What attribute do I use when configuring an RFC3576 server for change of authorization?

Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS 3.x. 

From RFC3576: 

   “The RADIUS protocol, defined in [RFC2865], does not support 
   unsolicited messages sent from the RADIUS server to the Network 
   Access Server (NAS). 

   However, there are many instances in which it is desirable for 
   changes to be made to session characteristics, without requiring the 
   NAS to initiate the exchange.  For example, it may be desirable for 
   administrators to be able to terminate a user session in progress. 
   Alternatively, if the user changes authorization level, this may 
   require that authorization attributes be added/deleted from a user 

   To overcome these limitations, several vendors have implemented 
   additional RADIUS commands in order to be able to support unsolicited 
   messages sent from the RADIUS server to the NAS.  These extended 
   commands provide support for Disconnect and Change-of-Authorization 
   (CoA) messages.  Disconnect messages cause a user session to be 
   terminated immediately, whereas CoA messages modify session 
   authorization attributes such as data filters.” 

To use CoA, the RFC 3576 server must be configured to send ‘Filter-Id’ as one of the supplementary attributes; the controller maps the Filter-Id value to a user role. 

The ‘Aruba-User-Role’ vendor-specific attribute is not supported in CoA requests. 

An ESI (External Services Interface) license is also required on the Aruba controller. 

This example uses the FreeRADIUS client (radclient) as the testing utility. 

On the Aruba controller: 
(ke1929-w1) #show aaa profile rfc3576 

AAA Profile "rfc3576" 
Parameter                           Value 
---------                           ----- 
Initial role                        logon 
MAC Authentication Profile          N/A 
MAC Authentication Default Role     guest 
MAC Authentication Server Group     default 
802.1X Authentication Profile       rfc3576 
802.1X Authentication Default Role  guest 
802.1X Authentication Server Group  internal 
RADIUS Accounting Server Group      N/A 
XML API server                      N/A 
RFC 3576 server            
User derivation rules               N/A 
Wired to Wireless Roaming           Enabled 

(ke1929-w1) #show aaa rfc-3576-server ? 
|                       Output Modifiers 

(ke1929-w1) #show aaa rfc-3576-server 

RFC 3576 Server "" 
Parameter  Value 
---------  ----- 
Key        aruba123 

(ke1929-w1) #show license 

License Table 
Key                                  Installed   Expires  Flags  Service Type 
---                                  ---------   -------  -----  ------------ 
+QPKOMv9-QQFKySuB-4nHiPGPa-4wUy2...  2008-03-26  Never     E     Policy Enforcement Firewall 
gKtQ5piW-wcfbrqVq-n/HIHk/9-6MoC9...  2008-03-26  Never     E     Wireless Intrusion Protection 
j2yAbp3s-wZgADP2Z-NoSK+hVk-Sa+vz...  2009-03-09  Never     E     External Services Interface 

License Entries: 3 

Flags: A - auto-generated; E - enabled; R - reboot required to activate 

On the RADIUS server (Linux): 
echo -e "User-Name = aaa\nFilter-Id = authenticated" | radclient -n 1 -x <controller-ip> coa aruba123 

This command changes the role of user ‘aaa’ to ‘authenticated’ on the Aruba controller (<controller-ip> is a placeholder for the controller's IP address; radclient needs the target host before the ‘coa’ command and the shared key ‘aruba123’ after it). 

If it is successful, the Aruba controller returns a CoA-ACK. 
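As an added example that is not part of the original article, the Python below builds the same CoA-Request (RADIUS code 43) that the radclient command above sends, carrying User-Name and Filter-Id with the page's shared key, and verifies the Response Authenticator of the controller's CoA-ACK (44) or CoA-NAK (45) as defined in RFC 3576. The controller reply is constructed locally (fake_controller_reply) so the code runs offline.

```python
# Added example: RFC 3576 CoA-Request encoding and reply verification.
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID = 1, 11          # standard RADIUS attribute types

SECRET = b"aruba123"                  # shared key from the page's rfc-3576-server config


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes header) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(user: str, role: str, secret: bytes, ident: int) -> bytes:
    """CoA-Request for the Aruba controller: the new role travels in Filter-Id."""
    attrs = encode_attr(USER_NAME, user.encode()) + encode_attr(FILTER_ID, role.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 3576 s3.1: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """True only if the CoA-ACK/NAK is a genuine reply to `request` under `secret`."""
    if len(response) < 20 or response[0] not in (COA_ACK, COA_NAK):
        return False
    if response[1] != request[1]:       # identifier must echo the request
        return False
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def fake_controller_reply(request: bytes, secret: bytes, code: int = COA_ACK) -> bytes:
    """Constructed stand-in for the controller: an attribute-less, authenticated ACK/NAK."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    req = build_coa_request("aaa", "authenticated", SECRET, ident=1)
    ack = fake_controller_reply(req, SECRET)
    print("CoA-ACK verified:", verify_response(req, ack, SECRET))
```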
Version history
Revision #: 1 of 1
Last update: 07-09-2014 01:12 PM