Controllerless Networks

iap-93 rfc-3576
  • 1.  iap-93 rfc-3576

    Posted Oct 01, 2012 11:31 AM

    Hi all,

    I was wondering how the IAP-93's compliance with RFC 3576 works?

    I'm currently using packetfence and it tries to access my IAP-93 on port UDP/3799.

    Any clues?

    Regards,

    Xinity



  • 2.  RE: iap-93 rfc-3576

    EMPLOYEE
    Posted Oct 01, 2012 11:54 AM

    Xinity,

    Do you have your packetfence set up as a RADIUS server with RFC 3576 enabled on your IAP virtual controller?

    3576.png



  • 3.  RE: iap-93 rfc-3576

    Posted Oct 01, 2012 12:13 PM

    Hi,

    packetfence has a configuration template for all Aruba devices, which is what I have used.

    I don't remember setting anything about NAS-Identifier in packetfence (which uses FreeRADIUS).

    In my case:

    - NAS IP address --> IP of my VC (@range.7); my access point is using @range.8

    - NAS Identifier --> [blank]

    I forgot to mention that on my access point, I've enabled RFC 3576.

    Thanks for your help,

    Regards,

    Xinity



  • 4.  RE: iap-93 rfc-3576

    EMPLOYEE
    Posted Oct 01, 2012 12:51 PM

    Xinity,

    Theoretically that should work, but I do not know if Packetfence specifically was tested...



  • 5.  RE: iap-93 rfc-3576

    Posted Oct 02, 2012 03:26 AM

    Thanks anyway,

    I'll dig in to see how to make this work :)

    Regards,

    Xinity



  • 6.  RE: iap-93 rfc-3576

    Posted Oct 02, 2012 11:35 AM

    Can you explain how the IAP-93 should handle a CoA request?

    Is it using a specific network port (TCP/UDP)?

    I've read about RFC 3576.

    The RFC is related to:

    I) Dynamic Authorization Extensions to RADIUS:

    "The NAS responds to a Disconnect-Request packet sent by a RADIUS server with a Disconnect-ACK if all associated session context is discarded and the user session is no longer connected, or a Disconnect-NAK, if the NAS was unable to disconnect the session and discard all associated session context"

    II) Change-of-Authorization Messages (CoA):

    "The NAS responds to a CoA-Request sent by a RADIUS server with a CoA-ACK if the NAS is able to successfully change the authorizations for the user session, or a CoA-NAK if the Request is unsuccessful."

    Which of these is available on an IAP-93 running ArubaOS 6.1.3.1-3.0.0.2_34479?

    How do I use this/these feature(s)?

    Thanks for your precious help,

    Regards,

    Xinity
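To make the RFC 3576 exchange quoted above concrete (and the UDP/3799 port from the first post), here is an added example that is not part of this thread or of PacketFence or Aruba code. It models the NAS side of a Disconnect-Request: the access point validates the Request Authenticator with the shared secret before touching any session, answers with Disconnect-ACK when it tore the session down, or Disconnect-NAK with Error-Cause 503 (Session Context Not Found) when it has no such session, and silently discards anything that fails the authenticator check. The session table, the session id and the user name are constructed sample data; the shared secret is the `testing123` default mentioned later in the thread. CoA-Request handling and the optional Message-Authenticator attribute are left out.

```python
import hashlib
import hmac
import struct

# Packet codes defined by RFC 3576 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used here (RFC 2865 / RFC 3576)
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503
DAC_PORT = 3799  # UDP port the NAS listens on for these packets (the port seen in the thread)

def encode_attrs(attrs):
    """Serialise a list of (type, value_bytes) as RADIUS TLVs (1-byte type, 1-byte length)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def build_request(code, ident, attrs, secret):
    """What the RADIUS server sends. RFC 3576 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request(pkt, secret):
    """NAS-side check: True only if the Request Authenticator was computed with our secret."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)

def build_response(code, ident, request_auth, attrs, secret):
    """ACK/NAK from the NAS. Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_response(resp, request_auth, secret):
    """Server-side check of an ACK/NAK against the Request Authenticator it sent."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def error_cause(pkt):
    """Return the Error-Cause value carried by a NAK, or None."""
    for attr_type, value in decode_attrs(pkt[20:]):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def nas_handle(pkt, secret, sessions):
    """Model of the NAS behaviour quoted in the thread. sessions maps Acct-Session-Id -> user.
    Unauthenticated or malformed packets are silently discarded (return None), as RFC 3576 requires."""
    if not verify_request(pkt, secret):
        return None
    code, ident, request_auth = pkt[0], pkt[1], pkt[4:20]
    if code != DISCONNECT_REQUEST:
        return None  # CoA-Request handling is not modelled here
    try:
        attrs = dict(decode_attrs(pkt[20:]))
    except ValueError:
        return None
    session_id = attrs.get(ATTR_ACCT_SESSION_ID)
    if session_id in sessions:
        del sessions[session_id]  # tear the session down, then ACK
        return build_response(DISCONNECT_ACK, ident, request_auth, [], secret)
    cause = struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, ident, request_auth, [(ATTR_ERROR_CAUSE, cause)], secret)

if __name__ == "__main__":
    # Constructed sample: the thread's default secret and an invented session.
    secret, sessions = b"testing123", {b"5001": "alice"}
    req = build_request(DISCONNECT_REQUEST, 7,
                        [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_SESSION_ID, b"5001")], secret)
    resp = nas_handle(req, secret, sessions)
    print("reply code", resp[0], "authentic", verify_response(resp, req[4:20], secret), sessions)
```

Running the script prints reply code 41 (Disconnect-ACK) and an empty session table. The same request against a NAS that does not know the session yields code 42 with Error-Cause 503, and a request built with a different secret, or with any byte altered after signing, gets no reply at all, which is exactly the symptom of a shared-secret mismatch between PacketFence and the IAP that the later posts run into.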



  • 7.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 08:08 AM

    Hello,

    did you get Packetfence to work with your IAP?

    I tried it too with an Aruba IAP 135, but I didn't get it working yet.



  • 8.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 08:26 AM

    Hi,

    I did make my IAP-93 work with packetfence, except for the CoA; I'm still fighting :(

    Do you need any help?



  • 9.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 09:22 AM

    Yes, I need help.

    What have you configured on the IAP, and what did you configure on the packetfence side?

    I tried it but it won't work.



  • 10.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 10:03 AM

    Ok, I tried it so much but it didn't work.

    I configured it like in this link:
    http://www.packetfence.org/bugs//bug_view_advanced_page.php?bug_id=1618

    but it won't work.

    The Packetfence server didn't answer:

    Capture.JPG

    I don't understand: the port is right, the shared secret is right (I use the default testing123) :(

    I hope you can help me to get this working.



  • 11.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 10:32 AM

    @Leon123 wrote:

    Ok, I tried it so much but it didn't work.

    I configured it like in this link:
    http://www.packetfence.org/bugs//bug_view_advanced_page.php?bug_id=1618

    but it won't work.

    The Packetfence server didn't answer:

    Capture.JPG

    I don't understand: the port is right, the shared secret is right (I use the default testing123) :(

    I hope you can help me to get this working.

    Seems you found my pull request in the packetfence project :D
    Can you check that your packetfence is listening on 1812 and 1813?
    Besides, how is your packetfence instance configured?
    Inline? Out-of-band?
    Regards,
    Xinity



  • 12.  RE: iap-93 rfc-3576

    Posted Jan 29, 2013 10:27 AM

    Packetfence side:

    - add an Aruba switch configuration

    ==> don't forget the RADIUS secret

    If you are using the Virtual Controller as a RADIUS proxy, use its IP instead of the IAP address in the packetfence configuration.

    Aruba side:

    in the PEF configuration:

    - add an authentication server:

     - type: Radius

    ==> it seems CoA has been implemented in the latest firmware (just discovered :)) but I haven't tested it, so I would not tick the CoA Only box.

    - name: [add a fancy name]

    - ip: [your packetfence IP]

    - Shared key: [add your RADIUS secret key]

    - RFC3576: Enabled

    - NAS IP: (optional) [your VC IP]

    - NAS identifier: (optional) [a fancy name]

    This is just the configuration; it really depends on how you use packetfence (inline or out-of-band), your VLAN configuration and many more configuration tips.

    If you are using Packetfence ZEN, then you should configure your wireless network like this:

    Aruba network configuration:

    VLAN:

    - Client IP Assignment: Network Assigned

    - Client VLAN Assignment: Dynamic

    VLAN Assignment Rules:

    - Attribute: Tunnel-Private-Group-Id contains 1 VLAN: 1

    - Attribute: Tunnel-Private-Group-Id contains 1 VLAN: 4

    Security:

    MAC Authentication: enabled

    Authentication server: [your authentication server name]

    Hoping this helps,

    Regards,

    Xinity