So I think we’ve refined the problem to two methods.

Method one is a Radius-Disconnect.  It does not appear that AVP type 55 is 
supported with that method.
Method two is a CoA-Reauth.  Looking at packet captures provided to me from 
ISE, it does appear that AVP type 55 is expected for that form.

I am working with Extreme to figure out how we can either remove type 55 from a 
Disconnect, or force an actual CoA-Reauth instead of a Disconnect.

I think a lot of folks never have to deal with this, because they stick to 
single vendor solutions.  We had to tackle this back with Aruba years ago.

Ryan
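For the Event-Timestamp (type 55) problem the thread narrows down to, here is an added example (not code from the thread, Extreme, or Cisco) that parses a RADIUS Disconnect-Request, strips attribute 55, rebuilds the length and RFC 5176 request authenticator, and decodes the Error-Cause (attribute 101) in a Disconnect-NAK. The MAC, shared secret and packet bytes are constructed sample data.

```python
# Added example, not from the thread: strip Event-Timestamp (55) from a RADIUS
# Disconnect-Request, re-sign per RFC 5176, and decode a NAK's Error-Cause.
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_NAK = 40, 42
CALLING_STATION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 31, 55, 101
ERROR_CAUSE_NAMES = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request"}

def parse_attrs(payload):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        t, l = payload[i], payload[i + 1]
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs

def build_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(code, ident, attrs, secret):
    """Request authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = build_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def request_authenticator_ok(packet, secret):
    """True if a Disconnect/CoA-Request was signed with this shared secret."""
    return packet[4:20] == hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def strip_attr(packet, attr_type, secret):
    """Drop every attribute of attr_type, then rebuild length and authenticator."""
    kept = [(t, v) for t, v in parse_attrs(packet[20:]) if t != attr_type]
    return build_request(packet[0], packet[1], kept, secret)

def decode_reply(packet):
    """Return (code, Error-Cause text or None); a NAK carries Error-Cause (101)."""
    for t, v in parse_attrs(packet[20:]):
        if t == ERROR_CAUSE and len(v) == 4:
            n = struct.unpack("!I", v)[0]
            return packet[0], ERROR_CAUSE_NAMES.get(n, "Error-Cause %d" % n)
    return packet[0], None

SECRET, MAC = b"constructed-secret", b"00-11-22-33-44-55"  # MAC in xx-xx-xx-xx-xx-xx form
ORIGINAL = build_request(DISCONNECT_REQUEST, 7, [(CALLING_STATION_ID, MAC),
                         (EVENT_TIMESTAMP, struct.pack("!I", 1587126000))], SECRET)
FIXED = strip_attr(ORIGINAL, EVENT_TIMESTAMP, SECRET)
# Constructed Disconnect-NAK carrying Error-Cause 401 (response authenticator zeroed).
NAK = (struct.pack("!BBH", DISCONNECT_NAK, 7, 26) + bytes(16)
       + build_attrs([(ERROR_CAUSE, struct.pack("!I", 401))]))
```

Running the same parse over a capture of the NAS's reply is the quickest way to confirm that "Unsupported Attribute" (401) is what is coming back, before touching the NAC configuration.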

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Friday, April 17, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
stamp.  I am a little confused.  Did the first or second fail?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth 
from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell 
you which attribute it hates/needs.

Thanks
Jake


On Apr 17, 2020, at 11:06 AM, Jake Snyder <jsnyde...@gmail.com> wrote:

Care to share a link to the doc?


On Apr 17, 2020, at 10:13 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

I really think Felix hit the nail on the head.  I found the documentation with 
the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) is NOT a 
supported option.  We are getting NAKs back stating that we are sending an 
‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out of the CoA.  
In the meantime, I have also asked the other institution to look at their 
configs and validate 3799.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
Sent: Friday, April 17, 2020 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Friday, April 17, 2020 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.

From: Turner, Ryan H
Sent: Friday, April 17, 2020 12:00 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

So apparently that changed.  If you search on Cisco, you will note that they 
seemed to go away from the default port.  I do not think we would be getting a 
properly formatted NAK if we were sending to the wrong port.  But I am going to 
ask the other institution to validate that.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Ryan,

Have you tried UDP port 1700?
As far as I can remember, the default port when adding a RADIUS client for a 
Cisco device was 1700.

Also, I usually refer to this link that has the different CoA pcaps captured 
from a Cisco perspective:

https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing

Source - 
https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks

Abhi



On Apr 17, 2020, at 8:07 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

Thank you Felix.  We do have this attribute present.  Let me see if I can get 
it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).

We are now having to integrate with another institution's Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
the message indicated is ‘invalid attributes’.  We aren’t sure what attributes 
to send back for the disconnect.  Obviously the other third party NACs have to 
do this correctly, but I’ve been unable to find documentation.  Extreme has 
some old documentation, but it appears wrong.  Any experts out there on this?  
Anyone willing to do a reauthentication from their NAC to their controllers and 
send us the packet trace?  If we know what attributes you are sending, that is 
likely what we need to make this work.

I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a 
ticket with Cisco.  But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community