CoA feature not working with Aruba master and local controllers

Environment: This applies to all versions of CPPM.

Question in detail.

We are integrating CPPM with an Aruba customer and running one master controller and two local controllers in campus. We configured the CPPM as RADIUS authentication, accounting and RFC-3576 server for MAC and Captive Portal authentication. Everything works fine except a CoA issue when we tried to disconnect an authenticated user from Aruba controllers.

From Monitoring > Active Tracker, I found the master IP address (192.168.4.2) is recorded as the Access Device IP although the actual RADIUS client is the local controller (192.168.4.6), which is the Connection: Src-IP-Address. So when I click “Change Status” and send Aruba Termination out, and type “show aaa rfc-3576 status” on the controller CLI, I was surprised to see that the Disconnect CoA was sent to the master controller rather than the local controller. Then I tried changing the configuration of the RADIUS server to a NAS-IP of 192.168.4.6 on the master controller and synchronizing it to the local controllers, and the CoA request was sent to the local controller correctly.

So it seems CPPM always sends CoA to the NAS-IP address rather than the Connection: Src-IP-Address.


Answer:

CoA is ALWAYS sent to the NAS-IP-Address and not to the Src-IP-Address (this is by design), as shown in the access tracker logs below.

To fix this, add an override on each of the local controllers in question.

    (ArubaController) #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

    (ArubaController) (config) #ip radius nas-ip x.x.x.x

where x.x.x.x is the IP of your local controller, which is shown above in the access tracker log.


The above configuration applies globally to all the RADIUS servers. To make this change on specific servers, execute the commands below.

    (ArubaController) #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

    (ArubaController) (config) #aaa authentication-server radius <your_radius_server_name>

    (ArubaController) (RADIUS Server "<your_radius_server_name>") #nas-ip X.X.X.X
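
To confirm whether a controller needs the override, compare the NAS-IP-Address attribute inside its Access-Request with the packet's source IP, since the CoA goes to the former. The following is an added example, not part of the original article or any Aruba tooling; the function names are hypothetical and the packet is constructed inline using the two addresses from the question.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type for NAS-IP-Address (RFC 2865)

def build_access_request(nas_ip, username=b"user1"):
    """Constructed sample: minimal Access-Request (code 1) with a zeroed authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username            # User-Name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

def nas_ip_from_packet(packet):
    """Walk the attribute TLVs and return NAS-IP-Address as a string, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == NAS_IP_ADDRESS and alen == 6:
            return str(ipaddress.IPv4Address(packet[pos + 2:pos + 6]))
        pos += alen
    return None

def coa_target_check(src_ip, packet):
    """Report where a CoA would be sent and whether that differs from the real sender."""
    nas_ip = nas_ip_from_packet(packet)
    return {
        "src_ip": src_ip,          # Connection: Src-IP-Address (the local controller)
        "coa_target": nas_ip,      # CoA follows NAS-IP-Address, as stated in the answer
        "mismatch": nas_ip is not None and nas_ip != src_ip,
    }

if __name__ == "__main__":
    # Before the override: local controller 192.168.4.6 advertises the master's IP.
    print(coa_target_check("192.168.4.6", build_access_request("192.168.4.2")))
    # After setting nas-ip on the local controller, the two addresses agree.
    print(coa_target_check("192.168.4.6", build_access_request("192.168.4.6")))
```

A `mismatch` of `True` means the Disconnect/CoA request will go to a device other than the one holding the session, which is the symptom described in the question.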

Version History
Revision #: 1 of 1
Last update: 07-03-2014 01:36 PM

Comments


I am new to CoA and would like to clarify with regards to my POC setup:

1 master and 4 local controllers. APs are only on the local controllers.

4 AP-Groups, one for each local controller

4 Virtual-APs, so that 1 Virtual-AP is associated with 1 AP-Group of a local controller

1 WLAN SSID profile

4 AAA profiles and 4 RADIUS server groups, so that we can associate the NAS IP address of each local controller with one of the RADIUS server groups.

Is my understanding correct?
