Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Sponsored role change during active session

I'm getting mixed responses regarding whether this should be possible, but am not in a position to lab it at the moment so am taking a stab in the dark that someone has come across this already.

 

Essentially, I have configured sponsored guest-registration that upon verification, instigates a role change. The sponsorship element is actually used to verify the email address used by the guest.

 

In this scenario, should the session be updated using CoA to instigate the role change whilst the guest is still online rather than having to log off and back on again? I am seeing the CoA-Request in a pcap but receiving a CoA-NAK in response from the Aruba WLAN. All RFC 3576 capability is configured (I can disconnect users for instance).

Any amount of Kudos will be greatly appreciated!!!
Aruba Employee
Posts: 100
Registered: ‎03-15-2011

Re: Sponsored role change during active session

Yes, that should be how it works. That being said, are you on the most up-to-date firmware on each platform? I believe Amigopod added it around the 3.7 timeframe, and the AOS controllers fairly recently. I do not have the exact AOS release in which it became supported. I would work with Aruba support to track it down. Can you post a screenshot of all the RADIUS attributes submitted in the CoA?

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Sponsored role change during active session

Attached is a PDF copy of the CoA-REQUEST. It is supplying the updated role of "Verified", which is what it should do. I've also attached the response CoA-NAK.

Any amount of Kudos will be greatly appreciated!!!
Aruba Employee
Posts: 100
Registered: ‎03-15-2011

Re: Sponsored role change during active session

Not sure exactly what the problem is, but a couple of notes or follow up:

 

  • Double check your manual disconnects are fine. It is common to miss entering the secret properly for RFC-3576 on the controller.
  • Double check the Calling-Station-Id matches that on the controller
  • Session-Timeout was added in AOS 6.2.  Are you on a recent version?
  • You are telling the controller to put them in a role named "Verified".  Confirm that role exists (exactly) on the controller.
  • If you are in a master controller setup, the NAS-IP gets set to the master on all the nodes when it must be set to the local machine via an override.  Double check NAS-IP_Address (10.1.5.9) is expected.

Support may know some debug options on the controller to give more details on the NAK.

 

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Sponsored role change during active session

Turns out that when using CoA to change the role, the VSA attribute Aruba-User-Role does not apply like it does in normal circumstances, e.g. initial logon, etc.

So where my role was configured with the name Guest-Verified on the controller with a matching VSA attribute under my role on CP, it was passing the name of the role on CP rather than the attribute.
Any amount of Kudos will be greatly appreciated!!!
Contributor II
Posts: 56
Registered: ‎04-22-2009

Re: Sponsored role change during active session

Yes, a received VSA of Aruba-User-Role will trump any other derivation rules.     Leave it unset in the verified mode and that should work....

 

If using CPPM, just set another set of conditions in the Enforcement profile which omits the VSA.

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Sponsored role change during active session

The VSA is not sent in the CoA packet in this scenario, so your role name has to match that on your Aruba controller. Otherwise, the VSA seems to work?!?
Any amount of Kudos will be greatly appreciated!!!