NAC Forescout - CoA Reauth to VOSS 9.2 5320 Switch


NikAll
New Contributor

Hey team

I am running Forescout as a NAC, and when a client gets access to the network via Dot1x and Forescout sends a CoA message, I see the switch accept it, but it is not kicking out the client until I remove the cable and put it back in.

Sometimes multiple times until it enters the correct client VLAN.

I am using the freeradius.internal

attribute "Send-CoA-Type"

Session-Reauthenticate
and have also tested Reauthenticate.


Anyone manage to solve this? 


Brent_Addis
Contributor II

What does your configuration on the switch look like?

Looking at my own NAC config, it's using the standard CoA-delimited RADIUS responses, so I don't see much of an issue there; it should be comparable to what you are sending.


-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!

# EAP CONFIGURATION
#

eapol auto-isid-offset 9900000
eapol auto-isid-offset enable
eapol enable


interface GigabitEthernet 1/3
default-vlan-id 32
name "dot1x"
no shutdown
slpp-guard enable
spanning-tree bpduguard enable
spanning-tree mstp edge-port true
no spanning-tree mstp force-port-state enable
eapol guest-vlan 32
eapol fail-open-vlan 32
eapol guest-isid 1000032
eapol fail-open-isid 1000032
eapol radius-dynamic-server enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol re-authentication-period 28800
eapol re-authentication enable
eapol traffic-control in

# RADIUS CONFIGURATION
#

radius server host 192.168.22.21 key ****** priority 1 retry 2 timeout 3
no radius server host 192.168.22.21 used-by cli acct-enable
radius server host 192.168.24.21 key ****** priority 2 retry 2 timeout 3
no radius server host 192.168.24.21 used-by cli acct-enable
radius server host 192.168.22.20 key ****** used-by eapol priority 1 retry 2 timeout 3
radius server host 192.168.24.20 key ****** used-by eapol priority 2 retry 2 timeout 3
radius server host 192.168.22.21 key ****** used-by web priority 1 retry 2 timeout 3
no radius server host 192.168.22.21 used-by web acct-enable
radius server host 192.168.24.21 key ****** used-by web priority 2 retry 2 timeout 3
no radius server host 192.168.24.21 used-by web acct-enable

radius enable
radius accounting enable
radius maxserver 6
radius reachability keep-alive-timer 30 unreachable-timer 30
radius reachability mode status-server
radius dynamic-server client 192.168.22.20 secret ****** enable
radius dynamic-server client 192.168.24.20 secret ****** enable
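As an added example, not code from either poster, Forescout or Extreme: this is the RFC 5176 authentication that the two `radius dynamic-server client` entries above make the switch perform on a CoA-Request from 192.168.22.20 or 192.168.24.20, and the matching check the NAC should make on the CoA-ACK/NAK that comes back. A CoA-ACK only proves the request authenticated against the configured secret and was accepted; it says nothing about what the re-authentication then did on the port. The shared secret, MAC address and Acct-Session-Id are constructed placeholders.

```python
import hashlib
import hmac
import struct
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes
CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 31, 44, 101  # RFC 2865/2866/5176 attribute types
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator: the 20-byte RADIUS header
SAMPLE_SECRET = b"example-shared-secret"  # constructed placeholder, not the poster's masked key
SAMPLE_ATTRS = [(CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_SESSION_ID, b"0000A1B2")]  # constructed

def encode_attrs(attrs):
    """RADIUS TLVs: 1-byte type, 1-byte total length, value (at most 253 bytes)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def _authenticator(code, ident, length, seed, body, secret):
    """MD5(Code|ID|Length|seed|Attrs|Secret); seed = 16 zero octets for a request, Request Authenticator for a reply."""
    return hashlib.md5(HEADER.pack(code, ident, length, seed) + body + secret).digest()

def build_coa_request(identifier, attrs, secret):
    # The CoA-Request the NAC (the switch's "dynamic-server client") sends
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = _authenticator(COA_REQUEST, identifier, length, bytes(16), body, secret)
    return HEADER.pack(COA_REQUEST, identifier, length, auth) + body

def verify_request(pkt, secret):
    """The check the switch makes before acting on a CoA-Request."""
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if code != COA_REQUEST or length != len(pkt):
        return False
    expected = _authenticator(code, ident, length, bytes(16), pkt[HEADER.size:], secret)
    return hmac.compare_digest(expected, auth)

def build_response(code, request, attrs, secret):
    # The switch's CoA-ACK (44) or CoA-NAK (45), bound to the request's authenticator
    _, ident, _, req_auth = HEADER.unpack_from(request)
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = _authenticator(code, ident, length, req_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body

def verify_response(resp, request, secret):
    """NAC side: return COA_ACK or COA_NAK only if the reply matches the request and the secret."""
    code, ident, length, auth = HEADER.unpack_from(resp)
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    if ident != req_ident or length != len(resp) or code not in (COA_ACK, COA_NAK):
        return None
    expected = _authenticator(code, ident, length, req_auth, resp[HEADER.size:], secret)
    return code if hmac.compare_digest(expected, auth) else None
```

An Error-Cause of 503 (Session Context Not Found) in a CoA-NAK is what to look for when the switch cannot match the session attributes the NAC sent.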
