802.1x COA reauthenticate - Aruba Switch

vivarock12
Level 1

Hello,

I have a problem with an Aruba switch. I'm using ISE to do DACL on the Aruba switch and it's working, but when I want to change the ACL I need to do a CoA reauthenticate on the end user for him to change the ACL, but for some reason it just won't work.

definicion_reathunticate.PNG

This is the configuration I did for the reauthentication on a special profile for the Aruba switches. The NAS-FILTER-RULE is the VSA 92, the one I'm using to send the ACL to the user.

error_COA_manual_reauthenticate.PNG

error_COA_manual_reauthenticate2.PNG

error_COA_manual_reauthenticate3_tapado.png

This is the error I'm getting. Any idea on what I can do to overcome this?

Accepted Solutions

vivarock12
Level 1

The problem was

radius-server host 192.100.1.95 clearpass

I removed the parameter and everything works.

7 Replies

dACL? I don't think Aruba switches support dACLs. You can call a local User Role that then maps to a local ACL or pass a local ACL name as the filter-id attribute. Keep in mind the CoA port for Aruba devices is 3799.

Also is CoA enabled on the Aruba Switch?  Is this an AOS-CX switch? 

radius dyn-authorization client [name] secret-key plaintext aruba123
radius dyn-authorization enable

Hello,

Yes, they do support them using VSA 92 and it is working, but what I want to do is change the assigned DACL that the user is using, but every time I get that error. Here's the configuration on the Aruba switch.

radius-server host 192.100.1.95 key "Hola.123"
radius-server host 192.100.1.95 dyn-authorization
radius-server host 192.100.1.95 clearpass
radius-server access-request include framed-ip-address

!

Is this the same as the config you shared?

radius dyn-authorization client [name] secret-key plaintext aruba123
radius dyn-authorization enable

!
!

Thanks for the help, by the way.

No it looks like you have the RADIUS server defined but you do not have CoA enabled for that same RADIUS server. You need to add those two lines I copied previously and ensure ISE is configured to use port 3799 for CoA for this Aruba switch.

This is an AOS-S. Are these the same commands?

hslai
Cisco Employee

@vivarock12  The failure said no response from the NAD. Most likely the CoA port mismatched between ISE and the NAD.

These commands say that the CoA request is getting to the switch, but the switch does not respond.

vivarock12_0-1678679566338.png

Is there a special config to be done on the client PC? I'm using the Windows 802.1x client.
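For the "no response from the NAD" symptom discussed above, an added example (not part of the original thread, and not Cisco or Aruba code): it computes the RFC 5176 Request and Response Authenticators so a CoA-Request captured on UDP port 3799 can be checked against the key configured on the switch. The attribute values are constructed and the function names are hypothetical; Message-Authenticator is not handled.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes


def md5cat(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def build_coa_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code+Id+Length+16 zero octets+Attrs+secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    return header + md5cat(header, bytes(16), body, secret) + body


def check_coa_request(packet, secret):
    """Classify a captured CoA-Request against the secret the switch holds."""
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    if code != COA_REQUEST:
        return "not-coa-request"
    # Octets past the Length field are padding and are ignored.
    expected = md5cat(packet[:4], bytes(16), packet[20:length], secret)
    ok = hmac.compare_digest(expected, packet[4:20])
    return "authenticator-ok" if ok else "authenticator-mismatch"


def check_coa_reply(request, reply, secret):
    """Response Authenticator = MD5(Code+Id+Length+RequestAuth+Attrs+secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "unrelated"
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return "unrelated"
    expected = md5cat(reply[:4], request[4:20], reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(reply[0], "unexpected-code")


# Constructed sample: Calling-Station-Id (31) and NAS-Filter-Rule (92).
SAMPLE_ATTRS = [(31, b"00-11-22-33-44-55"), (92, b"permit in ip from any to any")]
SWITCH_KEY = b"Hola.123"  # key from the switch config posted in the thread
SAMPLE_REQUEST = build_coa_request(7, SAMPLE_ATTRS, SWITCH_KEY)
```

An "authenticator-mismatch" result means the sender and the switch hold different shared secrets, which is one cause of an unanswered CoA besides a port mismatch.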

 
