From: John S. <js...@as...> - 2019-02-22 09:44:24
Is there a way to send the RADIUS CoA to the AP from the CLI to check it's being sent? Or is there a way to set this up in PacketFence that I've missed? I can see that it's possible to send a request from the CLI with FreeRADIUS, but I'm unsure of how to find the session ID. I ran a port scan on the APs but there are no top ports open. I appreciate RADIUS uses UDP, but a management interface would be useful for troubleshooting.

Not having the ability to disconnect the client from the controller was fairly telling. But as I can't connect to an AP I'm not sure how to proceed. It may also be possible if the access points are configured to run without a controller; I believe this is called "Aruba Instant", but I'm unsure of what other implications this would have for the rest of the setup.

We have an HP wireless product but I think it works the other way round. The requests come from the APs but the disconnect message is sent to the controller.

From: Durand fabrice via PacketFence-users [mailto:pac...@li...]
Sent: 22 February 2019 02:43
To: pac...@li...
Cc: Durand fabrice <fd...@in...>
Subject: Re: [PacketFence-users] ArubaOS - Deauth

And what about if the CoA is sent to the AP?

On 19-02-21 at 10:57, John Sayce via PacketFence-users wrote:

It seems that the Aruba controllers can't disconnect users if the SSID is using bridge mode. This applies both to disconnects sent from an external RADIUS server and to simply entering the command from the controller. This article states this: https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-are-the-forward-modes-supported-in-Radius-CoA/ta-p/234164

Personally I think this is poor. I'm not sure why people want to tunnel traffic through the controller, but if I have to then I guess it'll do.

From: Chris Burrell [mailto:chr...@vo...]
Sent: 04 February 2019 15:09
To: pac...@li...
Cc: John Sayce <js...@as...>
Subject: Re: [PacketFence-users] ArubaOS - Deauth

Hi John

I currently have this working with similar: MM, 3 x 7200 controllers and PF. Do you have a Mobility Master setup?

Do not use CoA in PF for Disconnect. Use RADIUS instead. And the Aruba 200 controller template.

Make sure you are sending back the correct spelling for the roles from PF to the controllers for RFC 3576. Case sensitive.

RFC 3576 - for MM - System / Profiles / Wireless LAN / RFC 3576

Let me know more around your setup and I will assist where I can.

Thanks

Chris Burrell
Head of Network at Vox
www.vox.co.za
From: John Sayce via PacketFence-users <pac...@li...>
Reply-To: pac...@li...
Date: Monday, 04 February 2019 at 15:38
To: pac...@li...
Cc: John Sayce <js...@as...>
Subject: [PacketFence-users] ArubaOS - Deauth

I've got an existing setup that works fine using an HP MSM 720. This works using SNMP for the deauthentication method. I'm now trying to get the same setup from an Aruba 7200 controller that's running ArubaOS 8.4.

I can join a wireless network and VLANs are dynamically assigned. However, I believe the registration process needs to deauthorise the client so they can re-authenticate and get assigned to a VLAN with the appropriate access. PacketFence appears to use RADIUS for this no matter what is set in the de-authentication method for the device, and I believe this then requires configuration of an "RFC3576" server based on the instructions. This bit is new to me so I'm not overly familiar with this.

Nothing I do seems to deauthorise the client. In fact I can't even find a way to achieve this on the CLI of the controller. The PacketFence pfqueue log has the following:

    Feb 04 09:56:40 pfqueue(20025) WARN: [mac:40:a3:cc:67:1b:91] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Session-Context-Not-Found. (pf::Switch::Aruba::radiusDisconnect

I've also run debugging on the controller, which has yielded the following:

    Feb 1 16:00:39 :520001: <4709> <DBUG> |authmgr| [rc_rfc3576.c:1256] IP:0.0.0.0, Name:(null) sessid=40:a3:cc40A3CC671B91-5C5469DD-70FD3, sta_id=40-A3-CC-67-1B-91, reqcode=40, rspcode=42, nack=1, error_cause=missing session

This led me to this article: https://community.arubanetworks.com/t5/Controller-Based-WLANs/Possible-reasons-for-controller-sending-a-Disconnect-NAK/ta-p/272242

It suggests the issue in the example is the formatting of the MAC address; however, I've modified the following section of code in the Aruba.pm file to present the MAC in every way I can think of, and this doesn't resolve the issue:

    # transforming MAC to the expected format 00-11-22-33-CA-FE
    $mac = uc($mac);
    $mac =~ s/:/-/g;

    # Standard Attributes
    my $attributes_ref = {
        'Calling-Station-Id' => $mac,
        'NAS-IP-Address'     => $send_disconnect_to,
        'Acct-Session-Id'    => $acctsessionid,
    };

Wireshark packet captures confirm the formatting of the MAC address changes with the modification of the code. I've also tried all combinations of the MAC Delimiter field on the controller.

The article I posted above, however, talks of requiring four attributes: username, framed-ip-address, calling-station-id and accounting-session-id. I can't see the username attribute in either the code or the packet capture, so I'm wondering if this is a requirement that changed between ArubaOS 6.0, which the manual references, and this article, which is ArubaOS 6.2. Not sure if this is the issue or whether I've missed something. It may be that this attribute is optional.

There's the possibility I'm running into a license issue on the Aruba controller. The documentation talks of setting up roles on the controller and using an external portal. I can't do this because we haven't got a "PEF" license for the controller. So rather than using the roles I'm sticking with assigning VLANs, which works okay. The MAC authentication may simply be limited to authorisation and VLAN assignment, but when all I need to do is deauthorise the client I feel I'm pretty close to getting things working. Although I'd feel more confident if I'd found a way to deauthorise a client from the CLI of the controller.

The manual suggests I can't use RADIUS CoA unless the forwarding mode is set to "Tunnel" or "Decrypt-Tunnel". I am using "Bridge" as the forwarding mode, but I'm only looking to use the "Disconnect-Request" code to disconnect the client, which I believe is different. I can't see anything else that suggests there is a licensing issue in the manual, but I may be mistaken. I'm not really sure if I need to speak to Aruba support, but any relevant information would be useful.

Thanks

John Sayce

_______________________________________________
PacketFence-users mailing list
Pac...@li...
https://lists.sourceforge.net/lists/listinfo/packetfence-users
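The Disconnect-Request / Disconnect-NAK exchange that John's pfqueue log and the controller's rc_rfc3576.c debug line describe, as an added example that is not PacketFence or ArubaOS code. It encodes a Disconnect-Request with the same three attributes the quoted Aruba.pm fragment sends (plus the optional User-Name the Aruba article mentions), computes the RFC 5176 Request Authenticator, and decodes the controller's reply: it checks the Response Authenticator against the shared secret, then translates Error-Cause 503 to Session-Context-Not-Found, which is exactly what the log reports. The shared secret, the NAS IP 192.0.2.10, the session ID and the packet identifier are constructed values, and `build_response` only simulates the controller's side so the whole exchange runs offline and can be compared byte-for-byte with a Wireshark capture.

```python
"""RFC 5176 Disconnect-Request encoder and Disconnect-ACK/NAK decoder.

Added example (not PacketFence or ArubaOS code). Packet layout follows
RFC 2865 / RFC 5176; the secret, NAS IP, session id and identifier used
in demo() are constructed values.
"""
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes used by dynamic authorization (RFC 5176 section 2.2)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
CODE_NAMES = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}

# Attribute types (RFC 2865 / RFC 2866 / RFC 5176)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
ERROR_CAUSE = 101

# Error-Cause values from RFC 5176 section 3.5 (the NAK in the thread carried 503)
ERROR_CAUSES = {
    401: "Unsupported-Attribute",
    402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch",
    404: "Invalid-Request",
    501: "Administratively-Prohibited",
    503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable",
    506: "Resources-Unavailable",
}


def aruba_mac(mac):
    """Normalise any common MAC spelling to 00-11-22-33-CA-FE, the format the
    quoted Aruba.pm fragment produces with uc() and s/:/-/g."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, mac, nas_ip, acct_session_id, identifier, username=None):
    """Encode a Disconnect-Request as the RADIUS server (PacketFence's role here)
    would send it to the controller's RFC 3576 listener."""
    attrs = avp(CALLING_STATION_ID, aruba_mac(mac).encode())
    attrs += avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += avp(ACCT_SESSION_ID, acct_session_id.encode())
    if username is not None:  # optional: the Aruba article lists it, Aruba.pm does not send it
        attrs += avp(USER_NAME, username.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 2.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """NAS side of the exchange; used only to simulate the controller's ACK/NAK offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_response(packet, secret, request):
    """Validate a Disconnect-ACK/NAK against the request it answers and return
    (code name, Error-Cause name or None); raise ValueError on forgery or corruption."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if identifier != request[1]:
        raise ValueError("Identifier does not match outstanding request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator check failed (wrong secret or tampered reply)")
    cause = None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == ERROR_CAUSE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            cause = ERROR_CAUSES.get(number, "unknown(%d)" % number)
    return CODE_NAMES.get(code, "code %d" % code), cause


def demo():
    """Replay the exchange from the thread: request sent, NAK with Error-Cause 503 returned."""
    secret = b"constructed-shared-secret"  # constructed value
    request = build_disconnect_request(secret, "40:a3:cc:67:1b:91", "192.0.2.10",
                                       "CONSTRUCTED-SESSION-ID", identifier=7)
    nak = build_response(DISCONNECT_NAK, request, secret, avp(ERROR_CAUSE, struct.pack("!I", 503)))
    return parse_response(nak, secret, request)


if __name__ == "__main__":
    print(demo())  # ('Disconnect-NAK', 'Session-Context-Not-Found')
```

Two things worth noting when comparing this with a capture. A NAK whose Response Authenticator verifies under the configured secret proves the controller accepted the packet as genuine and simply had no session matching the Calling-Station-Id / Acct-Session-Id pair, so the fault is in session lookup rather than in the secret or the MAC delimiter; a verification failure points at the shared secret instead. This block omits the Message-Authenticator attribute that FreeRADIUS-based senders may add, so a real capture can be a few bytes longer than what `build_disconnect_request` returns.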