topic Re: COA messages troubleshooting in Wireless

COA messages troubleshooting

Alexs20 — Tue, 24 Oct 2023 17:54:55 GMT

Hi everybody

I have a question about CoA messages.

I am following this document:

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html

And my question is about how can I troubleshoot the reason for not answering to CoA messages?

For example, when I am targeting session that does not exist already, instead of return NAK the access point just keep silence, and on my side i have zero knowledge about what went wrong, it because of time drift? or maybe network problem? or i am sending bad message.

The Log/Events section in Meraki Cloud is also keep full silence about what is going on and why AP is not answering.

How can I troubleshoot such cases and force the AP to respond? Is it possible to just send a test Coa to AP just to make sure that at least no problems in the network? Any PONG-PONG coa message? Anything?

Thanks.

Re: COA messages troubleshooting

Raphael_L — Tue, 24 Oct 2023 17:57:43 GMT

Are you sure that the CoA is reaching your APs ? Can you see it with a LAN packet capture ?

Re: COA messages troubleshooting

aleabrahao — Tue, 24 Oct 2023 18:00:23 GMT

What exactly do you want to solve, can you give more details about your scenario? Authentication type for example.

Re: COA messages troubleshooting

Alexs20 — Tue, 24 Oct 2023 18:03:56 GMT

Yes. When I am targeting a real session then I am getting the AK message back.

Re: COA messages troubleshooting

Alexs20 — Tue, 24 Oct 2023 18:07:30 GMT

I am trying to find a way to test that my messages are reaching the AP without using any session for that.

Imagine I have a site with 100 APs installed. And I want to send "TEST" COA to all of them and see if I get response from all of them - just to make sure that there is no issues with passing UDP traffic from my service to all APs.

Re: COA messages troubleshooting

aleabrahao — Tue, 24 Oct 2023 18:10:20 GMT

Maybe it can help a little.

https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Re: COA messages troubleshooting

Alexs20 — Tue, 24 Oct 2023 19:00:06 GMT

Yeah, I know how CoA and Disconnects work. And from my experience there is a way to implement what I am trying to do. The proper way to do that is to send CoA with either Calling-Station-Id or Acct-Session-Id set mac address that does not exist, like 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF, and in that case, if the remote device implemented the CoA protocol correctly, the device will respond with NAK and message saying that Session context not found...

But looks like Meraki is again trying to invent their own rules and instead of just sending the NAK ignoring the request

Re: COA messages troubleshooting

Raphael_L — Tue, 24 Oct 2023 19:03:10 GMT

Is it referenced in the RFC ? If so , open a case. Else , that might be "expected"

Re: COA messages troubleshooting

aleabrahao — Tue, 24 Oct 2023 19:15:16 GMT

It seems like you always have an answer ready, well in your case I suggest opening a support case.

Re: COA messages troubleshooting

Alexs20 — Tue, 24 Oct 2023 19:37:06 GMT

yeah, I am a getting all that a bit emotionally because this is not the first "anomaly" that i see, and because of the time limits that i have to finish the integration i cannot play with support cases and wait for fixes and make another try, i need the solution asap, and every time i change the direction and trying to go around the problem i am hitting another wall.

--EDIT--

I am also sure for 99.999% that any my request to support will end up with response that this is how it is designed to be, already tried with several cases, so just a wasting of time, if it doesn't work as expected, then ok, it doesn't work... 😕

Re: COA messages troubleshooting

Rasmus Hoffmann Birkelund — Wed, 25 Oct 2023 09:05:12 GMT

If you enable RADIUS testing on the SSID, the APs will regularly be sending an Access-Request with "meraki_802.1x_test" identity. A test is considered succesful if the AP gets any response (Challenge, Accept/Reject). If no response is provided for the Access-Request, a failure is considered, and the Dashboard will raise an Alert. This is all described per documentation; https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X_Failure

But, as I understand, rather than relying on Meraki RADIUS testing form AP to RADIUS server, you'd rather like to send a CoA to the AP instead, inorder to test connectivity? I'm not familiar with the RFC, so I'll take your word that if a CoA is sent, the AP ought to respond with a NAK whether or not the CoA is valid or not, and use this to monitor connectivity to the APs?

What type of encryption is your SSID using?

Also, according to the CoA documentation (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points) it's recommended to enable Cisco ISE, regardless if you're using ISE or not, for CoA.