Regular Contributor II

CoA and Guest - NAS Type / CoA Type?

Hi there,

I wonder how "CoA" works with Guest?

I see under "Configuration > Authentication" the option for "Dynamic Authorization" with a NAS Type option.

Say I have multiple NAS from different brands. How will this work, given that I can only select one "NAS Type" for the whole Guest installation?

Also, say I add a "change_of_authorization" field to a form. What CoA type and NAS will the guest system use? Cisco, Aruba, Generic? Bounce, Terminate, Reauth? I'm puzzled.

Thanks



All Replies
Moderator

Re: CoA and Guest - NAS Type?

What are you trying to do? Policy Manager handles mostly everything for Dynamic Authorization.

The field in the form simply generates a request that you can write policy against.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Regular Contributor II

Re: CoA and Guest - NAS Type?

I see.

Can you briefly explain how I can "glue" the field to the Policy Manager?

What kind of service should I create, and how does it work?

What I'm trying to do is:

- Send a CoA reauth when a user creates or edits a mactrac device

- Send a CoA terminate when the user deletes the mactrac device

Thanks

Moderator

Re: CoA and Guest - NAS Type?

Requests are only generated on a device registration create event. Use the screenshots below for that service.

Guest will automatically try to make a CoA-Request when the role is changed in the form. Guest will look for the role name in a Dynamic Authorization Enforcement Profile Name and if found, will attempt to make the request.

[Screenshots: Screen Shot 2019-01-21 at 12.24.17 PM.png, Screen Shot 2019-01-21 at 12.24.23 PM.png]




| Aruba Alumni | @timcappalli | timcappalli.me |

Regular Contributor II

Re: CoA and Guest - NAS Type?

Hi Tim,

Thanks for your patience.

That solution works perfectly.

But I still have some doubts:

- Is there no option to also send CoA when I edit the device?

- What is the use of the "change_of_authorization" field? Will it only work for mac_create?

- When I remove the mactrac device I do not see anything on Policy Manager. How does the disconnect work in this case?

- What is the use for Configuration > Authentication > Dynamic Authorization, and how does it work when I have multiple different NAS types?

Thanks

Moderator

Re: CoA and Guest - NAS Type?

- Is there no option to also send CoA when I edit the device?

>> WEBAUTH requests are only generated during a device create event.

- What is the use of the "change_of_authorization" field? Will it only work for mac_create?

>> This is what triggers the WEBAUTH. It's only used with Device Registration.

- When I remove the mactrac device I do not see anything on Policy Manager. How does the disconnect work in this case?

>> As mentioned, it's only on create.

- What is the use for Configuration > Authentication > Dynamic Authorization, and how does it work when I have multiple different NAS types?

>> It's not used.




| Aruba Alumni | @timcappalli | timcappalli.me |

Regular Contributor II

Re: CoA and Guest - NAS Type?

Any chance of explaining this better?

Guest will automatically try to make a CoA-Request when the role is changed in the form. Guest will look for the role name in a Dynamic Authorization Enforcement Profile Name and if found, will attempt to make the request.


Edit: https://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/GuestManagement/ManagingGuestAccounts_changeRole.htm
