New Contributor

Radius CoA with Instant

I want to change the user role of a client with RADIUS CoA, but I can't get it to work. How can I troubleshoot CoA on Instant? The CoA-Request to the Instant VC is captured via Wireshark.

First the client gets the role "Role1" from the RADIUS radreply attribute Filter-Id; this works. Using radclient to disconnect clients works too, and clients reauthenticate immediately, which is the expected behavior.

 

I can verify this on the Virtual Controller with "show derivation-rules":

[screenshot: show derivation-rules]


Now the problem:

I send a CoA request and receive a CoA-ACK, ok.

[screenshot: radclient coa]

[screenshot: wireshark]

I don't know why there is an immediate Access-Challenge after sending the CoA request. Can I troubleshoot on the VC why it doesn't update the client's user role to "Role2" and why the client initiates an Access-Challenge on the Instant VC?


Role2 is created on the VC and RFC3576 is enabled for the auth-server.

Guru Elite

Re: Radius CoA with Instant

You should not be using derivation rules. Return the first role using the Aruba-User-Role VSA.

Remove all derivation rules and try again.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

New Contributor

Re: Radius CoA with Instant

I removed the role assignments for the ssid-profile

[screenshot: roles]

and I also changed the radreply attribute Filter-Id to Aruba-User-Role.

[screenshot: radreply_2]

Still the same result. I think the immediate Access-Challenge overwrites the CoA request on the Instant VC; is there a way to verify this in the VC log?


With the VC Support command "AP Log ALL", I can see that the VC handles stm_rfc3576_request and executes handle_disconnect_user. Does this explain the immediate Access-Challenge after the CoA request?


Jun 19 11:27:08  stm[3694]: stm: rfc3576 req 0 for a0:8d:16:9d:fb:2f:172.31.98.122 (role=) from:10.0.99.24
Jun 19 11:27:08  stm[3694]: stm stm_rfc3576_request, 230: wired flag for client a0:8d:16:9d:fb:2f is 0
Jun 19 11:27:08  stm[3694]: handle_disconnect_user: 10659: sci->mac_authenticate=0 sci->captive_portal=0 sta->dot1xctx=0x1fe33c


See the attached log file.

Please let me know if you need further logs.


regards,

Peter

Guru Elite

Re: Radius CoA with Instant

What is your RADIUS server?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

New Contributor

Re: Radius CoA with Instant

I'm using FreeRADIUS 3.0.16 on Ubuntu and have the Aruba VSA for FreeRADIUS placed in /usr/share/freeradius.

I read the post "What attribute do I use when configuring an RFC3576 server for change of authorization?" by Aruba employee aarunkumar:

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-attribute-do-I-use-when-configuring-an-RFC3576-server-for/ta-p/183484

I assume this can work on Instant.


Guru Elite

Re: Radius CoA with Instant

Change User Role uses Filter-Id for the role name. But do not configure an SDR.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
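As an added illustration (not code from this thread, Aruba or FreeRADIUS), the following Python shows the on-the-wire shape of the exchange being debugged above: a CoA-Request (RFC 3576/5176) carrying Calling-Station-Id and Filter-Id=Role2, the way the VC's CoA-ACK/NAK is built, and the authenticator check the sending side should apply before trusting that reply. The shared secret and packet identifier are constructed values; the client MAC is the one from the log lines above.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes used by RFC 3576 / RFC 5176 dynamic authorization
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types; Filter-Id carries the role name for "Change User Role"
FILTER_ID, CALLING_STATION_ID = 11, 31

def attr(atype, value):
    """Encode one RADIUS AVP: Type(1) Length(1, header included) Value."""
    data = value.encode() if isinstance(value, str) else value
    return struct.pack("!BB", atype, len(data) + 2) + data

def parse_attrs(packet):
    """Return [(type, value)] from a RADIUS packet; stops at a malformed length."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def build_coa_request(secret, ident, attrs):
    """CoA-Request: Request Authenticator = MD5(packet with zeroed authenticator || secret)."""
    body = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_response(secret, request, code, attrs=()):
    """What the VC sends back; the Response Authenticator covers the request's authenticator."""
    body = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(secret, request, response):
    """Return the reply code (CoA-ACK/NAK) only if it authenticates against our request."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

A reply that fails the authenticator check (wrong secret, mismatched ID, or altered attributes) is returned as None and should be discarded rather than treated as a NAK or ACK.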