Is COA supported for bridge mode SSID?

MVP
MVP
Q:

Does Controller supports CoA for bridge mode SSID? 



A:

ArubaOS supports multiple forwarding modes for SSIDs.

  • Tunnel
  • Split-Tunnel
  • Decrypt-Tunnel
  • Bridge mode.

Dot1x authentication is supported in all VAP modes (Tunnel, Split-tunnel, Decrypt-tunnel and Bridge).

Bridge mode SSID can be configured in RAP where clients can get authenticated with corporate RADIUS server behind the controller, but can pass the traffic locally.

With dot1x authentication, clients can get authenticated where their authentication will happen with RADIUS server. Only the management (authentication) traffic is sent inside the tunnel between the RAP to controller. After successful authentication, all the data traffic from the client will be forwarded locally via RAP's uplink.

For clients connecting with 802.1x authentication, CoA (Change of Authorization) might be required in case if we need to disconnect the client from the RADIUS server or change its role based on the policy configured in the RADIUS server. 

Though Bridge mode SSID supports Dot1x authentication,  CoA is not supported on bridge mode SSID. 

CoA is supported only on tunnel, split-tunnel and decrypt-tunnel forwarding modes. 

Version history
Revision #:
2 of 2
Last update:
‎09-26-2019 03:36 AM
Updated by:
 
Labels (1)
Contributors