topic WLC WLAN Authentication from External RADIUS Server in Network Access Control

WLC WLAN Authentication from External RADIUS Server

Ahmed Ayaad — Mon, 11 Mar 2019 04:11:29 GMT

Dears,

How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.

Thanks,

WLC WLAN Authentication from External RADIUS Server

edwjames — Mon, 16 Dec 2013 11:51:00 GMT

Ahmed,

Here is the wireless controller side of it if this is a Cisco one:

config radius auth rfc3576 {enable

disable

}

index

—Enables or disables RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately where CoA messages modify session authorization attributes such as data filters.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

WLC WLAN Authentication from External RADIUS Server

Ahmed Ayaad — Mon, 16 Dec 2013 13:35:26 GMT

thanks for reply but i mean which message External Radius Server can sent to Wireless Lan Controller to disconnect Client Session.

Thanks,

Re: WLC WLAN Authentication from External RADIUS Server

edwjames — Tue, 17 Dec 2013 00:12:07 GMT

Hi Ahmed,

Its not documented well, but here is it:

CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)

. If a user has to be logged out then, following attributes are expected
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
         SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
       - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if 
              we want to delete  particular user  session via particular device 
              (like PDA, Phone or PC)

       - SSH_RADIUS_AVP_USER_NAME(1)

. If a management user has to be logged out then, following attributes
are expected
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
  - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE 
                      OR
   - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
   - SSH_RADIUS_AVP_USER_NAME(1)
   - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)

Eg:

*Dec 17 12:59:08.926:   Packet contains 14 AVPs:

*Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)

*Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)

*Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)

*Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)

*Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)

*Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)

*Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)

*Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)

*Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)

*Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)

*Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)

*Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)

*Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)

*Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)

 

*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0

*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249

*Dec 17 12:59:34.044:   Packet contains 6 AVPs:

*Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)

*Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)

*Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)

*Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)

*Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)

*Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)

*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)

*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799

*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

Hello, Ed!What is the format

ivan.yarygin — Tue, 09 Sep 2014 14:58:12 GMT

Hello, Ed!

What is the format of messages for CoA? I've added User-Name and Service-Type, but WLC wants somewhat other:

*radiusRFC3576TransportThread: Sep 09 18:48:18.990: Invalid attributes received in 'RFC-3576 CoA-Request' from 11.1.7.240