09-21-2012 08:05 AM
I'm getting mixed responses regarding whether this should be possible, but am not in a position to lab it at the moment so am taking a stab in the dark that someone has come across this already.
Essentially, I have configured sponsored guest-registration that upon verification, instigates a role change. The sponsorship element is actually used to verify the email address used by the guest.
In this scenario, should the session be updated using CoA to instigate the role change whilst the guest is still online rather than having to log off and back on again? I am seeing the CoA-Request in a pcap but receiving a CoA-NAK in response from the Aruba WLAN. All RFC 3576 capability is configured (I can disconnect users for instance).
09-24-2012 08:08 AM
Yes, that should be how it works. That being said, are you on the most up-to-date firmware on each platform? I believe Amigopod added it around the 3.7 timeframe, and the AOS controllers fairly recently. I do not have the exact AOS release in which it became supported. I would work with Aruba support to track it down. Can you post a screenshot of all the RADIUS attributes submitted in the CoA?
09-25-2012 06:21 AM
09-25-2012 01:29 PM
Not sure exactly what the problem is, but a couple of notes or follow up:
- Double check your manual disconnects are fine. It is common to miss entering the secret properly for RFC-3576 on the controller.
- Double check the Calling-Station-Id matches that on the controller.
- Session-Timeout was added in AOS 6.2. Are you on a recent version?
- You are telling the controller to put them in a role named "Verified". Confirm that role exists (exactly) on the controller.
- If you are in a master controller setup, the NAS-IP gets set to the master on all the nodes when it must be set to the local machine via an override. Double check NAS-IP_Address (10.1.5.9) is expected.
Support may know some debug options on the controller to give more details on the NAK.
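Added example, not part of the original thread: a CoA-NAK may carry an Error-Cause attribute (type 101, RFC 3576) that narrows down which item in the checklist above applies. This Python sketch decodes it from the raw RADIUS payload exported from a pcap; the sample packet is constructed, and whether the controller in this thread includes Error-Cause is an assumption.

```python
import struct

# Dynamic-authorization packet codes (RFC 3576, updated by RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = 101  # attribute type; value is a 4-octet integer
ERROR_CAUSES = {
    201: "Residual Session Context Removed", 202: "Invalid EAP Packet",
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)", 503: "Session Context Not Found",
    504: "Session Context Not Removable", 505: "Other Proxy Processing Error",
    506: "Resources Unavailable", 507: "Request Initiated",
    508: "Multiple Session Selection Unsupported",
}

def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured data")
    attrs, pos = [], 20  # skip code, id, length and 16-octet authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def explain_nak(packet: bytes):
    """Return (packet name, identifier, [(cause number, cause text), ...])."""
    code, ident, attrs = parse_radius(packet)
    causes = [struct.unpack("!I", v)[0] for t, v in attrs
              if t == ERROR_CAUSE and len(v) == 4]
    return (CODES.get(code, f"code {code}"), ident,
            [(c, ERROR_CAUSES.get(c, "unknown")) for c in causes])

def build_sample_nak(ident: int, cause: int) -> bytes:
    """Constructed CoA-NAK with a zeroed authenticator, for offline testing."""
    attr = struct.pack("!BBI", ERROR_CAUSE, 6, cause)
    return struct.pack("!BBH", 45, ident, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    print(explain_nak(build_sample_nak(7, 503)))
```

An empty cause list means the NAK carried no Error-Cause, in which case controller-side debugging is the remaining source of detail.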
10-07-2012 07:42 AM
So where my role was configured with the name Guest-Verified on the controller with a matching VSA attribute under my role on CP, it was passing the name of the role on CP rather than the attribute.
10-07-2012 11:09 AM
Yes, a received VSA of Aruba-User-Role will trump any other derivation rules. Leave it unset in the verified mode and that should work....
If using CPPM, just set another set of conditions in the Enforcement profile which omits the VSA.
10-07-2012 03:48 PM