Controllerless Networks

New Contributor

Radius CoA with Instant

I want to change the user role of a client with RADIUS CoA; however, I can't get it to work. How can I troubleshoot CoA on Instant? The CoA-Request to the Instant VC is captured via Wireshark.


First, the client gets a role "Role1" by the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is expected behavior.


I can verify this on the Virtual Controller with "show derivation-rules".

[Screenshot: show derivation-rules]


Now the problem:

I send a CoA request and receive a CoA-ACK, OK.

[Screenshot: radclient coa]


I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?


Role2 is created on VC and RFC3576 is enabled for auth-server



Guru Elite

Re: Radius CoA with Instant

You should not be using derivation rules. Return the first role using the Aruba-User-Role VSA.

Remove all derivation rules and try again.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: Radius CoA with Instant

I removed the role assignments for the ssid-profile,

and I also changed the radreply attribute Filter-Id to Aruba-User-Role.


Still the same result. I think the immediate Access-Challenge overwrites the CoA-Request on the Instant VC. Is there a way to verify this in the VC log?


On the VC, under Support Command: AP Log ALL, I can see that the VC handles the stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA-Request?


Jun 19 11:27:08  stm[3694]: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f: (role=) from:
Jun 19 11:27:08  stm[3694]: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
Jun 19 11:27:08  stm[3694]: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c


See the log file attached.


Please let me know if you need further logs.




Guru Elite

Re: Radius CoA with Instant

What is your RADIUS server?

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: Radius CoA with Instant

I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSA for FreeRADIUS placed in /usr/share/freeradius.


I read the post:

What attribute do I use when configuring an RFC3576 server for change of authorization?

by Aruba employee aarunkumar


I assume this can work on Instant.


Guru Elite

Re: Radius CoA with Instant

Change User Role uses filter-id for the role name. But do not configure an SDR.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
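
For checking a captured CoA-Request against what this thread expects (a role name carried in Filter-Id), the following is an added example, not code from any poster or from Aruba. It builds and parses a CoA-Request per RFC 5176 and verifies its Request Authenticator; the shared secret is constructed, and using Calling-Station-Id in this MAC format to identify the session is an assumption, not something the thread confirms for Instant.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RFC 5176 packet code (CoA-ACK is 44, CoA-NAK is 45)
FILTER_ID = 11              # RFC 2865 attribute types
CALLING_STATION_ID = 31

SECRET = b"testing123"      # constructed sample secret, not from the thread
SAMPLE_ATTRS = [            # session identifier attribute is an assumption
    (CALLING_STATION_ID, "a0:8d:16:9d:fb:2f"),   # client MAC from the AP log
    (FILTER_ID, "Role2"),                        # target role name
]

def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    data = value.encode()
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def build_coa_request(identifier, secret, attrs):
    """Build a CoA-Request with the RFC 5176 Request Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    # Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_coa_request(packet, secret):
    """Return (authenticator_ok, attributes) for a captured CoA-Request."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        end = pos + packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:end].decode(errors="replace")))
        pos = end
    return hmac.compare_digest(expected, packet[4:20]), attrs

if __name__ == "__main__":
    pkt = build_coa_request(1, SECRET, SAMPLE_ATTRS)
    ok, attrs = parse_coa_request(pkt, SECRET)
    print("authenticator valid:", ok)
    print("attributes:", attrs)
```

Feeding the UDP payload of a captured request (CoA normally arrives on port 3799) to `parse_coa_request` shows whether the secret matches and which attributes actually reached the VC.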