Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Radius CoA with Instant

  • 1.  Radius CoA with Instant

    Posted Jun 19, 2018 07:07 AM

    I want to change the user role of a client with RADIUS CoA, however I can't get it to work. How can I troubleshoot CoA on Instant? The CoA-Request to the Instant VC is captured via Wireshark.

    First the client gets the role "Role1" by the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is the expected behavior.

    I can verify this on the Virtual Controller with "show derivation-rules":

    [Image: show derivation-rules output]

    Now the problem:

    I send a CoA request and receive a CoA-ACK, OK.

    [Image: radclient coa.png]

    [Image: wireshark.png]

    I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client's user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?

    Role2 is created on the VC and RFC3576 is enabled for the auth-server.

    Attachment: instant_VC.cfg.txt (3 KB)


  • 2.  RE: Radius CoA with Instant

    EMPLOYEE
    Posted Jun 19, 2018 07:14 AM
    You should not be using derivation rules. Return the first role using the Aruba-User-Role VSA.

    Remove all derivation rules and try again.


  • 3.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:44 AM

    I removed the role assignments for the ssid-profile

    [Image: roles.png]

    and I also changed the radreply attribute Filter-Id to Aruba-User-Role.

    [Image: radreply_2.png]

    Still the same result. I think the immediate Access-Challenge overwrites the CoA request on the Instant VC; is there a way to verify this in the VC log?

    In the VC Support Command "AP Log ALL", I can see that the VC handles stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA request?


    Jun 19 11:27:08  stm[3694]: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f:172.31.98.122 (role=) from:10.0.99.24
    Jun 19 11:27:08  stm[3694]: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
    Jun 19 11:27:08  stm[3694]: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c

    See the attached log file.

    Please let me know if you need further logs.


    regards,

    Peter

    Attachment: command_AP_Log_All.txt (9 KB)


  • 4.  RE: Radius CoA with Instant

    EMPLOYEE
    Posted Jun 19, 2018 07:46 AM
    What is your RADIUS server?


  • 5.  RE: Radius CoA with Instant

    Posted Jun 19, 2018 07:56 AM

    I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSA for FreeRADIUS placed in /usr/share/freeradius.

    I read the post "What attribute do I use when configuring an RFC3576 server for change of authorization?" by Aruba employee aarunkumar:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-attribute-do-I-use-when-configuring-an-RFC3576-server-for/ta-p/183484

    I assume this can work on Instant.




  • 6.  RE: Radius CoA with Instant
    Best Answer

    EMPLOYEE
    Posted Jun 19, 2018 07:58 AM
    Change User Role uses Filter-Id for the role name. But do not configure an SDR.
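Added example (not from this thread, FreeRADIUS or Aruba's own tooling): a Python script that builds the CoA-Request the best answer describes, with the new role name in Filter-Id, authenticates it per RFC 5176, and verifies the CoA-ACK/NAK from the VC before trusting it. The VC address, shared secret and Calling-Station-Id MAC format are assumptions; replace them with your own.

```python
import hashlib
import os
import socket
import struct

# Constructed values (not from the thread); replace with your own.
VC_IP, VC_PORT = "192.0.2.10", 3799   # assumption: VC address; 3799 is the RFC 5176 port
SECRET = b"radiussecret"               # assumption: secret of the RFC3576 server entry on the VC
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, FILTER_ID = 31, 11

def attr(code, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_coa(ident, client_mac, new_role, secret=SECRET):
    """CoA-Request that moves a client to a new Instant user role.
    Per the best answer above the role name is carried in Filter-Id, with no SDR configured.
    Assumption: client_mac must use the same format the VC sends in Calling-Station-Id."""
    attrs = attr(CALLING_STATION_ID, client_mac.encode()) + attr(FILTER_ID, new_role.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 Request Authenticator: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def fake_response(code, request, secret=SECRET):
    """Build the attribute-less CoA-ACK/NAK a VC would return (for offline testing only)."""
    header = struct.pack("!BBH", code, request[1], 20)
    # RFC 5176 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def check_response(request, response, secret=SECRET):
    """Return 'ACK', 'NAK', or None when the identifier or authenticator does not verify."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", response[:4])
    if length > len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return None
    return {COA_ACK: "ACK", COA_NAK: "NAK"}.get(code)

def send_coa(client_mac, new_role, host=VC_IP, port=VC_PORT, timeout=3.0):
    """Send the CoA-Request to the VC and report the verified result, e.g. send_coa("a0:8d:16:9d:fb:2f", "Role2")."""
    request = build_coa(os.urandom(1)[0], client_mac, new_role)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        response, _ = sock.recvfrom(4096)
    return check_response(request, response)
```

A None result means the reply failed authentication or carried a different identifier, which is the case to investigate in a packet capture before reading anything into the VC's log.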