CoA to public IP

  • Question
  • Updated 3 years ago
Maybe a weird question :-D. I'm trying to make a guest manager with CWP and an external RADIUS server. Everything works fine if everything is on the same network (RADIUS server and Aerohive access points). But it would be great if it also works if the RADIUS server and the access points are on different networks. For the moment the authentication works fine in this situation, but the CoA (disconnection packet) is not working. If I forward port UDP 3799 to one AP, the disconnection works on that AP but not on the other APs.

I also tried to configure one AP as proxy and forward the UDP 3799 port to this AP. But this isn't working. I think because the option "Permit Dynamic Change of Authorization Messages (RFC 3576)" is not supported by RADIUS Proxy.

I also tried this situation with Aruba Instant, and if I use the virtual management IP in combination with "Dynamic RADIUS Proxy" enabled this works perfectly.
Jonas Dekkers

Posted 3 years ago

Nick Lowe, Official Rep

What do you mean by public IP in this context? You must ultimately send the CoA request packet on to an AP's management IP address.

I suspect that you need to run HiveOS 6.6r1 or later for CoA to work properly.

You ought to reference the session via the Acct-Multi-Session-Id and not the Acct-Session-Id.

The Acct-Multi-Session-Id is the session id that is globally unique among all APs, present for all related sessions that share/relate to the same, original EAP authentication and is required in roaming scenarios. (When 802.1X re-authentication occurs, another EAP authentication takes place but it is still related.)

Acct-Session-Ids are BSS-specific, and therefore AP/NAS-specific; there is therefore a race condition when roaming from one BSS to another if you reference by this.

Support for referencing a session via the Acct-Multi-Session-Id was added in HiveOS 6.6r1. This is mentioned in the release notes. It is one of the deficiencies that I found and raised during the beta process for HiveOS 6.4r1.

FreeRADIUS can proxy CoA, but it is draft and not standards-based behaviour.

The following draft is an interesting read in this area:

https://tools.ietf.org/html/draft-dekok-radext-coa-proxy-00

You also ought to be aware that there is a bug in HiveOS 6.6r1 where the Acct-Multi-Session-Id is intermittently missing for some sessions in HiveOS. Shown in a screenshot from Wireshark. The left hand side shows the attribute missing, the right shows it present as expected:


I am pushing to get this one resolved in a future HiveOS release.
Nick Lowe, Official Rep

Actually, re-reading your question, you are almost certainly referencing sessions via the Calling-Station-Id which is available from auth, the client's MAC address, and not a session id.

(HiveOS, as with most devices, does not include an Acct-Session-Id in the Access-Request packets that it sends so without subsequent accounting information you struggle to know what this is.)

It slipped my mind that HiveOS does not yet perform RADIUS accounting for CWP-based access so you'd not easily be privy to an Acct-Session-Id or Acct-Multi-Session-Id...

My answer is likely off on a tangent therefore, oops! :) *grin*

A clarification also... Acct-Session-Ids are BSS-specific insofar as a client gets a new one when it roams from one BSS to another. They are, by spec, scoped to the AP (NAS) however.
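As an added illustration of the two points Nick makes above (session referencing by Acct-Multi-Session-Id versus Acct-Session-Id, and the roaming race that follows from Acct-Session-Id being BSS-scoped), here is a small Python sketch that is not code from this thread, from Aerohive, or from FreeRADIUS. It builds an RFC 5176 Disconnect-Request the way a RADIUS server would, computes and verifies the Request Authenticator with the shared secret (the only integrity protection the packet has on the wire), and runs the request against a constructed NAS session table in which the client has already roamed to a second BSS. The packet code (40) and attribute numbers (4, 31, 44, 50) are the IANA-assigned RADIUS values; the session ids, MAC address, IP address and secret are constructed sample values.

```python
"""Constructed example: RFC 5176 Disconnect-Request plus a toy NAS-side session
lookup showing why referencing by Acct-Multi-Session-Id survives a BSS roam."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40            # RFC 5176 packet code
ATTR_NAS_IP_ADDRESS = 4            # IANA RADIUS attribute numbers
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_MULTI_SESSION_ID = 50


def encode_attrs(attrs):
    """Encode a list of (type, value-bytes) pairs as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Decode RADIUS TLV attributes back into (type, value-bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(body):
        attr_type, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 3 or pos + length > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """Server side: Code, Identifier, Length, Request Authenticator, Attributes."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    # RFC 5176 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """NAS side: a wrong shared secret or a modified attribute fails this check."""
    if len(packet) < 20:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def find_session(sessions, attrs):
    """Toy NAS lookup: match on Acct-Multi-Session-Id first, then Acct-Session-Id.
    Returns the matching session dict, or None (a real NAS would then send a
    Disconnect-NAK with Error-Cause 503, Session Context Not Found)."""
    wanted = dict(attrs)
    multi = wanted.get(ATTR_ACCT_MULTI_SESSION_ID)
    single = wanted.get(ATTR_ACCT_SESSION_ID)
    for session in sessions:
        if multi is not None and session["multi"] == multi:
            return session
    for session in sessions:
        if single is not None and session["acct"] == single:
            return session
    return None


# Constructed NAS session table after the client roamed from BSS 1 to BSS 2:
# a fresh Acct-Session-Id was issued, but the Acct-Multi-Session-Id carried over.
NAS_SESSIONS = [
    {"acct": b"5F3A0002", "multi": b"AAAA000000000001", "bss": 2,
     "mac": b"AA-BB-CC-DD-EE-FF"},
]
STALE_ACCT_SESSION_ID = b"5F3A0001"   # the id the server learned before the roam
SECRET = b"constructed-shared-secret"  # constructed; never reuse a sample secret

if __name__ == "__main__":
    attrs = [(ATTR_NAS_IP_ADDRESS, bytes([10, 10, 120, 10])),
             (ATTR_ACCT_MULTI_SESSION_ID, b"AAAA000000000001"),
             (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")]
    packet = build_disconnect_request(SECRET, 7, attrs)
    print("authenticator ok:", verify_request_authenticator(packet, SECRET))
    print("by multi-session id:", find_session(NAS_SESSIONS, decode_attrs(packet[20:])))
    print("by stale session id:",
          find_session(NAS_SESSIONS, [(ATTR_ACCT_SESSION_ID, STALE_ACCT_SESSION_ID)]))
```

The lookup by the stale Acct-Session-Id returns nothing, which is exactly the roaming race described above: by the time the server sends the request, the client may already hold a new Acct-Session-Id on another BSS, while the Acct-Multi-Session-Id still identifies it. The verification step also makes the transport point concrete: the packet's only protection is an MD5 over a shared secret, so carrying it over a VPN rather than the raw internet, as suggested later in the thread, is the appropriate mitigation.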
Jonas Dekkers

Hi Nick, for the moment we are running 6.5r1. I'll try to upgrade this as soon as possible, but our HiveManager says it is up to date if we check this with Help (we have our own on-premise HiveManager).

How can I send a CoA to an access point's management IP address if the RADIUS server and the access point are not in the same network? (There is no VPN connection or other connection between the sites, only the internet :-D.) If we can make this work, everything can be managed in the cloud and no additional hardware needs to be added to Site B or other sites we add later.

So my situation:
On Site A my RADIUS server is running.
Internal IP: 192.168.1.3
External IP (example): 88.88.88.88
NAS IP: 88.88.88.70

On Site B my access points are running.
Internal IPs: 10.10.120.10-10.10.120.30
External IP (example): 88.88.88.70
Firewall:
  • For Aruba I forwarded the port UDP 3799 to the virtual management IP (= working)
  • For Aerohive it only works for one AP (AP configured as proxy is not working)

What is working:
  • CWP is displaying the web page that runs on Site A
  • Users can connect on Site B with users created on Site A

What is not working:
  • CoA is not working for Aerohive
Nick Lowe, Official Rep

I think that you are misunderstanding what CoA is. CoA does work with Aerohive.

CoA terminates or changes the operational parameters of sessions that are referenced at a NAS which the NAS therefore has to be privy to. That is not, by some magic, all of the sessions that incidentally happen to have the same User-Name in multiple, independent sites.

Sessions are typically referenced via the Acct-Session-Id or the Acct-Multi-Session-Id.

There is no dependency on or use of HiveManager in any way here. A feature as you expect/describe abstractly and conceptually would have to relay/proxy through HiveManager which is definitely not the Aerohive way.

Such a feature, again abstractly and conceptually, could not work properly (reliably/securely) anyway due to anonymous EAP outer identities, otherwise known as identity privacy.

Does this make sense? :)
Jonas Dekkers

Nick, I know CoA works with Aerohive because the disconnection works perfectly if my RADIUS server is on the same network as my APs. But in the situation I described in my previous post I can't get it to work.

So what's my problem: My RADIUS program sends a CoA request to the external public IP of Site B. But my firewall doesn't know what to do with this packet. With Aruba Instant I can forward this packet (UDP 3799) to the virtual controller IP address and this will do the disconnection (no matter which AP the guest is connected to on the network). But for Aerohive I don't have something like a virtual controller or a controller. I was hoping I could send it to an Aerohive AP configured as proxy.

Do you understand what I want to achieve?

Thanks a lot for the support so far and I will read the documentation of the link you provided me.
Nick Lowe, Official Rep

My suggestion is to use a VPN (RADIUS traffic shouldn't ever go over the public internet unencrypted), and to use NAT with port forwarding if and where you need to.
Jonas Dekkers

Thanks for the support.
Roberto Minotti, Employee

I had a similar request from one of my partners and I suggested setting up the VPN from the AP to the farm where the RADIUS server resides (so, using private IP). Of course you need to tunnel just the RADIUS request/response, not all the traffic. This can easily help you to use CoA.

It works.
Ciao, Roberto