Frequent Contributor I

COA - works from CPG, won't work from [Aruba Terminate Session]

I'm trying to set up a Service in CPPM to disconnect a device (macauth) after WebAuth via the [Aruba Terminate Session]. The service is accepted once the device is registered, but the system stays in the preauth role on the controller. I can successfully Disconnect devices on the controller via CPG, which I presume means the rfc-3576-server CoA is working correctly, and the device is successfully booted from the role.

 

Am I missing something simple, or am I mistaken that CPG Disconnect is not using the same mechanism as the [Aruba Terminate Session] profile?

 

thanks

mike

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

Does it work manually from access tracker for the same client?

 

Are you returning a REJECT or ACCEPT on the initial MAC auth?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

(Thanks for responding Tim, I'm trying to get your DEVICE-REG_DM-COA working from the educause Wireless-LAN group email)

 

It does work manually from Access Tracker.

The default profile on the macauth service is [Drop Access Profile], which has the Drop action. The Access Tracker details have:

Post-Auth-Check:Action   Disconnect

and

MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

 

thanks

mike

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

Your MAC auth service should be using Allow All MAC Auth and returning a captive portal role for unknown devices.

 

Can you post screenshots of the request hitting the DM-COA WebAuth service?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

OK, that makes this more than a minor change..    Here's the screenshot..

 

thanks

mike

 

 

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

Why do you have 2 terminate sessions there? What is "UD [Terminate Session]"?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

After the default terminate didn't work, I copied it and only included the local controllers in the list and added that also... 

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

I'm not following that. Can you post a screenshot? You should only be using the default [Aruba Terminate Session].


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

It was just an initial troubleshooting test. Since we have both local and eduroam federation controllers listed, I wanted to make sure the eduroam list wasn't causing the terminate to end abnormally, so I copied the profile and listed only the local controllers. I've removed it now.

 

Screen Shot 2017-08-28 at 10.40.22 AM.png

Mike Davis
Network Engineer
University of Delaware
Frequent Contributor I

Re: COA - works from CPG, won't work from [Aruba Terminate Session]

"Your MAC auth service should be using Allow All MAC Auth and returning a captive portal role for unknown devices."

 

Are there examples of this anywhere? I've gone through the wizard and made several attempts modifying that service for mine, but I'm not having any luck.

 

thanks

mike

Mike Davis
Network Engineer
University of Delaware