Ryan,

Have you tried UDP port 1700?
As far as I can remember, the default port when adding a RADIUS client for a 
Cisco device was 1700. 

Also - I usually refer to this link that has the different CoA pcaps captured 
from a Cisco perspective:

https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing

Source - 
https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks 
Abhi 


> On Apr 17, 2020, at 8:07 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
> 
> 
> Thank you Felix.  We do have this attribute present.  Let me see if I can get 
> it removed.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
> Sent: Friday, April 17, 2020 9:52 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change 
> of Authorization)
>  
> This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
> CoAs when the Event-Timestamp attribute was present.
>  
> thx,
> felix
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
> <rhtur...@email.unc.edu>
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, April 17, 2020 at 9:26 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
> Authorization)
>  
> We currently use Extreme Network Access Control.  We have had this for 14 
> years and it works very well.  We integrated it with Aruba wireless years 
> ago, and we are able to send back filter IDs on the initial authentication to 
> change roles, as well as issue disconnects to the user, forcing them to 
> reauthenticate to their new policy (for example, a user is online and doing 
> something bad, we send a disconnect message to the controllers and the user 
> reconnects and authenticates with the new role).
>  
> We are now having to integrate with another institution's Cisco wireless 
> controllers.  We have the authentication stuff working great.  But we are 
> unable to get the disconnect/CoA to work.  We believe we have the correct 
> format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
> think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
> the message indicated is ‘invalid attributes’.  We aren’t sure what 
> attributes to send back for the disconnect.  Obviously the other third party 
> NACs have to do this correctly, but I’ve been unable to find documentation.  
> Extreme has some old documentation, but it appears wrong.  Any experts out 
> there on this?  Anyone willing to do a reauthentication from their NAC to 
> their controllers and send us the packet trace?  If we know what attributes 
> you are sending, that is likely what we need to make this work.
>  
> I’ve opened a ticket to Extreme, and I’ve asked the other institution to open 
> a ticket with Cisco.  But this may get me results quicker.
>  
> Thanks!
>  
> Ryan Turner
> Head of Networking
> Communication Technologies | Information Technology Services
> r...@unc.edu
> +1 919 445 0113 (Office)
> +1 919 274 7926 (Mobile)
>  
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community
> 

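For anyone comparing packet traces as discussed in this thread, the following is an added example (not part of the original messages, and not vendor code) that builds and decodes RFC 5176 Disconnect/CoA packets. It shows which attributes a request carries, such as Calling-Station-Id and Event-Timestamp, and which Error-Cause a NAK returns. The shared secret, MAC address, timestamp and NAK contents are constructed sample values.

```python
import hashlib, hmac, struct
# Codes and attribute numbers from RFC 5176, RFC 2865 and RFC 2869.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
         44: "Acct-Session-Id", 55: "Event-Timestamp", 101: "Error-Cause"}
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                404: "Invalid Request", 407: "Invalid Attribute Value",
                503: "Session Context Not Found"}

def build_request(code, ident, attrs, secret):
    """Encode a Disconnect/CoA request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 5176: authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def authenticator_ok(packet, secret):
    """Recompute the request authenticator, as the receiving NAS does."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def parse(packet):
    """Return (packet type, {attribute name: decoded value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype in (55, 101) and alen == 6:      # 32-bit integer attributes
            value = struct.unpack("!I", value)[0]
        elif atype in (1, 31, 44):                # text attributes
            value = value.decode("ascii", "replace")
        if atype == 101:
            value = ERROR_CAUSES.get(value, value)
        found[ATTRS.get(atype, "Attr-%d" % atype)] = value
        pos += alen
    return CODES.get(code, "Code-%d" % code), found

# Constructed sample data; the NAK's response authenticator is zeroed and not verified.
SECRET = b"example-secret"
REQUEST = build_request(40, 7, [(31, b"aa-bb-cc-dd-ee-ff"),
                                (55, struct.pack("!I", 1587130000))], SECRET)
NAK = struct.pack("!BBH", 42, 7, 26) + bytes(16) + struct.pack("!BBI", 101, 6, 401)
```

Feeding the UDP payload bytes from a capture into `parse()` gives the same attribute listing for a real request or NAK.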