CPPM guest CoA w/ Cisco WLC and server-initiated auth causes disconnects

Here is the rundown

MAC AUTH service is hit

User loads a portal
Accepts terms and conditions

Countdown happens...

CoA is sent

MAC AUTH service is hit again and ACL is pushed to WLC to allow them onto the internet.

What is happening is that certain devices (especially Apple devices) don't seem to like the CoA and bounce off the SSID and connect back to another SSID (basically the last known connected SSID), which I believe is how iOS handles this stuff...

Is there anything I can do to prevent this or ease the customer?

CoA delay is 5

Reject packet delay is 0

Portal delay is 15 sec...

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]

Re: CPPM guest CoA w/ Cisco WLC and server-initiated auth causes disconnects

What CoA are you using?

Re: CPPM guest CoA w/ Cisco WLC and server-initiated auth causes disconnects

We are using session reauthenticate
https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-coa-supp.pdf

We are opening a ticket with Cisco.

The NADs (especially Apple ones) don't like the CoA reauthenticate, especially on WPA2-PSK enabled SSIDs. Theoretically, on an Open SSID, a disconnection is not supposed to occur with session-reauthenticate, but it does, or it's not always consistent, and we get the famous "Error hotspot login error".

If you look at
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Snippet from the bottom of the article:

Note that the type of CoA returned by ISE evolved across versions. ISE 2.0 will request the WLC to re-run the authentication rather than plainly disconnect the client.

The WLC will then not send a disassociation frame to the client and will run a radius authentication again and apply the new result transparently to the client.

However, things are still different if a PSK is in use. Since 8.3, the WLC supports setting a WPA pre-shared key on a CWA SSID. In that kind of situation, upon reception of the same CoA from ISE as above, the WLC will have to trigger a new WPA key exchange again. Therefore, in the case of PSK, the WLC will have to send a disassociate frame to the client, which will have to reconnect. In classical non-PSK scenarios, the WLC will not send a disassociate frame to the client and will simply apply the new authorization result. However, an "association response" will still be sent to the client although no "association request" was ever received from the client, which might seem curious when analyzing sniffer traces.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
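To make the "session reauthenticate" CoA discussed in this thread concrete, here is an added example (not code from the original post, ClearPass or Cisco) that encodes a RADIUS CoA-Request (RFC 5176) carrying the Cisco-AVPair `subscriber:command=reauthenticate`, and shows the check a NAD performs on receipt: recomputing the Request Authenticator with the shared secret, so a CoA from anyone without that secret is rejected. The shared secret and client MAC are constructed sample values; Message-Authenticator, which some NADs additionally require, is left out for brevity.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code for CoA-Request
CALLING_STATION_ID = 31   # RADIUS attribute carrying the client MAC
VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type 1 inside the VSA = Cisco-AVPair


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_reauth(secret: bytes, identifier: int, mac: str, reauth_type: str = "last") -> bytes:
    """Build the CoA-Request a RADIUS server sends to reauthenticate one client session."""
    attrs = (
        avp(CALLING_STATION_ID, mac.encode())
        + cisco_avpair("subscriber:command=reauthenticate")
        + cisco_avpair(f"subscriber:reauthenticate-type={reauth_type}")
    )
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check: the packet is only acted on if the authenticator matches the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def cisco_avpairs(packet: bytes) -> list:
    """Extract the Cisco-AVPair strings so the requested command is visible when debugging."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break
        value = packet[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            pairs.append(value[6:6 + value[5] - 2].decode())  # skip vendor-id and the inner type/length
        pos += length
    return pairs
```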