Controllerless Networks

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.

Radius CoA with Instant

  • 1.  Radius CoA with Instant

    Posted Jun 19, 2018 07:07 AM

    I want to change the user role of a client with RADIUS CoA, but I can't get it to work. How can I troubleshoot CoA on Instant? The CoA-Request to the Instant VC is captured via Wireshark.


    First, the client gets a role "Role1" via the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is expected behavior.


    I can verify this on the Virtual Controller with "show derivation-rules".


    Now the problem,

    I send a CoA request and receive a CoA-ACK, OK.


    I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?


    Role2 is created on VC and RFC3576 is enabled for auth-server




    Attachment: instant_VC.cfg.txt

  • 2.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:14 AM
    You should not be using derivation rules. Return the first role using the Aruba-User-Role VSA.

    Remove all derivation rules and try again.

  • 3.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:44 AM

    I removed the role assignments for the ssid-profile, and I also changed the radreply attribute Filter-Id to Aruba-User-Role.


    Still the same result. I think the immediate Access-Challenge overwrites the CoA request on the Instant VC. Is there a way to verify this in the VC log?


    In the VC support command "AP Log ALL", I can see that the VC handles the stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA request?


    Jun 19 11:27:08  stm[3694]: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f: (role=) from:
    Jun 19 11:27:08  stm[3694]: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
    Jun 19 11:27:08  stm[3694]: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c


    See the log file attached.


    Please let me know if you need further logs.





    Attachment: command_AP_Log_All.txt

  • 4.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:46 AM
    What is your RADIUS server?

  • 5.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:56 AM

    I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSA for FreeRADIUS placed in /usr/share/freeradius.


    I read the post "What attribute do I use when configuring an RFC3576 server for change of authorization?" by Aruba employee aarunkumar.


    I assume this can work on Instant.


  • 6.  RE: Radius CoA with Instant
    Best Answer

    Posted Jun 19, 2018 07:58 AM
    Change User Role uses filter-id for the role name. But do not configure an SDR.
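
The CoA-Request the best answer describes, with the new role carried in Filter-Id, as an added example that is not part of the thread or of Aruba's or FreeRADIUS's code. It builds the packet per RFC 5176 and inspects a captured request to confirm which role it actually carries and that its authenticator matches the shared secret. Assumptions: the client is identified by Calling-Station-Id in the MAC format seen in the log, the shared secret is a placeholder, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43           # RFC 5176 packet code
FILTER_ID = 11             # RFC 2865 attribute: carries the role name
CALLING_STATION_ID = 31    # RFC 2865 attribute: client MAC (assumed session key)

def encode_attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(ident, secret, client_mac, role):
    """Build a CoA-Request that carries the new role in Filter-Id."""
    attrs = (encode_attr(CALLING_STATION_ID, client_mac.encode())
             + encode_attr(FILTER_ID, role.encode()))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def inspect_coa_request(packet, secret):
    """Check a captured CoA-Request: is the authenticator valid, which role is requested?"""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed CoA-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return {
        "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
        "client": attrs.get(CALLING_STATION_ID, b"").decode(),
        "role": attrs.get(FILTER_ID, b"").decode(),   # empty string: no role in request
    }

if __name__ == "__main__":
    # Constructed input: placeholder secret; MAC and role name taken from the thread.
    pkt = build_coa_request(1, b"example-secret", "a0:8d:16:9d:fb:2f", "Role2")
    print(pkt.hex())
    print(inspect_coa_request(pkt, b"example-secret"))
```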