Controller Based WLANs

Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS 3.x. 

From RFC3576: 

   “The RADIUS protocol, defined in [RFC2865], does not support 
   unsolicited messages sent from the RADIUS server to the Network 
   Access Server (NAS). 

   However, there are many instances in which it is desirable for 
   changes to be made to session characteristics, without requiring the 
   NAS to initiate the exchange.  For example, it may be desirable for 
   administrators to be able to terminate a user session in progress. 
   Alternatively, if the user changes authorization level, this may 
   require that authorization attributes be added/deleted from a user 
   session. 

   To overcome these limitations, several vendors have implemented 
   additional RADIUS commands in order to be able to support unsolicited 
   messages sent from the RADIUS server to the NAS.  These extended 
   commands provide support for Disconnect and Change-of-Authorization 
   (CoA) messages.  Disconnect messages cause a user session to be 
   terminated immediately, whereas CoA messages modify session 
   authorization attributes such as data filters.” 


To use CoA, the RFC3576 server needs to be configured to use ‘filter-id’ as one of the supplement attribute. 

The ‘Aruba-User-Role’ is not supported. 

Also, ESI license is required on the Aruba controller. 

This example uses the FreeRADIUS client as the testing utility. 

On Aruba controller: 
(ke1929-w1) #show aaa profile rfc3576 

AAA Profile "rfc3576" 
--------------------- 
Parameter                           Value 
---------                           ----- 
Initial role                        logon 
MAC Authentication Profile          N/A 
MAC Authentication Default Role     guest 
MAC Authentication Server Group     default 
802.1X Authentication Profile       rfc3576 
802.1X Authentication Default Role  guest 
802.1X Authentication Server Group  internal 
RADIUS Accounting Server Group      N/A 
XML API server                      N/A 
RFC 3576 server                     10.168.123.210 
User derivation rules               N/A 
Wired to Wireless Roaming           Enabled 

(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210 ? 
|                       Output Modifiers 
<cr> 

(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210 

RFC 3576 Server "10.168.123.210" 
-------------------------------- 
Parameter  Value 
---------  ----- 
Key        aruba123 

(ke1929-w1) #show license 

License Table 
------------- 
Key                                  Installed   Expires  Flags  Service Type 
---                                  ---------   -------  -----  ------------ 
+QPKOMv9-QQFKySuB-4nHiPGPa-4wUy2...  2008-03-26  Never     E     Policy Enforcement Firewall 
                                     19:03:27                      
gKtQ5piW-wcfbrqVq-n/HIHk/9-6MoC9...  2008-03-26  Never     E     Wireless Intrusion Protection 
                                     19:03:55                      
j2yAbp3s-wZgADP2Z-NoSK+hVk-Sa+vz...  2009-03-09  Never     E     External Services Interface 
                                     18:00:50                      

License Entries: 3 

Flags: A - auto-generated; E - enabled; R - reboot required to activate 

On the RADIUS server (Linux): 
echo -e "User-Name =aaa
Filter-Id = authenticated" | radclient  -n 1 -x 10.168.123.214:3799 coa aruba123 

This command is to change the user role of ‘aaa’ to ‘authenticated’ on the Aruba controller. 

If it is successful, the Aruba controller returns a CoA-ACK.