
Can't dynamically disconnect clients from Amigopod - RFC 3576

Aruba Employee

To dynamically disconnect clients from Amigopod, the NAS must support RFC 3576. RFC 3576 added dynamic authorization (including Disconnect messages) to RADIUS. Several configuration options need to be set correctly for disconnects to work.

=== Settings to check on Amigopod ===
Ensure the NAS entry in Amigopod includes RFC 3576 support, e.g. "Aruba Networks (RFC 3576 Support)" instead of "Aruba Networks".

=== Settings to check on controller (Aruba) ===
An RFC 3576 server profile needs to be created under Configuration -> Security -> Authentication -> Servers. Enter the IP address of Amigopod and click "Add". Click the newly created IP address entry and give it the same shared secret as the RADIUS server.

NOTE: It is common to forget to enter the shared secret for the RFC 3576 profile on the controller.

Edit the AAA profile for the Amigopod pre-authentication role and reference the RFC 3576 server you just created.

=== Advanced Troubleshooting ===
Dynamic disconnect messages go over UDP port 3799. Ensure that this port is not blocked on a firewall.

Amigopod often has two interfaces in use: LAN and MGT. MGT is eth0, the primary interface, and Amigopod uses it most of the time. Static routes can be added to control which interface is used. If you define the Amigopod RFC 3576 server profile on the controller with the LAN interface address but Amigopod sends the request from the MGT interface instead, the controller will ignore the request.

Run a packet capture on Amigopod on the MGT interface, filtered on port 3799. It will tell you whether the disconnect message is being sent to the controller.

Run a packet capture on the controller, filtered on port 3799. It will tell you whether the controller is receiving the message.

If you receive a popup message when disconnecting a client from Amigopod such as:
* Disconnect failed - Administratively Prohibited
this means that the controller has not been configured for RFC 3576. Check that the RFC 3576 server has the correct shared secret and that it has been added to the AAA profile.

If you have Amigopod in an HA cluster, you will need to add each cluster member's IP as an RFC 3576 server on the controller. In Amigopod v3.3 and earlier, Amigopod sends the disconnect request from the real interface address instead of the VIP. Without adding the other IPs to the controller, you will likely see the error "No response from NAS" when attempting to disconnect a client.
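To make the shared-secret and "Administratively Prohibited" checks above concrete, here is an added example (not Amigopod or ArubaOS code) that builds an RFC 3576 Disconnect-Request and validates the NAS reply the way a RADIUS client must, decoding any Error-Cause attribute. The shared secret, identifier and user name are constructed test values, and the simulated NAS reply stands in for a real controller; on the wire the request would be a UDP datagram to the controller on port 3799.

```python
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ERROR_CAUSE = 1, 101  # attribute types (RFC 2865 / RFC 3576)
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                501: "Administratively Prohibited", 503: "Session Context Not Found",
                504: "Session Context Not Removable"}

def attr(kind, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_disconnect_request(secret, ident, username):
    """Build a Disconnect-Request (code 40) that identifies the session by User-Name."""
    attrs = attr(USER_NAME, username.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 3576 Request Authenticator: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_response(response, request, secret):
    """Validate the NAS reply against the request; return (code, [error cause names])."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("identifier mismatch: reply does not belong to this request")
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    # A mismatch usually means the NAS has a different shared secret than we do.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if expected != response[4:20]:
        raise ValueError("bad Response Authenticator: shared secret mismatch?")
    causes, pos = [], 20
    while pos < length:
        kind, alen = response[pos], response[pos + 1]
        if kind == ERROR_CAUSE:  # 4-byte integer value
            cause = struct.unpack("!I", response[pos + 2:pos + 6])[0]
            causes.append(ERROR_CAUSES.get(cause, str(cause)))
        pos += alen
    return code, causes

def simulated_nas_reply(request, secret, code, error_cause=None):
    """Constructed NAS reply for offline testing; stands in for a real controller."""
    attrs = attr(ERROR_CAUSE, struct.pack("!I", error_cause)) if error_cause is not None else b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
```

A reply whose Response Authenticator fails to verify is the programmatic equivalent of the shared-secret mistake described in the NOTE above, while a NAK carrying Error-Cause 501 corresponds to the "Administratively Prohibited" popup.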

Last update: 06-25-2014 03:50 PM