Security

Hello,

I was having the same problem until I switched the WLC NAD port on CPPM to 1700. As soon as that was done, CoA started working. You don't need to add the audit session ID (the calling station ID is just what is needed, nor the reauthenticate last)

let me just add for reference all that I did in an attached PDF, it may help someone... If anyone has a better way of doing this I'm all hears (I'm really starting to put my hands in CPPM, so I'm probably still doing lots of mistakes...)

Enjoy and comment!

Flow is:

Endpoint associates, tries MAC Auth and generates RADIUS request to CPPM - 1st pass on mac auth service (allow all mac)

On CPPM endpoint is unknown - gets returned an access-acept plus an URL redirect

Person using endpoint goes to web browser and gets redirected to CPPM portal and authenticates

This authentication is processed in CPPM via a webauth service that will:

Map a role to the endpoint

Generate a coa for the controller to reauthenticate the user (new mac auth - 2nd pass)

This 2nd pass will then be catched by the same mac auth service, but this time (during 5 minutes after accounting start) the endpoint will have roles in its policy cache. These roles will be matched and the appropriate RADIUS attributes will be returned (specific dacl's for instance)

When user disconnects:

Controller will need to time out the endpoint, then send accounting stop to CPPM. CPPM will keep endpoint policy cache in during 5 minutes and then purge it. Next time user associates ---> start all over again.

g9ais,

Can you paste the config for your ACL here? I've found that the various guides isn't always the right way to configure the redirect ACL so it's interresting to see how you've done it.

I'm looking for real life examples, as my experience differs a bit from the guides.

I've done this on Cisco 5760 (IOS XE) and the guides said this should be the ACL:

        deny udp any eqbootpsany

        deny udp any anyeqbootpc  

        deny udp any eqbootpcany

   # above 3 rules block DHCP

        deny udp any anyeq domain

        deny tcp any anyeq domain

  # block DNS

        deny ip any host 192.168.154.119     # block access to ISE server

        deny ip any host 192.168.150.25       # block access to DHCP/DNS servers

        permit tcp any anyeq www   # permit www and/or 443

Atleast - it didn't work with IOS XE 3.3.1, but now it's upgraded to 3.3.3 and then the ACL had to be changed to reflect the same as mentioned above. So - thats why I'm looking at how people are implementing the ACL.