Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant APs - Dynamic radius proxy and CoA / Disconnect Messages with external RADIUS

  • 1.  Instant APs - Dynamic radius proxy and CoA / Disconnect Messages with external RADIUS

    Posted Feb 15, 2019 05:05 AM

    Hi All

     

    Just a quick one. We run a cloud-based captive portal server and RADIUS that is outside the customer LAN. What is the correct solution when using more than a single IAP on site with an external RADIUS server, to allow us to send CoA / Disconnect messages back to the IAP(s) should we wish to change the role or disconnect a session?

     

    The challenge will of course be the firewall too because we'll need to enable CoA support on the IAPs and also open UDP 3799 from our RADIUS server(s) to the internet network that hosts the IAPs. But, we can't port forward 3799 to multiple internal IP addresses, so where do we send the CoA to - the IAP that authenticated the user, or the master, or?

     

    I was thinking that if we used the "Dynamic radius proxy" option within the IAP settings, this would make the master perform all RADIUS and Accounting transactions with our RADIUS server, so we should direct CoA / DM packets back at this master IAP?

     

    Finally, what RADIUS attributes (as a minimum) are required to identify the user? Is Calling-Station-Id enough?

     

    Thanks

     

    James



  • 2.  RE: Instant APs - Dynamic radius proxy and CoA / Disconnect Messages with external RADIUS

    Posted Feb 15, 2019 07:33 AM

    Hello James!

     

    Yes, Dynamic Radius Proxy so that all radius goes through one IAP, and from Clearpass you want to use Calling-Station-Id in your policy to target the correct user. Note that you can have DRP traffic in a different VLAN than the IAP Cluster IPs.



  • 3.  RE: Instant APs - Dynamic radius proxy and CoA / Disconnect Messages with external RADIUS

    Posted Feb 15, 2019 07:39 AM

    Many thanks for the reply. We're not using Clearpass but a third-party external RADIUS server, but I presume we should target UDP port 3799 to the public IP and then port forward to the master AP's internal LAN IP?

     

    Thanks

     

    James



  • 4.  RE: Instant APs - Dynamic radius proxy and CoA / Disconnect Messages with external RADIUS

    Posted Feb 15, 2019 08:06 AM
    You should be able to decide what port to use for CoA when you define the Radius Client - that way you can decide the port to use for CoA -> NAT.
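
For reference, the Disconnect-Request discussed in this thread, built by hand following RFC 5176. This is an added example, not part of any post above and not Aruba's code. It assumes Calling-Station-Id is the only identifying attribute (as suggested in the reply above); the shared secret, MAC address format, and target host are constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
CALLING_STATION_ID = 31   # RFC 2865 attribute type
DEFAULT_COA_PORT = 3799   # RFC 5176 default; the NAT may expose another port


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier: int, secret: bytes, station_mac: str) -> bytes:
    """Build a Disconnect-Request that names the session by Calling-Station-Id."""
    attrs = attribute(CALLING_STATION_ID, station_mac.encode("ascii"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> int:
    """Return the reply code (ACK or NAK) if the reply authenticates, else raise."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        raise ValueError("length or identifier mismatch")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected reply code")
    # Response Authenticator = MD5(header + Request Authenticator + attributes + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    return code


def send_disconnect(packet: bytes, secret: bytes, host: str, port: int = DEFAULT_COA_PORT) -> int:
    """Send to the NAS (here: the master IAP behind the port forward) and verify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_reply(reply, packet, secret)
```

The authenticator is keyed only by the shared secret, so the forwarded UDP port should accept traffic from the RADIUS server's address and nothing else, as the first post describes.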