Dear Spacewalkers,
We are using Stellar with OV Cirrus and a local Clearpass as Radius-Server to authenticate clients via 802.1x (EAP-TLS).
Authentication works fine and dynamic role-assignment via Filter-ID attribute in the Radius-Response is functioning.
Unfortunately, we need to use CoA to change role-assignment past initial authentication. This is not working. Clearpass is sending the CoA packet to the Stellar AP with the new role inside the Filter-ID attribute as well as the client MAC address in the Calling-Station-ID attribute.
The Stellar AP is always blocking the CoA-Request with a CoA-NAK. We captured that with Wireshark. The reason is "Session-Context-Not-Found".
We also tried to add more attributes to help with session-context like Account-Session-ID or username. But nothing worked yet.
Has anyone experienced similiar behaviour and may have a solution to this?
Thanks!
PS: I've attached screenshots of the CoA-NAK packet.
Attachments:
