Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Sponsored role change during active session

  • 1.  Sponsored role change during active session

    Posted Sep 21, 2012 11:06 AM

    I'm getting mixed responses regarding whether this should be possible, but am not in a position to lab it at the moment so am taking a stab in the dark that someone has come across this already.

     

    Essentially, I have configured sponsored guest-registration that upon verification, instigates a role change. The sponsorship element is actually used to verify the email address used by the guest.

     

    In this scenario, should the session be updated using CoA to instigate the role change whilst the guest is still online rather than having to log off and back on again? I am seeing the CoA-Request in a pcap but receiving a CoA-NAK in response from the Aruba WLAN. All RFC 3576 capability is configured (I can disconnect users for instance).



  • 2.  RE: Sponsored role change during active session

    EMPLOYEE
    Posted Sep 24, 2012 11:09 AM

    Yes, that should be how it works.  That being said, are you on the most up-to-date firmware on each platform?  I believe Amigopod added it around the 3.7 timeframe, and the AOS controllers fairly recently.  I do not have the exact AOS release in which it became supported.  I would work with Aruba support to track it down.  Can you post a screenshot of all the RADIUS attributes submitted in the CoA?



  • 3.  RE: Sponsored role change during active session

    Posted Sep 25, 2012 09:22 AM

    Attached is a PDF copy of the CoA-REQUEST. It is supplying the updated role of "Verified", which is what it should do. I've also attached the response CoA-NAK.

    Attachment(s): PCAP REQ.pdf (42 KB), PCAP NAK.pdf (40 KB)


  • 4.  RE: Sponsored role change during active session
    Best Answer

    EMPLOYEE
    Posted Sep 25, 2012 04:29 PM

    Not sure exactly what the problem is, but a couple of notes or follow up:

     

    • Double check your manual disconnects are fine. It is common to miss entering the secret properly for RFC-3576 on the controller.
    • Double check the Calling-Station-Id matches that on the controller
    • Session-Timeout was added in AOS 6.2.  Are you on a recent version?
    • You are telling the controller to put them in a role named "Verified".  Confirm that role exists (exactly) on the controller.
    • If you are in a master controller setup, the NAS-IP gets set to the master on all the nodes when it must be set to the local machine via an override.  Double check NAS-IP_Address (10.1.5.9) is expected.

    Support may know some debug options on the controller to give more details on the NAK.

     



  • 5.  RE: Sponsored role change during active session

    Posted Oct 07, 2012 10:43 AM
    Turns out that when using CoA to change the role, the VSA attribute Aruba-User-Role does not apply like it does in normal circumstances, e.g. Initial logon etc.

    So where my role was configured with the name Guest-Verified on the controller with a matching VSA attribute under my role on CP, it was passing the name of the role on CP rather than the attribute.


  • 6.  RE: Sponsored role change during active session

    Posted Oct 07, 2012 02:10 PM

    Yes, a received VSA of Aruba-User-Role will trump any other derivation rules.     Leave it unset in the verified mode and that should work....

     

    If using CPPM, just set another set of conditions in the Enforcement profile which omits the VSA.



  • 7.  RE: Sponsored role change during active session

    Posted Oct 07, 2012 06:49 PM
    The VSA is not sent in the CoA packet in this scenario, so your role name has to match that on your Aruba controller. Otherwise, the VSA seems to work?!?
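
Added example, not part of any post in this thread: a Python decoder for a captured CoA-Request or CoA-NAK that runs the checks listed in post 4 (NAS-IP-Address, Calling-Station-Id, exact role name), shows whether an Aruba-User-Role VSA is present, and reads Error-Cause from a NAK. The packets are constructed samples; the thread does not say which attribute carried the role name, so Filter-Id is used as a stand-in through the hypothetical `role_attr` parameter, and all function names are this example's own.

```python
import socket
import struct

ARUBA_VENDOR = struct.pack("!I", 14823)  # Aruba enterprise number; VSA type 1 = Aruba-User-Role
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
TEXT = {11: "Filter-Id", 31: "Calling-Station-Id"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request",
               407: "Invalid Attribute Value", 503: "Session Context Not Found"}  # RFC 5176 subset

def parse_radius(pkt):
    """Decode a RADIUS packet into (code name, {attribute: value}); authenticator is not verified."""
    if len(pkt) < 20 or not 20 <= int.from_bytes(pkt[2:4], "big") <= len(pkt):
        raise ValueError("bad RADIUS length")
    length, attrs, pos = int.from_bytes(pkt[2:4], "big"), {}, 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        val = pkt[pos + 2:pos + alen]
        if atype == 4 and len(val) == 4:
            attrs["NAS-IP-Address"] = socket.inet_ntoa(val)
        elif atype in TEXT:
            attrs[TEXT[atype]] = val.decode("utf-8", "replace")
        elif atype == 101 and len(val) == 4:
            n = int.from_bytes(val, "big")
            attrs["Error-Cause"] = f"{n} {ERROR_CAUSE.get(n, 'unknown')}"
        elif atype == 26 and len(val) > 6 and val[:4] == ARUBA_VENDOR and val[4] == 1:
            attrs["Aruba-User-Role"] = val[6:4 + val[5]].decode("utf-8", "replace")
        pos += alen
    return CODES.get(pkt[0], str(pkt[0])), attrs

def check_coa(attrs, nas_ip, client_mac, roles, role_attr):
    """Checklist from the thread; returns a list of findings (empty means none)."""
    findings = []
    if attrs.get("NAS-IP-Address") != nas_ip:
        findings.append("NAS-IP-Address is not this controller")
    if attrs.get("Calling-Station-Id") != client_mac:
        findings.append("Calling-Station-Id does not match the controller")
    if attrs.get(role_attr) not in roles:  # exact, case-sensitive comparison
        findings.append(f"role {attrs.get(role_attr)!r} is not defined on the controller")
    return findings

def packet(code, *attrs):  # helper that builds the constructed samples below
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not the poster's capture. Filter-Id as the role carrier is an assumption.
SAMPLE_REQ = packet(43, (4, socket.inet_aton("10.1.5.9")), (31, b"001122334455"), (11, b"Verified"))
SAMPLE_NAK = packet(45, (101, struct.pack("!I", 407)))
```

Run against the constructed request with controller roles `{"Guest-Verified"}`, `check_coa` reports the role-name mismatch described in post 5.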