RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
So apparently that changed. If you search on Cisco, you will note that they seemed to go away from the default port. I do not think we would be getting a properly formatted NAK if we were sending to the wrong port. But I am going to ask the other institution to validate that. From: The

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I reversed that. The standard is 3799, and I know Cisco tends to use 1700. But I see plenty of documentation on 3799 for Cisco. I’ll confirm. From: Turner, Ryan H Sent: Friday, April 17, 2020 12:00 PM To: The EDUCAUSE Wireless Issues Community Group Listserv Subject: RE: [WIRELESS-LAN]

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I really think Felix hit the nail on the head. I found the documentation with the supported attributes for CoA and Cisco. Type 55 (Event-Timestamp) is NOT a supported option. We are getting NAKs back stating that we are sending an ‘Unsupported Attribute’. I am asking Extreme how to strip 55

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Curtis K. Larsen
We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H Sent: Friday, April 17, 2020 10:01 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re:

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Care to share a link to the doc? > On Apr 17, 2020, at 10:13 AM, Turner, Ryan H wrote: > > I really think Felix hit the nail on the head. I found the documentation > with the supported attributes for CoA and Cisco. Type 55 (Event-Timestamp) > is NOT a supported option. We are getting NAKs

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches what we are doing omits the Time Stamp AVP. The Coa-Reauth has the time stamp. I am a little confused. Did the first or second fail? From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
So I think we’ve refined the problem to two methods. Method one is a Radius-Disconnect. It does not appear that AVP type 55 is supported with that method. Method two is a CoA-Reauth. Looking at packet captures provided to me from ISE, it does appear that AVP type 55 is expected for that form.

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
If someone could please do a packet capture of a reauthentication and give me the Radius part with the AVP pairs, this would really help. Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On Apr 17, 2020, at 12:13

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Here are some PCAPs for you folks. https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0 One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth from CPPM failed). Also, if

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you Felix. We do have this attribute present. Let me see if I can get it removed. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Felix Windt Sent: Friday, April 17, 2020 9:52 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Advanced NAC

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Abhiramms
Ryan, Have you tried UDP port 1700? As far as I can remember, the default port when adding a radius client for a Cisco device was 1700. Also - I usually refer to this link that has the different CoA pcaps captured from a Cisco perspective:

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
I uploaded the failed Reauth from CPPM along with the debug from the controller to that folder if you want to see what the output was. The WLC tells you what it likes/disliked. > On Apr 17, 2020, at 11:49 AM, Jake Snyder wrote: > > Both of those worked. Both received ACKs from the WLC. >

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder Sent: Friday, April 17, 2020 1:06 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you!! From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder Sent: Friday, April 17, 2020 1:28 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization) Here are some PCAPs for

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Jake Snyder
Both of those worked. Both received ACKs from the WLC. > On Apr 17, 2020, at 11:38 AM, Turner, Ryan H wrote: > > Thank you! You are getting ACKs on both, and the ‘Disconnect’ that matches > what we are doing omits the Time Stamp AVP. The Coa-Reauth has the time > stamp. I am a

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I misunderstood your second part. Thank you very much. I think we have the problem sufficiently narrowed… I love getting deep into RADIUS stuff. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jake Snyder Sent: Friday, April 17, 2020 1:50 PM To:

Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
We currently use Extreme Network Access Control. We have had this for 14 years and it works very well. We integrated it with Aruba wireless years ago, and we are able to send back filter IDs on the initial authentication to change roles, as well as issue disconnects to the user, forcing them

Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Felix Windt
This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking CoAs when the Event-Timestamp attribute was present. thx, felix From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Turner, Ryan H" Reply-To: The EDUCAUSE Wireless Issues Community Group

Re: [WIRELESS-LAN] Doodle Poll Results for Virtual Session - Covid-19 Response -> Friday April 17 (3 pm Eastern, 12 pm Pacific)

2020-04-17 Thread Kenny, Eric
Hi WIRELESS-LAN, Big thanks to Mike Ferguson for helping put all of this together. For this afternoon’s virtual meetup, we’ve prepared an Agenda, which you’ll see is pretty informal as most of what we discuss will be based on the flow of conversation:

why 2802E APs slot 0 interface goes down intermittently

2020-04-17 Thread Will Dawes
We have almost 100 Cisco model 2802E APs in production, and (having some spare time) looked further as to why, every couple of months, we’d notice that a 5Ghz interface was down, and, we would have to reboot each AP, to get the slot 0 interface back up. Note that this AP has a dual 5Ghz