Contributor II
Posts: 58
Registered: ‎04-29-2014

Radius CoA over Internet

Hello,

I am trying to get CoA over Internet working between CPPM and an Instant VC.

I'll change the IP addresses for the explanations:

- My CPPM Server is accessible with a public IP 1.1.1.1
- My Instant VC has the private IP address 192.168.0.254
- The Public IP Address of the site where the Instant Cluster is 2.2.2.2

So,

I first added the Instant VC as a RADIUS client on CPPM with the name Instant-Demo and the IP 2.2.2.2 (the public IP). I also chose Aruba and activated CoA.

Then I added on the Instant VC my CPPM Server (1.1.1.1) with the NAS-IP of 2.2.2.2 and the NAS-ID of Instant-Demo. I made sure to select RFC 3576.

Last thing I did was to add an IP forwarding rule on my firewall where the Instant Cluster is, to redirect port 3799 to 192.168.0.254, for traffic coming from 1.1.1.1 and arriving on 2.2.2.2.

When I try to disconnect a visitor from CP Guest, it loads for a few seconds and an error appears, telling me to check Access Tracker. When I try to send the CoA message manually from the Access Tracker, 'Failed to contact Access Control Service' appears.

Also, the application log in CP Guest gives me this error message:

Client:    2.2.2.2:6742
App User:  admin
Script:    /guest/guest_sessions.php
Function:  NwaGuestManager_GuestSessions_Disconnect
Arguments: array (
  'error' => 1,
  'message' => '{"content": {"cnc_actions": [{"status_message": "Radius [Aruba Terminate Session] failed for client 18af61cefdc8", "id": 1}]}, "id": "R000000b7-01-53d0fe74", "name": "cnc_response"}',
)

Does anyone have an idea of what could cause the problem? I tried to find a way to test whether the CoA message was making it to the Instant VC, but without any success. (Is that even possible?)

Thanks a lot for your help.

Regards,

nice2k

MVP
Posts: 702
Registered: ‎12-01-2010

Re: Radius CoA over Internet

Simple plumbing question:

Is there a firewall rule for both directions (not the NAT, but the permit statements)?

You will have to allow the iAP out to make Auth calls to CP on RADIUS ports, and separately allow CP in to make CoA calls to the iAP.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Contributor II
Posts: 58
Registered: ‎04-29-2014

Re: Radius CoA over Internet

Thank you for your reply.

I will verify this today with my security admin, and make sure I see matches on port forwarding rule.

I'll let you know.

Contributor II
Posts: 58
Registered: ‎04-29-2014

Re: Radius CoA over Internet

Okay, we found the problem. The firewall was only accepting 3799 TCP traffic, whereas CoA uses 3799 UDP, so the packets were dropped.

Working perfectly now.

Thanks!

nice2k
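The original question asked whether there is a way to check that the CoA message actually reaches the Instant VC, and the resolution was that the firewall permitted TCP/3799 instead of UDP/3799. The script below is an added example (not Aruba, ClearPass or Airheads code) of such a reachability probe: it builds a minimal RFC 5176 Disconnect-Request with the correct Request Authenticator, sends it over UDP to port 3799, and validates the Response Authenticator of whatever Disconnect-ACK or Disconnect-NAK comes back. A NAK still proves the UDP path and the shared secret are fine; only a timeout indicates the packet (or the reply) is being dropped, which is exactly what a TCP-only permit looks like from the CPPM side. The NAS IP 2.2.2.2, NAS-ID Instant-Demo and client MAC are the placeholders from the thread; the shared secret and the helper names are assumptions.

```python
"""Minimal RFC 5176 (formerly RFC 3576) CoA/Disconnect-Request probe.

Added example, not vendor code: checks whether UDP/3799 traverses the
NAT/firewall in front of a NAS by sending one Disconnect-Request and
verifying the authenticator of the reply.
"""
import hashlib
import os
import socket
import struct
import sys

DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_PORT = 3799  # RFC 5176 CoA/Disconnect port; UDP, not TCP

# RADIUS attribute types used here (RFC 2865)
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32


def encode_attr(attr_type, value):
    """Encode one RADIUS TLV: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, ident, attrs):
    """Build a Disconnect-Request (Code 40).

    RFC 5176 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request_auth, secret):
    """Return the Code of a valid Disconnect-ACK/NAK, or None.

    RFC 2865 section 3: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret).
    """
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return code if expected == response[4:20] else None


def build_response(code, ident, request_auth, secret, attrs=b""):
    """NAS-side reply builder, used only to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def send_coa(nas_ip, secret, attrs, timeout=3.0):
    """Send one Disconnect-Request over UDP; return the verified reply Code.

    None means no valid reply within the timeout, i.e. the request or the
    reply was dropped somewhere on the UDP/3799 path.
    """
    ident = os.urandom(1)[0]
    request = build_disconnect_request(secret, ident, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # UDP datagram
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, COA_PORT))
        try:
            data, _peer = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP port unreachable
            return None
    if len(data) < 2 or data[1] != ident:
        return None
    return verify_response(data, request[4:20], secret)


if __name__ == "__main__":
    # Placeholders from the thread; the shared secret is constructed.
    attrs = (encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton("2.2.2.2"))
             + encode_attr(ATTR_NAS_IDENTIFIER, b"Instant-Demo")
             + encode_attr(ATTR_CALLING_STATION_ID, b"18af61cefdc8"))
    if len(sys.argv) == 3:  # usage: coa_probe.py <nas-public-ip> <shared-secret>
        code = send_coa(sys.argv[1], sys.argv[2].encode(), attrs)
        print({None: "no valid reply: check the UDP/3799 permit and NAT rules",
               DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}[code])
    else:  # offline self-check of the authenticator math
        req = build_disconnect_request(b"placeholder-secret", 1, attrs)
        ack = build_response(DISCONNECT_ACK, 1, req[4:20], b"placeholder-secret")
        print("offline check:", verify_response(ack, req[4:20], b"placeholder-secret") == DISCONNECT_ACK)
```

Run it from the CPPM side (or any host the firewall's permit statement allows) against the NAS public IP. Keep the firewall permit for UDP/3799 scoped to the CPPM source address, as the original poster did, since anyone who can reach that port and knows the shared secret can terminate sessions; a reply that fails verify_response means a secret mismatch rather than a path problem.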
