What attribute do I use when configuring an RFC3576 server for change of authorization?
Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS 3.x.
“The RADIUS protocol, defined in [RFC2865], does not support
unsolicited messages sent from the RADIUS server to the Network
Access Server (NAS).
However, there are many instances in which it is desirable for
changes to be made to session characteristics, without requiring the
NAS to initiate the exchange. For example, it may be desirable for
administrators to be able to terminate a user session in progress.
Alternatively, if the user changes authorization level, this may
require that authorization attributes be added/deleted from a user
To overcome these limitations, several vendors have implemented
additional RADIUS commands in order to be able to support unsolicited
messages sent from the RADIUS server to the NAS. These extended
commands provide support for Disconnect and Change-of-Authorization
(CoA) messages. Disconnect messages cause a user session to be
terminated immediately, whereas CoA messages modify session
authorization attributes such as data filters.”
To use CoA, the RFC 3576 server must send the standard RADIUS ‘Filter-Id’ attribute (attribute 11) in the CoA-Request; its value is the name of the user role the controller should apply to the session.
The ‘Aruba-User-Role’ vendor-specific attribute is not supported in CoA messages on ArubaOS 3.x.
An ESI (External Services Interface) license must also be installed on the Aruba controller.
This example uses radclient, the command-line client shipped with FreeRADIUS, as the testing utility.
On Aruba controller:
(ke1929-w1) #show aaa profile rfc3576
AAA Profile "rfc3576"
Initial role logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile rfc3576
802.1X Authentication Default Role guest
802.1X Authentication Server Group internal
RADIUS Accounting Server Group N/A
XML API server N/A
RFC 3576 server 10.168.123.210
User derivation rules N/A
Wired to Wireless Roaming Enabled
(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210 ?
| Output Modifiers
(ke1929-w1) #show aaa rfc-3576-server 10.168.123.210
RFC 3576 Server "10.168.123.210"
(ke1929-w1) #show license
Key Installed Expires Flags Service Type
--- --------- ------- ----- ------------
+QPKOMv9-QQFKySuB-4nHiPGPa-4wUy2... 2008-03-26 Never E Policy Enforcement Firewall
gKtQ5piW-wcfbrqVq-n/HIHk/9-6MoC9... 2008-03-26 Never E Wireless Intrusion Protection
j2yAbp3s-wZgADP2Z-NoSK+hVk-Sa+vz... 2009-03-09 Never E External Services Interface
License Entries: 3
Flags: A - auto-generated; E - enabled; R - reboot required to activate
On the RADIUS server (Linux):
echo -e "User-Name =aaa\nFilter-Id = authenticated" | radclient -n 1 -x 10.168.123.214:3799 coa aruba123
This command sends a CoA-Request to the controller (10.168.123.214, UDP port 3799) using the shared secret aruba123 configured for the RFC 3576 server, and asks it to change the role of user ‘aaa’ to ‘authenticated’.
If the request is accepted, the Aruba controller returns a CoA-ACK. If it is rejected (for example, no session exists for that user), the controller returns a CoA-NAK, and a request whose authenticator does not verify against the shared secret is silently discarded, so radclient simply times out with no reply.