Contributor II

RFC 3576 Disconnects

Hello,

I am trying to troubleshoot RFC3576 disconnects.  When I delete a user account on the Amigopod, I get " Deleted guest account bmctest3. Connection is not connected to a NAS supporting disconnects."

I am on Amigopod 3.7, with AOS 6.1.3.3 code. I have an RFC3576 object configured and also added to the AAA profile. Actually, I have two RFC-3576 objects defined in both places, because I wasn't sure if the 3576 request comes from the Virtual HA Cluster IP or the interface IP of the Amigopod. I have 1812,1813 open on the firewall from Controller --> Amigopod (this has been in place and working fine for authenticating users). For testing, I have opened 1812,1813 and 3799 in both directions with still no luck. We need 1812, 1813 from Controller --> Amigopod for normal auth of users, but what FW rules do we need for 3799 -- from Amigopod --> Controller only?

I started a packet capture on the Amigopod for RADIUS traffic, and I only see normal RADIUS auth traffic from the Controller to the Amigopod -- I don't see the Amigopod trying to send a deauth packet to the controller. Also, I don't see any activity on the FW rules I have in place for testing for port 3799.

It seems like the Amigopod isn't even trying to send disconnects to the controller -- any ideas?



Thanks,
Bryan

Aruba Employee

Re: RFC 3576 Disconnects

Within Amigopod check RADIUS > NAS List and confirm it is aruba_3576, not just aruba. There was a time when Aruba did not always support 3576 so there are two NAS types for them.

Contributor II

Re: RFC 3576 Disconnects

I checked and both of our Amigopods are set up for Aruba_3576.

Aruba Employee

Re: RFC 3576 Disconnects

The _only_ way to get the error you are stating is when the nastype does not contain '3576'. The NAS address in the sessions list is exactly the same as you have in the NAS List? Something must be making that lookup fail.

Contributor II

Re: RFC 3576 Disconnects

That was it, we had our two Aruba controllers defined in the Amigopod NAS list, but I didn't have the HA VRRP IP defined. I added the VRRP IP as a 3rd NAS and it is working now! Thank you.

Contributor II

Re: RFC 3576 Disconnects

Just wanted to add my findings to this as it may help someone down the road. When doing a client-debug I came across the RFC messages "User entry deleted: reason=RFC 3576 disconnect". I had made 2 adjustments in the end. I don't recall which one was the one that resolved this issue.

In my case we were using the ClearPass server, the CP server was hosting the Web Portal for Captive Portal. I had gone into the AAA Profiles, and selected the server that was used for authentication. I had removed the RFC 3576 Server from this config. I also went into the L3 Authentication for the Captive Portal Auth, I had added the option "Add switch IP address in the redirection URL".

After both of these were complete, I no longer received the RFC 3576 disconnects.

Hope this helps someone down the road.

Justin Kwasnik | ACMX# 598 | ACCX# 638
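
For the packet-capture step discussed in this thread, the following added example (not code from any poster or from Aruba) decodes a UDP 3799 payload, names the RFC 3576 message type, lists its attributes, and checks a request's authenticator against the shared secret. The function names, the shared secret and the 192.0.2.10 NAS address are constructed for illustration; `bmctest3` is the test account from the first post.

```python
import hashlib
import hmac
import struct

# RADIUS codes that RFC 3576 defines for dynamic authorization (UDP 3799)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
USER_NAME, NAS_IP_ADDRESS = 1, 4  # standard RADIUS attribute types

def build_disconnect_request(ident, secret, user, nas_ip):
    """Build a constructed Disconnect-Request to use as sample input."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    header = struct.pack("!BBH", 40, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_dynauth(packet, secret):
    """Decode a payload seen on UDP 3799; verify requests against the secret."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    auth, attrs, out, i = packet[4:20], packet[20:length], {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    if i != len(attrs):
        raise ValueError("trailing bytes after last attribute")
    valid = None  # responses need the matching request, so only requests are checked
    if code in (40, 43):
        expect = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
        valid = hmac.compare_digest(auth, expect)
    return {"code": CODES.get(code, "other"), "id": ident,
            "attrs": out, "authenticator_ok": valid}

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value
    pkt = build_disconnect_request(7, secret, b"bmctest3", "192.0.2.10")
    print(parse_dynauth(pkt, secret))
```

A request whose `authenticator_ok` is `False` points to a shared-secret mismatch between the RADIUS server and the controller; no code-40 packet in the capture at all means the server never attempted the disconnect.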