Open effertzdv opened 3 years ago
Hello @effertzdv,
Thanks for your report.
When I created the Aruba Switch NG switch template, tested on an Aruba 2530 with ArubaOS 16.10, I had difficulty making RADIUS disconnect work correctly. So this switch template doesn't use NAS-Port for RADIUS disconnect but relies on Acct-Session-Id. However, it requires accounting to be configured on the switch. Also there is no CoA scope for this switch template, only a disconnect scope.
Do you want to submit a patch for the Aruba 2930M Perl module?
If you agree, you can also do some tests on the Aruba Switch NG switch template (directly in the web admin) and report your results.
Hi @nqb,
I'm no Perl expert, but after a short peek it looks like only a single line needs to be changed.
The 2530 should accept the same CoA Request to bounce a port. At least the Management Guide for the 2530 shows the same CoA profile settings as for the 2930F/M (page 213).
I will go ahead and try to create my first patch ;)
Just to avoid any confusion: are you trying to bounce a port using CoA, or just trigger a new RADIUS request using CoA?
Generally speaking I have no preference, and both are OK for me as an action when a security event is triggered. In fact I am using the 2930M Perl module.
I saw the CoA-NAK responses in the audit log when my test node reached the bandwidth limit. So I took a packet trace. In these requests the HPE-Bounce-Host-Port attribute was set, but it didn't work because the NAS-Port attribute was missing.
I haven't seen any request with a session id (Acct-Session-Id).
Did a quick test: I changed the switch type from Aruba::2930M to Aruba::ArubaSwitchNG. Now a CoA disconnect packet is sent and acknowledged by the switch when the Bandwidth Limit security event is triggered.
For whatever reason the Aruba::2930M module sends a CoA bounce request if the same security event is triggered (which fails):
RADIUS Request
Calling-Station-Id = 68-99-cd-xx-xx-xx
User-Name = 6899cdxxxxxx
**NAS-Port-Id = 37**
NAS-IP-Address = 19x.1xx.xx.xxx
HP-Port-Bounce-Host = 12
RADIUS Reply
Event-Timestamp = 1621529159
Code = CoA-NAK
**Error-Cause = Invalid-Request**
Note: using radclient to replay that same request, but changing NAS-Port-Id to NAS-Port, worked.
The ArubaSwitchNG sends a disconnect request in the same situation:
RADIUS Request
Acct-Session-Id = 001100000025
NAS-IP-Address = 192.xxx.xx.xxx
Calling-Station-Id = 68-99-CD-xx-xx-xx
User-Name = 6899cdxxxxxx
RADIUS Reply
Acct-Terminate-Cause = Admin-Reset
Event-Timestamp = 1621527970
Code = Disconnect-ACK
I will use ArubaSwitchNG for now, and try to fix the 2930M module.
Weird, I did the code based on switch version WC.16.08.0018, and NAS-Port-Id was the only way to make it work.
I tried to solve this issue by creating a new switch template which: to send disconnect messages, but I hit the following limitation: #6434
Until this issue is solved, anyone can switch to the Aruba Switch NG switch template and enable accounting on the switch. RADIUS Disconnect will work.
**Describe the bug** RADIUS CoA requests sent to an Aruba 2930 always fail (CoA-NAK received).
**To Reproduce** Steps to reproduce the behavior:
**Expected behavior** Receive a CoA-ACK, and the port should be bounced for 12 seconds.
**Additional context** Changing the CoA item NAS-Port-Id to NAS-Port returned the expected CoA-ACK and the switch port was bounced as expected. See the Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10 (https://asp.arubanetworks.com/downloads/documents/RmlsZTo1MDk5ODgzYS0xOTk4LTExZWItODlmNS05YmMwYzMwODM4ZDU%3D), page 152, for details: NAS-Port-Id should be NAS-Port.
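The two exchanges in this thread (the port-bounce CoA-Request that the 2930M module sends with NAS-Port-Id and gets a CoA-NAK / Invalid-Request for, the same request with NAS-Port that is ACKed, and the ArubaSwitchNG Disconnect-Request keyed on Acct-Session-Id), built on the wire as an added example. This is not PacketFence code, Aruba code, or a real switch: the attributes are encoded by hand per RFC 2865 and the codes and authenticators follow RFC 5176, and `switch_model` is a constructed stand-in that replies the way the thread reports the switch replying, nothing more. Assumptions: the HP-Port-Bounce-Host VSA number (23 under HP vendor id 11) is taken from the FreeRADIUS `dictionary.hp` as I remember it; the shared secret, NAS IP and session values are constructed to resemble the masked dumps above; whether a real switch NAKs a Disconnect-Request without Acct-Session-Id is not covered by the thread and is not modelled.

```python
import hashlib
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865/2866/2869/5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, VENDOR_SPECIFIC = 1, 4, 5, 26
CALLING_STATION_ID, ACCT_SESSION_ID, NAS_PORT_ID, ERROR_CAUSE = 31, 44, 87, 101
ERROR_INVALID_REQUEST = 404
HP_VENDOR_ID = 11               # IANA enterprise number used by HP/Aruba switch VSAs
HP_PORT_BOUNCE_HOST = 23        # assumption: VSA number as in FreeRADIUS dictionary.hp
SECRET = b"constructed-secret"  # constructed shared secret for this example

def attr(atype, value):
    """Plain RADIUS TLV: type, length (header bytes included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def int_attr(atype, n): return attr(atype, struct.pack("!I", n))
def str_attr(atype, s): return attr(atype, s.encode())
def ip_attr(atype, dotted): return attr(atype, bytes(int(o) for o in dotted.split(".")))

def hp_vsa(vendor_type, n):
    """Vendor-Specific (26): vendor id, then inner vendor type / length / value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBBI", HP_VENDOR_ID, vendor_type, 6, n))

def build_packet(code, pkt_id, attrs, secret, request_auth=None):
    """RFC 5176 2.3: a request hashes 16 zero bytes in the authenticator slot;
    a reply hashes the request's authenticator in that slot instead."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, pkt_id, 20 + len(body))
    seed = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + seed + body + secret).digest() + body

def parse_attrs(body):
    """Return [(type, value)]; a VSA becomes ('vsa', vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        value = body[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            out.append(("vsa", vendor, value[4], value[6:value[5] + 4]))
        else:
            out.append((atype, value))
        i += alen
    return out

def switch_model(packet, secret):
    """Constructed stand-in for the 2930M replies reported in this thread, not
    the switch's real code. Returns the reply, or None when the request
    authenticator does not verify (a real NAS silently drops such requests)."""
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    req_auth, body = packet[4:20], packet[20:length]
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != req_auth:
        return None
    attrs = parse_attrs(body)
    present = {a[0] for a in attrs}
    bounce = any(a[0] == "vsa" and a[1:3] == (HP_VENDOR_ID, HP_PORT_BOUNCE_HOST) for a in attrs)
    if code == COA_REQUEST:
        if bounce and NAS_PORT not in present:  # NAS-Port-Id alone gets CoA-NAK Invalid-Request
            return build_packet(COA_NAK, pkt_id, [int_attr(ERROR_CAUSE, ERROR_INVALID_REQUEST)],
                                secret, req_auth)
        return build_packet(COA_ACK, pkt_id, [], secret, req_auth)
    if code == DISCONNECT_REQUEST and ACCT_SESSION_ID in present:  # the ArubaSwitchNG path
        return build_packet(DISCONNECT_ACK, pkt_id, [], secret, req_auth)
    raise ValueError("request shape not covered by this model")

def reply_error_cause(reply):
    causes = [struct.unpack("!I", a[1])[0] for a in parse_attrs(reply[20:]) if a[0] == ERROR_CAUSE]
    return causes[0] if causes else None

def reply_authenticator_ok(request, reply, secret):
    return hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() == reply[4:20]

def common_attrs():  # constructed values shaped like the masked dumps in the thread
    return [str_attr(USER_NAME, "6899cdxxxxxx"), str_attr(CALLING_STATION_ID, "68-99-cd-xx-xx-xx"),
            ip_attr(NAS_IP_ADDRESS, "192.0.2.10")]

def bounce_request(port_attr, port=37, seconds=12, pkt_id=1):
    """port_attr is NAS_PORT_ID (what the 2930M module sent) or NAS_PORT (what works)."""
    port_tlv = str_attr(NAS_PORT_ID, str(port)) if port_attr == NAS_PORT_ID else int_attr(NAS_PORT, port)
    return build_packet(COA_REQUEST, pkt_id,
                        common_attrs() + [port_tlv, hp_vsa(HP_PORT_BOUNCE_HOST, seconds)], SECRET)

def disconnect_request(session_id="001100000025", pkt_id=2):
    return build_packet(DISCONNECT_REQUEST, pkt_id,
                        common_attrs() + [str_attr(ACCT_SESSION_ID, session_id)], SECRET)

def run_exchange(request):
    """Hand the request to the model; return (reply code, Error-Cause or None)."""
    reply = switch_model(request, SECRET)
    if reply is None or not reply_authenticator_ok(request, reply, SECRET):
        raise RuntimeError("request dropped or reply authenticator forged")
    return reply[0], reply_error_cause(reply)

if __name__ == "__main__":
    print(run_exchange(bounce_request(NAS_PORT_ID)))  # (45, 404): CoA-NAK, Invalid-Request
    print(run_exchange(bounce_request(NAS_PORT)))     # (44, None): CoA-ACK
    print(run_exchange(disconnect_request()))         # (41, None): Disconnect-ACK
```

The one-byte difference that matters is visible in `bounce_request`: NAS-Port (type 5) is a 4-byte integer, NAS-Port-Id (type 87) is a string, so a CoA profile that emits `NAS-Port-Id = 37` puts the port number in an attribute the switch does not use for session identification. `reply_authenticator_ok` is the check a CoA client should always perform before acting on a CoA-ACK, since the reply is otherwise trivially spoofable by anyone who can reach the UDP port.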