Controllerless Networks


Aruba Instant and Radius CoA

  • 1.  Aruba Instant and Radius CoA

    Posted May 24, 2016 03:46 PM

    Hello,

    I'm decently familiar with the Aruba Instant APs and their deployment from selecting them in a previous role.  I'm now considering selecting them as our solution for our remote office locations, however we're running into a holdup.  We have a NAC vendor that we're not willing to change (Forescout) and while they state they support IAPs, they can't really do much with them, not even a simple block at the moment.

     

    They are pushing us away from CoA as a solution, but I spun up a freeradius box to experiment with what I can do through the Instants using CoA.

     

    I seem to get a success message when I issue a disconnect, but I don't appear to drop offline.  Maybe I'm just immediately reauthenticating.  I've tried to use a CoA to switch to a different VLAN; I receive a CoA-ACK but the VLAN doesn't change.

     

    I was wondering if anyone knows what you can and cannot do through CoA, and if there are any guides to supported and unsupported commands to be sent to the Virtual Controller.

     

    Thanks so much for your help!

     

    -

    Chris



  • 2.  RE: Aruba Instant and Radius CoA

    EMPLOYEE
    Posted May 24, 2016 03:53 PM
    Can you post the contents of your CoA request?


  • 3.  RE: Aruba Instant and Radius CoA

    Posted May 24, 2016 03:59 PM

    Sure, here's from the example of trying to locate the session and update the VLAN:

     

    (7) Sending CoA-Request packet to host 172.20.96.247 port 3799, id=88, length=0
    (7) NAS-IP-Address = 172.20.96.247
    (7) Framed-IP-Address = 172.20.255.53
    (7) Aruba-User-Vlan = 132
    (7) Proxy-State = 0x3431
    Sending CoA-Request Id 88 from 0.0.0.0:37363 to 172.20.96.247:3799
    NAS-IP-Address = 172.20.96.247
    Framed-IP-Address = 172.20.255.53
    Aruba-User-Vlan = 132
    Proxy-State = 0x3431
    Waking up in 0.3 seconds.
    Received CoA-ACK Id 88 from 172.20.96.247:3799 to 172.20.254.83:37363 length 32
    NAS-IP-Address = 172.20.96.247
    NAS-Port-Type = Wireless-802.11
    (7) Received CoA-ACK packet from host 172.20.96.247 port 3799, id=88, length=32
    (7) NAS-IP-Address = 172.20.96.247
    (7) NAS-Port-Type = Wireless-802.11
    (7) # Executing section send-coa from file /etc/raddb/sites-enabled/coa
    (7) send-coa {
    (7) [ok] = ok
    (7) } # send-coa = ok
    (7) Sending CoA-ACK packet to host 127.0.0.1 port 40820, id=41, length=0
    (7) NAS-IP-Address = 172.20.96.247
    (7) NAS-Port-Type = Wireless-802.11
    Sending CoA-ACK Id 41 from 127.0.0.1:3799 to 127.0.0.1:40820
    NAS-IP-Address = 172.20.96.247
    NAS-Port-Type = Wireless-802.11
    (7) Finished request

     

    Here's from trying just to disconnect:

     

    (8) Sending Disconnect-Request packet to host 172.20.96.247 port 3799, id=201, length=0
    (8) NAS-IP-Address = 172.20.96.247
    (8) Framed-IP-Address = 172.20.255.53
    (8) Proxy-State = 0x313537
    Sending Disconnect-Request Id 201 from 0.0.0.0:37363 to 172.20.96.247:3799
    NAS-IP-Address = 172.20.96.247
    Framed-IP-Address = 172.20.255.53
    Proxy-State = 0x313537
    Waking up in 0.3 seconds.
    Received Disconnect-ACK Id 201 from 172.20.96.247:3799 to 172.20.254.83:37363 length 32
    NAS-IP-Address = 172.20.96.247
    NAS-Port-Type = Wireless-802.11
    (8) Received Disconnect-ACK packet from host 172.20.96.247 port 3799, id=201, length=32
    (8) NAS-IP-Address = 172.20.96.247
    (8) NAS-Port-Type = Wireless-802.11
    (8) # Executing section send-coa from file /etc/raddb/sites-enabled/coa
    (8) send-coa {
    (8) [ok] = ok
    (8) } # send-coa = ok
    (8) Sending Disconnect-ACK packet to host 127.0.0.1 port 52487, id=157, length=0
    (8) NAS-IP-Address = 172.20.96.247
    (8) NAS-Port-Type = Wireless-802.11
    Sending Disconnect-ACK Id 157 from 127.0.0.1:3799 to 127.0.0.1:52487
    NAS-IP-Address = 172.20.96.247
    NAS-Port-Type = Wireless-802.11
    (8) Finished request



  • 4.  RE: Aruba Instant and Radius CoA

    EMPLOYEE
    Posted May 24, 2016 04:16 PM
    For the VLAN change, try returning: IETF: Tunnel-Type 13 and IETF: Tunnel-Private-Group-ID <VLAN-ID>.

    For the disconnect requests, this simply causes clients to re-authenticate.
    You'll need something in your authentication policy to take different action
    when the device authenticates.
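As an added example (not from this thread, Aruba or FreeRADIUS), the following Python builds the CoA-Request the reply above recommends: it locates the session by Framed-IP-Address as in the radclient output earlier in the thread, carries Tunnel-Type=VLAN(13) and Tunnel-Private-Group-Id, adds Tunnel-Medium-Type=IEEE-802(6) (the third attribute RFC 3580 pairs with those two), and verifies the RFC 5176 Response Authenticator of the CoA-ACK/NAK before the ACK is trusted. The shared secret, identifier, client address and VLAN are placeholder values; nas_response only imitates the NAS so the check can be exercised offline.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                          # RFC 5176 packet codes
FRAMED_IP, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 8, 64, 65, 81  # RADIUS attribute types
TUNNEL_VLAN, MEDIUM_IEEE802 = 13, 6   # Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)


def _avp(attr_type, value, tag=None):
    """Encode one attribute; tunnel attributes (RFC 2868) carry a one-octet tag first."""
    body = (bytes([tag]) if tag is not None else b"") + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_vlan_coa(secret, ident, client_ip, vlan):
    """CoA-Request that finds the session by Framed-IP-Address and assigns a VLAN."""
    attrs = b"".join([
        _avp(FRAMED_IP, socket.inet_aton(client_ip)),
        # integer tunnel attributes are tag + 3-byte value; tag 1 groups the three together
        _avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_VLAN)[1:], tag=1),
        _avp(TUNNEL_MEDIUM, struct.pack("!I", MEDIUM_IEEE802)[1:], tag=1),
        _avp(TUNNEL_PGID, str(vlan).encode(), tag=1),
    ])
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def nas_response(secret, request, code=COA_ACK, attrs=b""):
    """Reply a NAS would send (constructed here for offline testing, not captured traffic)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Accept a CoA-ACK/NAK only if its ID matches the request and its authenticator is valid."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To send the packet, write build_vlan_coa's result to UDP port 3799 on the Virtual Controller and pass the reply to verify_response; a CoA-NAK that verifies is an honest refusal, while a reply that fails verification should be discarded.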


  • 5.  RE: Aruba Instant and Radius CoA

    Posted May 25, 2016 08:37 AM

    Thanks for the reply, I've tried to do that, but didn't see a VLAN change. I'm including a snip from Wireshark of my CoA packet to make sure it's formatted as you'd expect it to be.

     

    [Attachment: RADIUS_CoA Debug.PNG]



  • 6.  RE: Aruba Instant and Radius CoA

    Posted Jun 20, 2018 09:54 AM

    Ciao,

    does the CoA use the client IP address for disconnecting ? And not the client MAC address?