I want to change the user role of a client with RADIUS CoA; however, I can't get it to work. How can I troubleshoot CoA on Instant? The CoA-Request to the Instant VC is captured via Wireshark.
First, the client gets a role "Role1" by the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is expected behavior.
I can verify this on the Virtual Controller by "show derivation-rules".
Now the problem:
I send a CoA request and receive a CoA-ACK, OK.
I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?
Role2 is created on the VC and RFC3576 is enabled for the auth-server.
I removed the role assignments for the ssid-profile
and I also changed the radreply attribute Filter-Id to Aruba-User-Role.
Still the same result. I think the immediate Access-Challenge overwrites the CoA request on the Instant VC; is there a way to verify this on the VC log?
On VC Support Command: AP Log ALL, I can see that the VC handles the stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA request?
Jun 19 11:27:08 stm: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f:172.31.98.122 (role=) from:10.0.99.24
Jun 19 11:27:08 stm: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
Jun 19 11:27:08 stm: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c
See log file attached.
Please let me know if you need further logs.
I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSA for FreeRADIUS placed in /usr/share/freeradius.
I read the post:
What attribute do I use when configuring an RFC3576 server for change of authorization?
by Aruba employee aarunkumar
I assume this can work on Instant.
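
An added example, not part of the original post: one way to check a CoA-Request pulled out of a packet capture before looking at the VC side, by confirming the packet code, validating the Request Authenticator against the shared secret, and listing which role attribute (Filter-Id or the Aruba-User-Role VSA) it actually carries. The sample packet, user name, secret and Calling-Station-Id format are constructed for illustration; vendor ID 14823 and Aruba-User-Role type 1 are the values used in the Aruba dictionary for FreeRADIUS.

```python
import hashlib
import struct

COA_REQUEST = 43                      # RFC 3576 CoA-Request code
NAMES = {1: "User-Name", 11: "Filter-Id", 31: "Calling-Station-Id"}
ARUBA_VENDOR, ARUBA_USER_ROLE = 14823, 1   # from the Aruba dictionary


def authenticator(code, ident, attrs, secret):
    """MD5 over code, id, length, 16 zero octets, attributes, secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def parse_attributes(attrs):
    """Decode the attribute TLVs, unwrapping the Aruba-User-Role VSA."""
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attrs[pos + 2:pos + alen]
        name = NAMES.get(atype, "type-%d" % atype)
        if atype == 26 and len(value) >= 6:          # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ARUBA_VENDOR, ARUBA_USER_ROLE):
                name, value = "Aruba-User-Role", value[6:4 + vlen]
        found.append((name, value.decode("utf-8", "replace")))
        pos += alen
    return found


def check_coa(packet, secret):
    """Summarise one captured packet: code, authenticator, attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    good = packet[4:20] == authenticator(code, ident, attrs, secret)
    return {"is_coa_request": code == COA_REQUEST,
            "authenticator_ok": good,
            "attributes": parse_attributes(attrs)}


def build_sample(secret, role=b"Role2"):
    """Constructed CoA-Request for the demo (not a real capture)."""
    tlv = lambda t, d: bytes([t, len(d) + 2]) + d
    vsa = struct.pack("!IBB", ARUBA_VENDOR, ARUBA_USER_ROLE, len(role) + 2) + role
    attrs = tlv(1, b"testuser") + tlv(31, b"a08d169dfb2f") + tlv(26, vsa)
    head = struct.pack("!BBH", COA_REQUEST, 7, 20 + len(attrs))
    return head + authenticator(COA_REQUEST, 7, attrs, secret) + attrs
```

To use it on a real capture, pass the UDP payload bytes of the CoA-Request and the shared secret configured for the RFC 3576 server to `check_coa`.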