Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

switch vlan id using CoA

  • 1.  switch vlan id using CoA

    Posted Sep 18, 2018 04:45 AM

    Does the Aruba controller support switching VLAN using CoA after authentication?

     

    I have an Aruba 3600 and an AP configured with VLAN IDs (1, 40, 50, ...).

    When a client phone connects to the AP, my RADIUS server accepts the client with the attributes below.

     

    Tunnel-Type = VLAN

    Tunnel-Medium-Type = IEEE-802

    Tunnel-Private-Group-Id = 40

     

    After authentication I checked the VLAN ID with

    (Aruba-master) # show ap association

    It showed VLAN ID 40.

     

    I sent a CoA request to the controller to switch to VLAN ID 50 with the following attributes. I am not using ClearPass or others; just my application sends the CoA request to the controller.

     

    Tunnel-Type = VLAN

    Tunnel-Medium-Type = IEEE-802

    Tunnel-Private-Group-Id = 50

     

    Then the controller replied CoA-ACK. It seemed there was no problem.

     

    But when I checked the VLAN ID again with the CLI ((Aruba-master) # show ap association),

    the VLAN ID was still 40.

     

    I tried sending vendor-specific attributes like

    Aruba-User-Vlan

    Aruba-Port-Bounce-Host

    Aruba-User-Role

     

    The Aruba 3600 controller replies CoA-ACK, but the VLAN ID doesn't change to the new VLAN ID.

     

    Does anyone know why?

     

    I don't have much network knowledge, but if someone wants more information about my issue, I can describe it in more detail.

     



  • 2.  RE: switch vlan id using CoA



  • 3.  RE: switch vlan id using CoA

    Posted Sep 18, 2018 05:08 AM

    Thank you for the fast answer.

     

    I read the thread before I posted my issue.

     

    Actually, I don't understand the answer by Shyam_Moolayilkalarikkal.

     



  • 4.  RE: switch vlan id using CoA

    Posted Sep 18, 2018 08:10 AM

    When you do not see the VLAN change in the session, please verify your RADIUS setup.

     

    Are you using ClearPass? Does ClearPass send the correct VLAN?

     

     



  • 5.  RE: switch vlan id using CoA

    EMPLOYEE
    Posted Sep 18, 2018 08:20 AM

    @jinyoung wrote:

    Thank you for the fast answer.

     

    I read the thread before I posted my issue.

     

    Actually, I don't understand the answer by Shyam_Moolayilkalarikkal.

     


    Did you configure an RFC 3576 profile on the controller? It is required for a CoA. If you did, you should probably do a user debug and see what is going on with that client when you send the command.



  • 6.  RE: switch vlan id using CoA

    EMPLOYEE
    Posted Sep 18, 2018 08:29 AM
    You need to use a Disconnect, not a CoA when changing VLANs.


  • 7.  RE: switch vlan id using CoA

    Posted Sep 19, 2018 12:44 AM

    I tried a Disconnect request and it worked correctly.

    But I think CoA is a more elegant way, as the client user cannot notice what is going on in the background. Because when I send a disconnect, the client Android phone loses the Wi-Fi connection and then reconnects, and the Android phone shows the current Wi-Fi status in a short message box on screen. Another reason is that sometimes the phone tries to connect to another Wi-Fi (not my AP).

    That is why I want to use CoA.

    Do you have any idea?



  • 8.  RE: switch vlan id using CoA
    Best Answer

    Posted Sep 19, 2018 03:09 AM

    If you just change the VLAN, the client will not notice this. Because of this, the client will not perform a DHCP refresh. That's why manually refreshing/renewing the IP address works.

     

    If you disconnect, the client will notice this. But getting kicked out has some disadvantages. That's why I try to avoid VLAN changes.

    Web-auth on Aruba/ProCurve switches uses a short DHCP lease time to circumvent this. But even with a lease time of 5 minutes your clients have to wait a little until the IP gets refreshed...

     

    Maybe instead of changing the VLAN you can reach the same level of security by using two different user roles with different ACLs?

     

    Regards, Jörg
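As an added illustration of the exchange discussed in this thread (example code, not from the original posts or from HPE Aruba), the following builds the RFC 3576/RFC 5176 CoA-Request and Disconnect-Request packets carrying the RFC 2868 VLAN attributes quoted above, models the controller's ACK, and checks that an ACK's authenticator was really computed with the shared secret before trusting it. The shared secret, username and MAC address are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 5176) and attribute types (RFC 2865 / RFC 2868)
DISCONNECT_REQUEST, DISCONNECT_ACK, COA_REQUEST, COA_ACK = 40, 41, 43, 44
USER_NAME, CALLING_STATION_ID = 1, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value (max 253 bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return avp(attr_type, struct.pack("!B", tag) + struct.pack("!I", value)[1:])

def vlan_attrs(vlan_id):
    """The three attributes from the thread that name the target VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))  # tag octet omitted

def build_request(code, identifier, attrs, secret):
    # RFC 5176 2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def build_response(request, code, attrs, secret):
    # Controller side (e.g. CoA-ACK): MD5(Code + Id + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_response(request, response, secret):
    # Accept an ACK/NAK only if the Identifier matches and its authenticator used our secret
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample values (placeholders, not from any real deployment)
SECRET = b"placeholder-shared-secret"
SESSION = avp(USER_NAME, b"user@example.com") + avp(CALLING_STATION_ID, b"00-11-22-33-44-55")
COA_TO_VLAN_50 = build_request(COA_REQUEST, 7, SESSION + vlan_attrs(50), SECRET)
```

A Disconnect-Request is the same call with code 40 and only the session-identifying attributes; whether the controller applies the new VLAN to a live session or only honours the disconnect is controller behaviour, as the thread reports.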

     

     



  • 9.  RE: switch vlan id using CoA

    Posted Sep 19, 2018 04:34 AM

    Thanks everyone.



  • 10.  RE: switch vlan id using CoA

    Posted Sep 19, 2018 01:38 AM

    I had already configured the RFC 3576 server. It is working well with Disconnect requests, and in the log messages there was no error about CoA or RADIUS.

    Anyway, thank you for your advice.