inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Aruba 2930M perl module - CoA request fails #6371

Open effertzdv opened 3 years ago

effertzdv commented 3 years ago

Describe the bug

RADIUS CoA request sent to Aruba 2930 always failed (COA-Nak received).

To Reproduce

Steps to reproduce the behavior:

  1. Send a COA request (e.g. triggered by bandwidth limit exceeded) to a 2930 running ArubaOS 16.09.
  2. A COA-Nak is always received; the port is not bounced.

Expected behavior

Receive a COA-Ack, and the port should be bounced for 12 seconds.

Additional context

Changing the COA item NAS-Port-Id to NAS-Port returned the expected COA-Ack and the switch port was bounced as expected. See the Aruba 2930F / 2930M Access Security Guide for ArubaOS-Switch 16.10 (https://asp.arubanetworks.com/downloads/documents/RmlsZTo1MDk5ODgzYS0xOTk4LTExZWItODlmNS05YmMwYzMwODM4ZDU%3D), page 152, for details: NAS-Port-Id should be NAS-Port.

nqb commented 3 years ago

Hello @effertzdv,

Thanks for your report.

When I created the Aruba Switch NG switch template, tested on an Aruba 2530 with Aruba OS 16.10, I had difficulty making RADIUS disconnect work correctly. So this switch template doesn't use NAS-Port for RADIUS disconnect but relies on Acct-Session-Id. However, it requires accounting to be configured on the switch. Also, there is no CoA scope for this switch template, only a disconnect scope.

Do you want to submit a patch for the Aruba 2930M Perl module?

If you agree, you can also do some tests on the Aruba Switch NG switch template (directly in the web admin) and report your results.

effertzdv commented 3 years ago

Hi @nqb,

I'm no Perl expert, but after a short peek it looks like only a single line needs to be changed.

The 2530 should accept the same CoA Request to bounce a port. At least the Management Guide for the 2530 shows the same CoA profile settings as for the 2930F/M (page 213).

I will go ahead and try to create my first patch ;)

nqb commented 3 years ago

Just to avoid any confusion: are you trying to bounce a port using CoA, or just trigger a new RADIUS request using CoA?

effertzdv commented 3 years ago

Generally speaking I have no preference; both are OK for me as an action when a security event is triggered. In fact I am using the 2930M Perl module.

I saw the CoA-Nak responses in the audit log when my test node reached the bandwidth limit, so I took a packet trace. In these requests the HPE-Bounce-Host-Port attribute was set, but it didn't work because the NAS-Port attribute was missing.

I haven't seen any request with a session id (Acct-Session-Id).

Did a quick test: I changed the switch type from Aruba::2930M to Aruba::ArubaSwitchNG. Now a CoA disconnect packet is sent and acknowledged by the switch when the Bandwidth Limit security event is triggered.

For whatever reason the Aruba::2930M module sends a CoA bounce request when the same security event is triggered (which fails):

RADIUS Request
Calling-Station-Id = 68-99-cd-xx-xx-xx "
User-Name = 6899cdxxxxxx "
**NAS-Port-Id = 37 "**
NAS-IP-Address = 19x.1xx.xx.xxx",HP-Port-Bounce-Host = 12

RADIUS Reply
Event-Timestamp = 1621529159 "
Code = CoA-NAK "
**Error-Cause = Invalid-Request**

Note: Using radclient to replay that same request, but changing NAS-Port-Id to NAS-Port worked.

The ArubaSwitchNG sends a disconnect request in the same situation:

RADIUS Request
Acct-Session-Id = 001100000025 "
NAS-IP-Address = 192.xxx.xx.xxx "
Calling-Station-Id = 68-99-CD-xx-xx-xx "
User-Name = 6899cdxxxxxx",

RADIUS Reply
Acct-Terminate-Cause = Admin-Reset "
Event-Timestamp = 1621527970 "
Code = Disconnect-ACK

I will use the ArubaSwitchNG for now and try to fix the 2930M module.
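The two request shapes in the traces above, as an added example that is not PacketFence's Perl module: it encodes an RFC 5176 CoA-Request with the standard attributes from the thread (the HP port-bounce VSA is left out), shows that NAS-Port is an integer attribute while NAS-Port-Id is a string, and checks a reply's Response Authenticator before reading its Error-Cause. The MAC, IP address and shared secret are constructed placeholders.

```python
# Added example, not PacketFence code: build an RFC 5176 CoA-Request with the thread's
# attribute set (HP port-bounce VSA left out) and classify the reply. MAC/IP/secret are placeholders.
import hashlib
import struct
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Calling-Station-Id": 31,
        "Acct-Session-Id": 44, "NAS-Port-Id": 87, "Error-Cause": 101}  # RFC 2865/5176 numbers
INTEGER_ATTRS = {"NAS-Port", "Error-Cause"}      # encoded as 4-byte big-endian integers
ERROR_CAUSE = {404: "Invalid-Request", 503: "Session-Context-Not-Found"}  # RFC 5176 s.3.5

def encode_avp(name, value):
    """TLV: port 37 is 05 06 00 00 00 25 as NAS-Port but 57 04 33 37 as NAS-Port-Id."""
    if name in INTEGER_ATTRS:
        payload = struct.pack("!I", int(value))
    elif name == "NAS-IP-Address":
        payload = bytes(int(octet) for octet in value.split("."))
    else:
        payload = str(value).encode()
    return struct.pack("!BB", ATTR[name], 2 + len(payload)) + payload

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Authenticator = MD5(Code+ID+Length+A+Attrs+Secret); A is 16 zero octets for a
    request and the request's own authenticator for a reply (RFC 5176 section 3)."""
    body = b"".join(encode_avp(n, v) for n, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_attrs(packet):
    """{attribute type: raw value} for everything after the 20-byte header."""
    out, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:   # stop on a malformed length
        atype, alen = packet[pos], packet[pos + 1]
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out

def reply_status(reply, request, secret):
    """('ACK'|'NAK'|'BAD-AUTH', Error-Cause name or None) for a CoA reply."""
    if hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() != reply[4:20]:
        return "BAD-AUTH", None              # not authenticated by the shared secret
    if reply[0] == COA_ACK:
        return "ACK", None
    cause = parse_attrs(reply).get(ATTR["Error-Cause"])
    return "NAK", ERROR_CAUSE.get(struct.unpack("!I", cause)[0], "Unknown") if cause else None

SECRET = b"constructed-secret"
COMMON = [("Calling-Station-Id", "68-99-cd-00-00-01"), ("User-Name", "6899cd000001"),
          ("NAS-IP-Address", "192.0.2.10")]
REQ_PORT_ID = build_packet(COA_REQUEST, 7, COMMON + [("NAS-Port-Id", "37")], SECRET)  # 2930M shape
REQ_PORT = build_packet(COA_REQUEST, 7, COMMON + [("NAS-Port", 37)], SECRET)          # accepted shape
```

Comparing `parse_attrs(REQ_PORT_ID)` with `parse_attrs(REQ_PORT)` shows the only difference between the two requests is attribute 87 carrying the string `37` versus attribute 5 carrying the integer 37.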

fdurand commented 3 years ago

Weird, I did the code based on switch version WC.16.08.0018, and NAS-Port-Id was the only way to make it work.

nqb commented 3 years ago

I tried to solve this issue by creating a new switch template which:

to send disconnect messages, but I hit the following limitation: #6434

Until this issue is solved, anyone can switch to the Aruba Switch NG switch template and enable accounting on the switch. RADIUS Disconnect will work.