WLC WLAN Authentication from External RADIUS Server

Ahmed Ayaad
Level 1

Dears,

How do I make the WLC receive a PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients?

Thanks,

4 Replies

edwjames
Level 3

Ahmed,

Here is the wireless controller side of it if this is a Cisco one:

config radius auth rfc3576 {enable | disable} index

Enables or disables RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Thanks for the reply, but I mean: which message can the external RADIUS server send to the Wireless LAN Controller to disconnect a client session?

Thanks,

Hi Ahmed,

It's not documented well, but here it is:

CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)

. If a user has to be logged out, the following attributes are expected:
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value: SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
  - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, Phone or PC)
  - SSH_RADIUS_AVP_USER_NAME(1)

. If a management user has to be logged out, the following attributes are expected:
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value: SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE OR SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
  - SSH_RADIUS_AVP_USER_NAME(1)
  - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)

E.g.:

*Dec 17 12:59:08.926:   Packet contains 14 AVPs:
*Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
*Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
*Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
*Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
*Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)

*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0

*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044:   Packet contains 6 AVPs:
*Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

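The exchange Ed describes across his two replies (RFC 3576 enabled on the controller, then a Disconnect-Request carrying User-Name, Calling-Station-Id and Service-Type = Login, answered by a Disconnect-ACK or by a Disconnect-NAK with an Error-Cause such as the 503 in the debug above), written out as an added Python example. This is not part of the thread and not Cisco or WLC code. The shared secret, session table, user name and station ID are constructed test data, and the toy NAS's session lookup is an assumption that illustrates the session-identification check, not the controller's actual implementation; the packet layout and authenticator computations follow RFC 2865/5176.

```python
"""RFC 3576/5176 Disconnect-Request (Packet of Disconnect) from both sides:
the RADIUS-server side that builds, sends and verifies the reply, and a toy
NAS side that checks the authenticator and session attributes before replying.
Added example for this thread, not Cisco or WLC code; all data is constructed."""
import hashlib
import hmac
import os
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, ERROR_CAUSE = 1, 6, 31, 101
SERVICE_TYPE_LOGIN = 1                  # value Ed's reply says the WLC expects
ERR_SESSION_CONTEXT_NOT_FOUND = 503     # Error-Cause seen in the NAK debug above

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; ints become 4-byte big-endian integers."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, l = struct.unpack("!BB", blob[i:i + 2])
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs

def build_disconnect_request(secret, ident, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def verify_request(secret, pkt):
    """What the NAS must check before acting: sane length, authenticator matches."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def build_response(secret, code, request, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def nas_handle(secret, sessions, pkt):
    """Toy NAS (assumed logic, not the WLC's): silently drop a request whose
    authenticator fails (RFC 5176), then match the session by User-Name +
    Calling-Station-Id with Service-Type = Login. Unknown session -> NAK 503."""
    if not verify_request(secret, pkt):
        return None
    attrs = dict(decode_attrs(pkt[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    station = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    raw = attrs.get(SERVICE_TYPE, b"")
    svc = struct.unpack("!I", raw)[0] if len(raw) == 4 else None
    if svc == SERVICE_TYPE_LOGIN and (user, station) in sessions:
        sessions.remove((user, station))
        return build_response(secret, DISCONNECT_ACK, pkt)
    return build_response(secret, DISCONNECT_NAK, pkt,
                          [(ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)])

def parse_response(secret, request, pkt):
    """Server side: check ID and Response Authenticator, return (code, Error-Cause)."""
    code, ident = pkt[0], pkt[1]
    expected = hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("response ID or authenticator does not match the request")
    attrs = dict(decode_attrs(pkt[20:]))
    cause = struct.unpack("!I", attrs[ERROR_CAUSE])[0] if ERROR_CAUSE in attrs else None
    return code, cause

def send_pod(nas_ip, secret, user, station, port=3799, timeout=3.0):
    """Send one PoD to a real NAS (the WLC listens on UDP 3799), return (code, cause)."""
    req = build_disconnect_request(secret, os.urandom(1)[0], [
        (USER_NAME, user), (CALLING_STATION_ID, station),
        (SERVICE_TYPE, SERVICE_TYPE_LOGIN)])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_ip, port))
        resp, _ = s.recvfrom(4096)
    return parse_response(secret, req, resp)
```

Against a real controller, `send_pod("10.0.71.251", b"<shared secret>", "user@domain", "10.0.63.27")` would reproduce the request in Ed's debug; the Calling-Station-Id value must be whatever the controller itself reported in accounting (an IP address in that debug, not a MAC), otherwise the session lookup fails and you get the NAK. Two security points the code makes visible: the only thing authenticating a disconnect or CoA request is an MD5 over the packet keyed with the shared secret, so the NAS must verify it and should accept such requests only from its configured RADIUS server addresses; and that authenticator gives no replay protection by itself, which is why RFC 5176 adds Event-Timestamp for that purpose.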

Hello, Ed!

What is the format of messages for CoA? I've added User-Name and Service-Type, but the WLC wants something else:

*radiusRFC3576TransportThread: Sep 09 18:48:18.990: Invalid attributes received in 'RFC-3576 CoA-Request' from 11.1.7.240