Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RFC 3576 Disconnects

  • 1.  RFC 3576 Disconnects

    Posted Nov 29, 2012 08:48 AM

    Hello,

    I am trying to troubleshoot RFC3576 disconnects.  When I delete a user account on the Amigopod, I get " Deleted guest account bmctest3. Connection is not connected to a NAS supporting disconnects."

    I am on Amigopod 3.7, with AOS 6.1.3.3 code. I have an RFC3576 object configured and also added to the AAA profile. Actually, I have two RFC-3576 objects defined in both places, because I wasn't sure if the 3576 request comes from the Virtual HA Cluster IP or the interface IP of the Amigopod. I have 1812, 1813 open on the firewall from Controller --> Amigopod (this has been in place and working fine for authenticating users). For testing, I have opened 1812, 1813 and 3799 in both directions with still no luck. We need 1812, 1813 from Controller --> Amigopod for normal auth of users, but what FW rules do we need for 3799 -- from Amigopod --> Controller only?

    I started a packet capture on the Amigopod for RADIUS traffic, and I only see normal RADIUS auth traffic from the Controller to the Amigopod -- I don't see the Amigopod trying to send a deauth packet to the controller. Also, I don't see any activity on the FW rules I have in place for testing for port 3799.

    It seems like the Amigopod isn't even trying to send disconnects to the controller -- any ideas?



    Thanks,
    Bryan
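
For checking a capture like the one described in the post above, this added example (not part of the thread, and not Amigopod or ArubaOS code) decodes a RADIUS payload seen on UDP 3799 and verifies a request's authenticator against the shared secret as RFC 3576 defines it. The sample packet, the secret and the address 192.0.2.10 are constructed; only the username bmctest3 comes from the post.

```python
import hashlib, hmac, socket, struct

# RFC 3576 packet codes; requests travel from the RADIUS server to the NAS on UDP 3799.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 44: "Acct-Session-Id"}

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def parse(packet, secret):
    """Return (code name, attributes, authenticator_ok) for one UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the payload")
    auth, body = packet[4:20], packet[20:length]
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = body[i], body[i + 2:i + body[i + 1]]
        if atype == 4 and len(value) == 4:
            value = socket.inet_ntoa(value)          # NAS-IP-Address as dotted quad
        else:
            value = value.decode("utf-8", "replace")
        attrs[ATTRS.get(atype, atype)] = value
        i += body[i + 1]
    # Only requests (40, 43) can be checked alone; replies hash the request's authenticator.
    ok = code in (40, 43) and hmac.compare_digest(
        auth, request_authenticator(code, ident, body, secret))
    return CODES.get(code, "code %d" % code), attrs, ok

def sample_packet(secret):
    """Constructed Disconnect-Request; 192.0.2.10 is a documentation address."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    body = attr(1, b"bmctest3") + attr(4, socket.inet_aton("192.0.2.10"))
    auth = request_authenticator(40, 7, body, secret)
    return struct.pack("!BBH", 40, 7, 20 + len(body)) + auth + body

if __name__ == "__main__":
    print(parse(sample_packet(b"constructed-secret"), b"constructed-secret"))
```

A payload that parses but fails the authenticator check points at a shared-secret mismatch between the two ends rather than at a firewall rule.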



  • 2.  RE: RFC 3576 Disconnects

    EMPLOYEE
    Posted Nov 29, 2012 10:33 AM

    Within Amigopod check RADIUS > NAS List and confirm it is aruba_3576, not just aruba.  There was a time when Aruba did not always support 3576 so there are two NAS types for them. 

     



  • 3.  RE: RFC 3576 Disconnects

    Posted Nov 29, 2012 12:06 PM

    I checked and both of our Amigopods are set up for Aruba_3576.



  • 4.  RE: RFC 3576 Disconnects
    Best Answer

    EMPLOYEE
    Posted Nov 29, 2012 03:48 PM

    The _only_ way to get the error you are stating is when the nastype does not contain '3576'. The NAS address in the sessions list is exactly the same as you have in the NAS List? Something must be making that lookup fail.

     



  • 5.  RE: RFC 3576 Disconnects
    Best Answer

    Posted Nov 30, 2012 01:36 PM

    That was it, we had our two Aruba controllers defined in the Amigopod NAS list, but I didn't have the HA VRRP IP defined.  I added the VRRP IP as a 3rd NAS and it is working now!  Thank you.

     

     



  • 6.  RE: RFC 3576 Disconnects

    Posted Jun 06, 2014 11:47 AM

    Just wanted to add my findings to this as it may help someone down the road. When doing a client-debug I came across the RFC messages "User entry deleted: reason=RFC 3576 disconnect". I had made 2 adjustments in the end. I don't recall which one was the one that resolved this issue.

     

    In my case we were using the ClearPass server; the CP server was hosting the Web Portal for Captive Portal. I had gone into the AAA Profiles and selected the server that was used for authentication. I had removed the RFC 3576 Server from this config. I also went into the L3 Authentication for the Captive Portal Auth, where I had added the option "Add switch IP address in the redirection URL".

     

    After both of these were complete, I no longer received the RFC 3576 disconnects. 

     

    Hope this helps someone down the road.