Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
On 19/4/20 4:08 am, Turner, Ryan H wrote:
> All,
>
> We think we resolved it. As others said before, it was the port we had wrong. As soon as we changed it to 1700, everything worked. The thing that has me scratching my head is why the Cisco WLC would be responding with properly formatted NAKs when we were sending to the wrong port. This is probably a bad analogy, but it would be like your http server deciding to respond to a random port instead of 80.

Happy this worked out, and I appreciate the captures. As it turns out, we are still sending the AVP type 55, and the WLC is not complaining.

I would be interested to see what you have in XMC/Control/Access Control/Configuration/Global Settings/Engine Settings/Reauthentication/Switch Reauthentication Configuration/the appropriate sysObjectId for the Cisco WLC/Edit.../RFC 3576 Configuration, and then what Manage RFC 3576 Configurations... has. I have this, which has the correct port:

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
I uploaded the failed Reauth from CPPM along with the debug from the controller to that folder if you want to see what the output was. The WLC tells you what it likes/disliked.

> On Apr 17, 2020, at 11:49 AM, Jake Snyder wrote:
>
> Both of those worked. Both received ACKs from the WLC.
>
>> On Apr 17, 2020, at 11:38 AM, Turner, Ryan H wrote:
>>
>> Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches what we are doing omits the Time Stamp AVP. The CoA-Reauth has the time stamp. I am a little confused. Did the first or second fail?
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
>> Sent: Friday, April 17, 2020 1:28 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>>
>> Here are some PCAPs for you folks.
>> https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0
>>
>> One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).
>>
>> Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.
>>
>> Thanks
>> Jake
>>
>> On Apr 17, 2020, at 11:06 AM, Jake Snyder wrote:
>>
>> Care to share a link to the doc?
>>
>> On Apr 17, 2020, at 10:13 AM, Turner, Ryan H wrote:
>>
>> I really think Felix hit the nail on the head. I found the documentation with the supported attributes for CoA and Cisco. Type 55 (Event-Timestamp) is NOT a supported option. We are getting NAKs back stating that we are sending an ‘Unsupported Attribute’. I am asking Extreme how to strip 55 out of the CoA. In the meantime, I have also asked the other institution to look at their configs and validate 3799.
>>
>> Ryan
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Curtis K. Larsen
>> Sent: Friday, April 17, 2020 12:03 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>>
>> We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H
>> Sent: Friday, April 17, 2020 10:01 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>>
>> I reversed that. The standard is 3799, and I know Cisco tends to use 1700. But I see plenty of documentation on 3799 for Cisco. I’ll confirm.
>>
>> From: Turner, Ryan H
>> Sent: Friday, April 17, 2020 12:00 PM
>> To: The EDUCAUSE Wireless Issues Community Group Listserv
>> Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>>
>> So apparently that changed. If you search on Cisco, you will note that they seemed to go away from the default port. I do not think we would be getting a properly formatted NAK if we were sending to the wrong port. But I am going to ask the other institution to validate that.
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Abhiramms
>> Sent: Friday, April 17, 2020 11:25 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>>
>> Ryan,
>>
>> Have you tried UDP port 1700.
>> A
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
I misunderstood your second part. Thank you very much. I think we have the problem sufficiently narrowed… I love getting deep into RADIUS stuff.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Both of those worked. Both received ACKs from the WLC.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Ryan,

Have you tried UDP port 1700.
As far as I can remember, the default port when adding a radius client for a cisco device was 1700.

Also - I usually refer to this link that has the different CoA pcaps captured from a cisco perspective:
https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing
Source - https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks
Abhi

On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:

Thank you Felix. We do have this attribute present. Let me see if I can get it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Both of those worked. Both received ACKs from the WLC.

> On Apr 17, 2020, at 11:38 AM, Turner, Ryan H wrote:
>
> Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches what we are doing omits the Time Stamp AVP. The CoA-Reauth has the time stamp. I am a little confused. Did the first or second fail?
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
> Sent: Friday, April 17, 2020 1:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>
> Here are some PCAPs for you folks.
> https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0
>
> One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).
>
> Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.
>
> Thanks
> Jake
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
So I think we’ve refined the problem to two methods. Method one is a Radius-Disconnect. It does not appear that AVP type 55 is supported with that method. Method two is a CoA-Reauth. Looking at packet captures provided to me from ISE, it does appear that AVP type 55 is expected for that form. I am working with Extreme to figure out how we can either remove type 55 from a Disconnect, or force an actual CoA-Reauth instead of a Disconnect.

I think a lot of folks never have to deal with this, because they stick to single vendor solutions. We had to tackle this back with Aruba years ago.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Turner, Ryan H
Sent: Friday, April 17, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches what we are doing omits the Time Stamp AVP. The CoA-Reauth has the time stamp. I am a little confused. Did the first or second fail?

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.

Thanks
Jake
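The thread above turns on three concrete protocol details: the two request types Ryan distinguishes (a RADIUS Disconnect-Request versus a CoA-Request), the Event-Timestamp AVP (type 55) that the Cisco WLC rejects, and the NAK that comes back carrying an "Unsupported Attribute" Error-Cause. The Python script below makes those visible end to end. It is an added example written for this page, not code from Extreme, Cisco, Aruba, CPPM, ISE or anyone on the list; the shared secret, user name, MAC address, session id and timestamp are constructed values, and the `make_nak` helper stands in for the controller so everything runs offline. It encodes the same Disconnect-Request with and without attribute 55, computes the RFC 5176 Request Authenticator (RFC 5176 is the successor to the RFC 3576 the thread refers to), verifies a NAK's Response Authenticator before trusting what it says, and decodes Error-Cause 401 ("Unsupported Attribute"). Nothing is put on the wire, so the 1700-versus-3799 port question is a transport setting outside the script.

```python
import hashlib
import struct

# Packet codes, RFC 5176 section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used below (RFC 2865, RFC 2869, RFC 5176)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
EVENT_TIMESTAMP, ERROR_CAUSE = 55, 101

# Error-Cause values a NAS puts in a NAK, RFC 5176 section 3.5 (subset)
ERROR_CAUSE_NAMES = {
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    503: "Session Context Not Found",
}

# Constructed shared secret for the demo; a real one comes from the NAS config
SECRET = b"example-shared-secret"


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS type/length/value form."""
    out = bytearray()
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Parse RADIUS AVPs, rejecting bad lengths instead of looping or over-reading."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def strip_attr(attrs, atype):
    """Drop every AVP of one type, e.g. Event-Timestamp (55) for a NAS that NAKs it."""
    return [(t, v) for t, v in attrs if t != atype]


def build_request(code, identifier, attrs, secret):
    """Encode a CoA/Disconnect request. Request Authenticator per RFC 5176:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Check an ACK/NAK's Response Authenticator against the request it answers:
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    A reply that fails this check did not come from the NAS and must be ignored."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return auth == expected


def explain_response(response):
    """Return (code, [Error-Cause names]) so a NAK can be read without a capture."""
    causes = []
    for atype, value in decode_attrs(response[20:]):
        if atype == ERROR_CAUSE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            causes.append(ERROR_CAUSE_NAMES.get(num, f"Error-Cause {num}"))
    return response[0], causes


def make_nak(request, code, error_cause, secret):
    """Build the NAK a NAS would return (test stand-in for the real controller)."""
    body = encode_attrs([(ERROR_CAUSE, struct.pack("!I", error_cause))])
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def demo():
    """Same Disconnect-Request with and without Event-Timestamp, plus a 401 NAK."""
    attrs = [  # constructed session identifiers, not from any real deployment
        (USER_NAME, b"student@example.edu"),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ACCT_SESSION_ID, b"0000abcd"),
        (EVENT_TIMESTAMP, struct.pack("!I", 1587139200)),
    ]
    with_ts = build_request(DISCONNECT_REQUEST, 7, attrs, SECRET)
    without_ts = build_request(DISCONNECT_REQUEST, 8,
                               strip_attr(attrs, EVENT_TIMESTAMP), SECRET)
    nak = make_nak(with_ts, DISCONNECT_NAK, 401, SECRET)
    return with_ts, without_ts, nak


if __name__ == "__main__":
    req, stripped, nak = demo()
    print("NAK authentic:", verify_response(nak, req, SECRET))
    print("NAK says:", explain_response(nak))
    print("AVP types after strip:", [t for t, _ in decode_attrs(stripped[20:])])
```

Two design points are worth calling out. First, the Response Authenticator check in `verify_response` is what lets a NAC engine tell a genuine NAK from a forged one arriving on the same UDP port, which matters because the request itself carries no other proof of origin. Second, `strip_attr` is a generic filter rather than a special case for type 55, so the same code handles any other AVP a particular NAS vendor documents as unsupported; swap `DISCONNECT_REQUEST` for `COA_REQUEST` and the authenticator math is unchanged.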
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches what we are doing omits the Time Stamp AVP. The CoA-Reauth has the time stamp. I am a little confused. Did the first or second fail?

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.

Thanks
Jake

On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:

Thank you Felix. We do have this attribute present. Let me see if I can get it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, April 17, 2020 at 9:26 AM
To: WIRELESS-LAN@LIST
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Thank you!!

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.

Thanks
Jake
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Care to share a link to the doc?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, April 17, 2020 at 9:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them to reauthenticate to their new policy
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell you which attribute it hates/needs.

Thanks
Jake
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Care to share a link to the doc?
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
If someone could please do a packet capture of a reauthentication and give me the Radius part with the AVP pairs, this would really help.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
I really think Felix hit the nail on the head. I found the documentation with the supported attributes for CoA and Cisco. Type 55 (Event-Timestamp) is NOT a supported option. We are getting NAKs back stating that we are sending an ‘Unsupported Attribute’. I am asking Extreme how to strip 55 out of the CoA. In the meantime, I have also asked the other institution to look at their configs and validate 3799.

Ryan
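As an added example (not code from the thread, from Extreme, or from Cisco): building an RFC 5176 Disconnect-Request (RFC 5176 obsoleted the RFC 3576 CoA spec) with the xx-xx-xx-xx-xx-xx Calling-Station-Id format mentioned above, screening the AVP list against a NAS allow-list so a type 55 Event-Timestamp is dropped before it earns a NAK, and then verifying the reply's authenticator and decoding its Error-Cause. The allow-list, shared secret, MAC and session id are constructed placeholders; the real supported-attribute list comes from the NAS vendor's documentation.

```python
"""Build an RFC 5176 Disconnect-Request, screen its attributes against a NAS
allow-list, and verify/decode the Disconnect-ACK or -NAK that comes back."""
import hashlib
import hmac
import struct

# Packet codes (RFC 5176) and the two CoA ports discussed in the thread
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
COA_PORT_RFC = 3799    # RFC 5176 default (the port the NAC sent to first)
COA_PORT_CISCO = 1700  # the port the Cisco WLC in the thread actually answered on

# Attribute types (RFC 2865 / 2866 / 2869 / 5176)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
ACCT_SESSION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 44, 55, 101

# Error-Cause values from RFC 5176 section 3.5 (subset)
ERROR_CAUSE_NAMES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    407: "Invalid Attribute Value", 503: "Session Context Not Found",
}

# Constructed allow-list for this example only; take the real one from the
# NAS vendor's CoA documentation (the Cisco doc in the thread excludes type 55).
SUPPORTED_BY_NAS = {USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID}

def encode_avp(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets too."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def decode_avps(data):
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def unsupported_attrs(avps, supported=SUPPORTED_BY_NAS):
    """Attribute types the NAS would NAK with Error-Cause 401 (e.g. type 55)."""
    return [t for t, _ in avps if t not in supported]

def build_packet(code, identifier, avps, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    attrs = b"".join(encode_avp(t, v) for t, v in avps)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def make_response(code, request, avps, secret):
    """What the NAS returns: the Response Authenticator binds to the request's."""
    attrs = b"".join(encode_avp(t, v) for t, v in avps)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs

def verify_response(response, request, secret):
    """Reject replies whose identifier, length or authenticator do not match."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def nak_reason(response):
    """(code, name) from a NAK's Error-Cause AVP, or None when it carries none."""
    for t, v in decode_avps(response[20:]):
        if t == ERROR_CAUSE and len(v) == 4:
            code = struct.unpack("!I", v)[0]
            return code, ERROR_CAUSE_NAMES.get(code, "unknown")
    return None

def disconnect_request(identifier, mac, session_id, secret, timestamp=None):
    """Build the request the NAC would send, dropping any AVP the NAS rejects.
    Returns (packet, dropped_attribute_types)."""
    avps = [(CALLING_STATION_ID, mac), (ACCT_SESSION_ID, session_id)]
    if timestamp is not None:
        avps.append((EVENT_TIMESTAMP, timestamp))
    dropped = unsupported_attrs(avps)
    kept = [(t, v) for t, v in avps if t not in dropped]
    return build_packet(DISCONNECT_REQUEST, identifier, kept, secret), dropped
```

Transport is left out: send the bytes from disconnect_request over UDP to the NAS (3799 per the RFC, 1700 for the WLC in this thread) and hand the reply to verify_response before reading nak_reason.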
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
So apparently that changed. If you search on Cisco, you will note that they seemed to go away from the default port. I do not think we would be getting a properly formatted NAK if we were sending to the wrong port. But I am going to ask the other institution to validate that.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Ryan,

Have you tried UDP port 1700? As far as I can remember, the default port when adding a radius client for a cisco device was 1700.

Also - I usually refer to this link that has the different CoA pcaps captured from a cisco perspective:
https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing

Source - https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks
Abhi

On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:

Thank you Felix. We do have this attribute present. Let me see if I can get it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them to reauthenticate to their new policy (for example, a user is online and doing something bad, we send a disconnect message to the controllers and the user reconnects and authenticates with the new role).

We are now having to integrate with another institution's Cisco wireless controllers. We have the authentication stuff working great. But we are unable to get the disconnect/CoA to work. We believe we have the correct format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I think it is UDP 3799 off the top of my head). We are getting back NAKs, and the message indicated is ‘invalid attributes’. We aren’t sure what attributes to send back for the disconnect. Obviously the other third party NACs have to do this correctly, but I’ve been unable to find documentation. Extreme has some old documentation, but it appears wrong. Any experts out there on this? Anyone willing to do a reauthentication from their NAC to their controllers and send us the packet trace? If we know what attributes you are sending, that is likely what we need to make this work.

I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a ticket with Cisco. But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
I reversed that. The standard is 3799, and I know Cisco tends to use 1700. But I see plenty of documentation on 3799 for Cisco. I’ll confirm.
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Ryan,

Have you tried UDP port 1700? As far as I can remember, the default port when adding a RADIUS client for a Cisco device was 1700.

Also - I usually refer to this link that has the different CoA pcaps captured from a Cisco perspective: https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing
Source - https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks
Abhi

> On Apr 17, 2020, at 8:07 AM, Turner, Ryan H wrote:
>
> Thank you Felix. We do have this attribute present. Let me see if I can get it removed.
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
> Sent: Friday, April 17, 2020 9:52 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>
> This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present.
>
> thx,
> felix
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
> Date: Friday, April 17, 2020 at 9:26 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
> Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
>
> We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them to reauthenticate to their new policy (for example, a user is online and doing something bad, we send a disconnect message to the controllers and the user reconnects and authenticates with the new role).
>
> We are now having to integrate with another institution’s Cisco wireless controllers. We have the authentication stuff working great. But we are unable to get the disconnect/CoA to work. We believe we have the correct format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I think it is UDP 3799 off the top of my head). We are getting back NAKs, and the message indicated is ‘invalid attributes’. We aren’t sure what attributes to send back for the disconnect. Obviously the other third-party NACs have to do this correctly, but I’ve been unable to find documentation. Extreme has some old documentation, but it appears wrong. Any experts out there on this? Anyone willing to do a reauthentication from their NAC to their controllers and send us the packet trace? If we know what attributes you are sending, that is likely what we need to make this work.
>
> I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a ticket with Cisco. But this may get me results quicker.
>
> Thanks!
>
> Ryan Turner
> Head of Networking
> Communication Technologies | Information Technology Services
> r...@unc.edu
> +1 919 445 0113 (Office)
> +1 919 274 7926 (Mobile)
RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
Thank you Felix. We do have this attribute present. Let me see if I can get it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" <rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them to reauthenticate to their new policy (for example, a user is online and doing something bad, we send a disconnect message to the controllers and the user reconnects and authenticates with the new role).

We are now having to integrate with another institution’s Cisco wireless controllers. We have the authentication stuff working great. But we are unable to get the disconnect/CoA to work. We believe we have the correct format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I think it is UDP 3799 off the top of my head). We are getting back NAKs, and the message indicated is ‘invalid attributes’. We aren’t sure what attributes to send back for the disconnect. Obviously the other third-party NACs have to do this correctly, but I’ve been unable to find documentation. Extreme has some old documentation, but it appears wrong. Any experts out there on this? Anyone willing to do a reauthentication from their NAC to their controllers and send us the packet trace? If we know what attributes you are sending, that is likely what we need to make this work.

I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a ticket with Cisco. But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)
Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)
This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them to reauthenticate to their new policy (for example, a user is online and doing something bad, we send a disconnect message to the controllers and the user reconnects and authenticates with the new role).

We are now having to integrate with another institution’s Cisco wireless controllers. We have the authentication stuff working great. But we are unable to get the disconnect/CoA to work. We believe we have the correct format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I think it is UDP 3799 off the top of my head). We are getting back NAKs, and the message indicated is ‘invalid attributes’. We aren’t sure what attributes to send back for the disconnect. Obviously the other third-party NACs have to do this correctly, but I’ve been unable to find documentation. Extreme has some old documentation, but it appears wrong. Any experts out there on this? Anyone willing to do a reauthentication from their NAC to their controllers and send us the packet trace? If we know what attributes you are sending, that is likely what we need to make this work.

I’ve opened a ticket to Extreme, and I’ve asked the other institution to open a ticket with Cisco. But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)
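As an added example (not code from this thread, nor from Extreme, Cisco or Aruba), a minimal RFC 5176 Disconnect-Request builder and reply checker in Python showing the two points the thread turns on: strip Event-Timestamp (type 55) from the CoA before sending, and verify a Disconnect-NAK's Response Authenticator before trusting its Error-Cause. simulate_wlc is a constructed stand-in that models the NAK behaviour Felix and Ryan describe, not the Cisco controller; the shared secret and attribute values are constructed, and nothing is sent on the wire (so the thread's port 1700 versus the RFC's 3799 is not exercised here).

```python
import hashlib
import struct
# Standard values: RFC 2865 attribute types, RFC 5176 packet codes and Error-Cause.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 31, 55, 101
UNSUPPORTED_ATTRIBUTE = 401  # the Error-Cause a NAS returns when it rejects an AVP

def strip_attribute(avps, attr_type):
    """Drop an attribute the NAS rejects; the thread's case is Event-Timestamp (55)."""
    return [(t, v) for t, v in avps if t != attr_type]

def encode_avps(avps):
    """Encode (type, value) pairs as RADIUS TLVs; Length includes the 2-byte TL header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(packet):
    """Walk the attribute region after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed AVP at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def _packet(code, identifier, auth_input, secret, avps):
    """RFC 5176 s.3: Authenticator = MD5(Code|ID|Length|auth_input|Attributes|Secret)."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + auth_input + body + secret).digest() + body

def build_disconnect_request(identifier, secret, avps):
    """NAC side: the Request Authenticator is computed over 16 zero octets."""
    return _packet(DISCONNECT_REQUEST, identifier, bytes(16), secret, avps)

def simulate_wlc(request, secret):
    """Constructed stand-in for the WLC: NAK 401 when Event-Timestamp is present, else ACK."""
    if hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest() != request[4:20]:
        raise ValueError("bad Request Authenticator")  # a real NAS silently discards these
    if EVENT_TIMESTAMP in decode_avps(request):
        return _packet(DISCONNECT_NAK, request[1], request[4:20], secret, [(ERROR_CAUSE, struct.pack("!I", UNSUPPORTED_ATTRIBUTE))])
    return _packet(DISCONNECT_ACK, request[1], request[4:20], secret, [])

def parse_reply(request, reply, secret):
    """Verify the reply against our request (RFC 5176 s.3); return (code, attrs), Error-Cause decoded."""
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1:2] != request[1:2] or reply[4:20] != expect:
        raise ValueError("reply does not authenticate against our request (wrong secret or spoofed)")
    attrs = decode_avps(reply)
    if len(attrs.get(ERROR_CAUSE, b"")) == 4:
        attrs[ERROR_CAUSE] = struct.unpack("!I", attrs[ERROR_CAUSE])[0]
    return reply[0], attrs
```

Feeding the same request to the stand-in with and without type 55 reproduces the NAK-then-ACK sequence the thread arrived at, and parse_reply rejects any reply whose Response Authenticator does not match the shared secret and the request actually sent.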