-2023 10:08 AM

No it looks like you have the RADIUS server defined but you do not have CoA enabled for that same RADIUS server. You need to add those two lines I copied previously and ensure ISE is configured to use port 3799 for CoA for this Aruba switch.
0 Helpful

Go to solution
vivarock12
Beginner
Beginner
In response to ahollifield

‎03-16-2023 09:03 AM

this is an AOS-S does this are the same command?

Go to solution
hslai
Cisco Employee
Cisco Employee

‎03-11-2023 10:59 PM

@vivarock12  The failure said no response from the NAD. Most likely the CoA port mismatched between ISE and the NAD.

Go to solution
vivarock12
Beginner
Beginner
In response to hslai

‎03-12-2023 08:53 PM

this commands said that the COA request is geeting to the Switch but the switch does no response

vivarock12_0-1678679566338.png

Is there a special config to be done on the Client pc im using windows 802.1x client?

 

Go to solution
vivarock12
Beginner
Beginner

‎04-26-2023 10:46 AM

the problem was

radius-server host 192.100.1.95 clearpass

i remove the parameter and everything works

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents