4 weeks ago
Hey team
I am running Forescout as a NAC, and when a client gets access to the network via Dot1x and Forescout sends a CoA message, I see the switch accept it, but it's not kicking out the client until I remove the cable and put it back in.
Sometimes multiple times until it enters the correct client VLAN.
I am using the freeradius.internal attribute "Send-CoA-Type" = Session-Reauthenticate, and also tested Reauthenticate.
Did anyone manage to solve this?
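Added example, not code from anyone in this thread: a small encoder/decoder for the RFC 5176 CoA exchange described above, useful for checking that what the switch "accepts" is a genuine CoA-ACK for your request and, on a CoA-NAK, which Error-Cause it reports (for example 503 when it cannot match the session from the identification attributes). The session values and shared secret are constructed; nothing is sent on the wire.

```python
import hashlib
import struct

# RFC 5176 packet codes, the attributes a NAC uses to identify a session,
# and the Error-Cause values a NAS returns in a CoA-NAK.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Calling-Station-Id": 31,
        "Acct-Session-Id": 44, "Error-Cause": 101}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               501: "Administratively Prohibited",
               503: "Session Context Not Found", 506: "Resources Unavailable"}

def encode_attrs(attrs):
    """Serialise (name, value) pairs as RADIUS TLVs; ints become 4-octet integers."""
    out = b""
    for name, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        out += struct.pack("!BB", ATTR[name], len(raw) + 2) + raw
    return out

def build_coa_request(ident, attrs, secret):
    """Request Authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret.encode()).digest()
    return header + auth + body

def build_response(code, request, attrs, secret):
    """What the NAS sends back: MD5(header | request authenticator | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret.encode()).digest()
    return header + auth + body

def parse_response(pkt, request, secret):
    """Verify a CoA-ACK/NAK against the request it answers; return
    (accepted, error_cause_text). Raises if the authenticator does not match."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + request[4:20] + body + secret.encode()).digest()
    if ident != request[1] or pkt[4:20] != expected:
        raise ValueError("bad Response Authenticator or identifier: not from the NAS")
    cause, pos = None, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if atype == ATTR["Error-Cause"] and alen == 6:
            cause = ERROR_CAUSE.get(struct.unpack("!I", body[pos + 2:pos + 6])[0])
        pos += alen
    return code == COA_ACK, cause
```

A CoA-ACK only confirms the switch matched the session and accepted the request; whether it then actually re-authenticates the port is a separate NAS-side action, so a packet capture showing an ACK is consistent with the behaviour reported above.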
4 weeks ago
What does your configuration on the switch look like?
Looking at my own NAC config, it's using the standard CoA-delimited RADIUS responses, so I don't see much of an issue there; it should be comparable to what you are sending.
3 weeks ago
# EAP CONFIGURATION
#
eapol auto-isid-offset 9900000
eapol auto-isid-offset enable
eapol enable
interface GigabitEthernet 1/3
default-vlan-id 32
name "dot1x"
no shutdown
slpp-guard enable
spanning-tree bpduguard enable
spanning-tree mstp edge-port true
no spanning-tree mstp force-port-state enable
eapol guest-vlan 32
eapol fail-open-vlan 32
eapol guest-isid 1000032
eapol fail-open-isid 1000032
eapol radius-dynamic-server enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol re-authentication-period 28800
eapol re-authentication enable
eapol traffic-control in
# RADIUS CONFIGURATION
#
radius server host 192.168.22.21 key ****** priority 1 retry 2 timeout 3
no radius server host 192.168.22.21 used-by cli acct-enable
radius server host 192.168.24.21 key ****** priority 2 retry 2 timeout 3
no radius server host 192.168.24.21 used-by cli acct-enable
radius server host 192.168.22.20 key ****** used-by eapol priority 1 retry 2 timeout 3
radius server host 192.168.24.20 key ****** used-by eapol priority 2 retry 2 timeout 3
radius server host 192.168.22.21 key ****** used-by web priority 1 retry 2 timeout 3
no radius server host 192.168.22.21 used-by web acct-enable
radius server host 192.168.24.21 key ****** used-by web priority 2 retry 2 timeout 3
no radius server host 192.168.24.21 used-by web acct-enable
radius enable
radius accounting enable
radius maxserver 6
radius reachability keep-alive-timer 30 unreachable-timer 30
radius reachability mode status-server
radius dynamic-server client 192.168.22.20 secret ****** enable
radius dynamic-server client 192.168.24.20 secret ****** enable