What attribute do I use when configuring an RFC3576 server for change of authorization?
Jul 09, 2014 04:12 PM
Arunkumar
Product and Software:
This article applies to all Aruba Mobility Controllers and ArubaOS 3.x.
From RFC3576:
“The RADIUS protocol, defined in [RFC2865], does not support
unsolicited messages sent from the RADIUS server to the Network
Access Server (NAS).
However, there are many instances in which it is desirable for
changes to be made to session characteristics, without requiring the
NAS to initiate the exchange. For example, it may be desirable for
administrators to be able to terminate a user session in progress.
Alternatively, if the user changes authorization level, this may
require that authorization attributes be added/deleted from a user
session.
To overcome these limitations, several vendors have implemented
additional RADIUS commands in order to be able to support unsolicited
messages sent from the RADIUS server to the NAS. These extended
commands provide support for Disconnect and Change-of-Authorization
(CoA) messages. Disconnect messages cause a user session to be
terminated immediately, whereas CoA messages modify session
authorization attributes such as data filters.”
To use CoA, the RFC3576 server must be configured to send the Filter-Id attribute as one of the supplemental attributes in the CoA-Request.
The Aruba-User-Role vendor-specific attribute is not supported for CoA.
Also, an ESI (External Services Interface) license is required on the Aruba controller.
This example uses radclient, the FreeRADIUS client, as the testing utility.
On the Aruba controller:
(ke1929-w1) #show aaa profile rfc3576
AAA Profile "rfc3576"
---------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile rfc3576
802.1X Authentication Default Role guest
802.1X Authentication Server Group internal
RADIUS Accounting Server Group N/A
XML API server N/A
RFC 3576 server 10.168.123.210
User derivation rules N/A
Wired to Wireless Roaming Enabled
(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210 ?
| Output Modifiers
<cr>
(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210
RFC 3576 Server "10.168.123.210"
--------------------------------
Parameter Value
--------- -----
Key aruba123
(ke1929-w1) #show license
License Table
-------------
Key                                  Installed            Expires  Flags  Service Type
---                                  ---------            -------  -----  ------------
+QPKOMv9-QQFKySuB-4nHiPGPa-4wUy2...  2008-03-26 19:03:27  Never    E      Policy Enforcement Firewall
gKtQ5piW-wcfbrqVq-n/HIHk/9-6MoC9...  2008-03-26 19:03:55  Never    E      Wireless Intrusion Protection
j2yAbp3s-wZgADP2Z-NoSK+hVk-Sa+vz...  2009-03-09 18:00:50  Never    E      External Services Interface
License Entries: 3
Flags: A - auto-generated; E - enabled; R - reboot required to activate
On the RADIUS server (Linux):
echo -e "User-Name =aaa
Filter-Id = authenticated" | radclient -n 1 -x 10.168.123.214:3799 coa aruba123
This command changes the user role of ‘aaa’ to ‘authenticated’ on the Aruba controller (10.168.123.214, UDP port 3799), using the shared key ‘aruba123’ configured for the RFC 3576 server.
If it is successful, the Aruba controller returns a CoA-ACK; a CoA-NAK means the request was rejected (for example, a wrong key or an unknown user).
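As an added illustration (not part of the original article or of radclient), the following Python builds the same CoA-Request that the radclient command above sends, with the RFC 3576 Request Authenticator, and checks the Response Authenticator of the controller's CoA-ACK or CoA-NAK. The packet identifier and the stand-in reply are constructed values; the shared key ‘aruba123’ is the one from the article.

```python
import hashlib
import struct

# Packet codes from RFC 3576 and attribute types from RFC 2865.
CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
CODE_COA_NAK = 45
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(identifier: int, secret: bytes, user_name: str, filter_id: str) -> bytes:
    """CoA-Request with User-Name and Filter-Id, as the article's radclient command sends.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    the Accounting-Request rule that RFC 3576 reuses for CoA/Disconnect requests.
    """
    attrs = encode_attr(ATTR_USER_NAME, user_name.encode()) + encode_attr(ATTR_FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Validate a CoA-ACK/NAK against its request before trusting the result.

    Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    """
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1]:
        return "ID mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return "bad authenticator"  # wrong key or tampered reply
    return {CODE_COA_ACK: "CoA-ACK", CODE_COA_NAK: "CoA-NAK"}.get(code, f"unexpected code {code}")


def make_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed stand-in for the controller's reply so the verifier can be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
```

Sending the returned bytes over UDP to the controller's port 3799 and feeding the reply to verify_response reproduces what radclient does; the identifier must be unique per outstanding request.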