New Contributor

Radius CoA with Instant

I want to change the user role of a client with RADIUS CoA, however I can't get it to work. How can I troubleshoot CoA on Instant? The coa-request to the Instant VC is captured via Wireshark.

 

First the client gets the role "Role1" by the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is the expected behavior.

 

I can verify this on the Virtual Controller by "show derivation-rules"

show derivation-rules.png

 

Now the problem: I send a CoA request and receive a CoA-ACK, OK.

radclient coa.png

wireshark.png

I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?

 

Role2 is created on VC and RFC3576 is enabled for auth-server

 

 

Guru Elite

Re: Radius CoA with Instant

You should not be using derivation rules. Return the first role using the Aruba-User-Role VSA.

Remove all derivation rules and try again.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Radius CoA with Instant

I removed the Role assignments for ssid-profile

roles.png

and also I changed the radreply attribute Filter-Id to Aruba-User-Role

radreply_2.png

Still the same result. I think the immediate Access-Challenge overwrites the CoA request on the Instant VC; is there a way to verify this in the VC log?

 

In the VC Support Command "AP Log ALL" I can see that the VC handles the stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA request?

 

Jun 19 11:27:08  stm[3694]: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f:172.31.98.122 (role=) from:10.0.99.24
Jun 19 11:27:08  stm[3694]: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
Jun 19 11:27:08  stm[3694]: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c

 

see log file attached.

 

Please let me know if you need further log.

 

regards,

Peter

Guru Elite

Re: Radius CoA with Instant

What is your RADIUS server?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Radius CoA with Instant

I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSAs for FreeRADIUS placed in /usr/share/freeradius

 

I read the post:

What attribute do I use when configuring an RFC3576 server for change of authorization?

by Aruba employee aarunkumar

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-attribute-do-I-use-when-configuring-an-RFC3576-server-for/ta-p/183484

 

I assume this can work on Instant.

 

Guru Elite

Re: Radius CoA with Instant

Change User Role uses filter-id for the role name. But do not configure an SDR.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
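As an added example (not code from this thread, from Aruba or from FreeRADIUS), the following Python builds the CoA-Request the last reply describes, with the role name carried in Filter-Id and no derivation rule involved, and validates the Response Authenticator of the CoA-ACK/NAK that comes back, which is the check to apply before trusting an "ok" from radclient. The shared secret, Identifier, MAC, username and role are constructed placeholders; sending the bytes over UDP to the VC's RFC 3576 port is left to the reader.

```python
# Added example: RFC 5176 CoA-Request with Filter-Id=<role>, plus response validation.
# All values (secret, Identifier, MAC, role, username) are constructed placeholders.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 11, 31, 80
ZERO16 = b"\x00" * 16

def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 s.5)."""
    value = value.encode() if isinstance(value, str) else value
    return struct.pack("BB", attr_type, len(value) + 2) + value

def build_coa_request(secret, ident, station_mac, role, username=None):
    """CoA-Request carrying the new role in Filter-Id. The Message-Authenticator
    (RFC 3579) is an HMAC-MD5 over the packet with the Authenticator field zeroed,
    as radclient computes it; the Request Authenticator (RFC 5176 s.2.3) is then
    MD5(Code+ID+Length, 16 zero octets, attributes, secret)."""
    attrs = avp(CALLING_STATION_ID, station_mac) + avp(FILTER_ID, role)
    if username:
        attrs = avp(USER_NAME, username) + attrs
    attrs += avp(MESSAGE_AUTHENTICATOR, ZERO16)        # placeholder, filled in below
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + ZERO16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    req_auth = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    return header + req_auth + attrs

def check_response(secret, request, response):
    """Validate a CoA-ACK/CoA-NAK against the request it answers and return its name.
    Response Authenticator = MD5(Code+ID+Length, Request Authenticator, attrs, secret)."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("short packet or Identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(response[0], f"code {response[0]}")

def fake_reply(secret, request, code, attrs=b""):
    """Constructed CoA-ACK/NAK answering `request`, for offline testing only."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
```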