01-13-2025 01:39 AM
Hi all,
I am currently deploying 802.1X in my company and I’m trying to figure out how to disconnect a user via the Wi-Fi network. My main question is that I can’t find anything in the documentation regarding the Cisco SG 550X-48P switch supporting PoD (Packet of Disconnect) or CoA (Change of Authorization).
I don’t understand why it’s stated that the switch supports 802.1X, but there is no mention at all of these important protocols. These features aren’t even listed, while the documentation explains each command in detail. I am looking for an alternative command or approach to achieve this, as it’s not addressed at all in the documentation.
Is my request clear, or is something unclear here? Any help or insight would be greatly appreciated! Is there an alternative command, or is this just not supported by the switch?
Thanks!
01-13-2025 01:54 AM - edited 01-13-2025 01:54 AM
The datasheet does not explicitly mention CoA, but it mentions dynamic VLAN assignment, which uses CoA.
IEEE 802.1X (authenticator role) | RADIUS authentication and accounting, MD5 hash, guest VLAN, unauthenticated VLAN, single/multiple host mode, and single/multiple sessions; supports time-based 802.1X dynamic VLAN assignment
01-13-2025 02:03 AM
In contrast to @Flavio Miranda, I don't see any CoA here. The initial dynamic VLAN is assigned without CoA. Only if there has to be a VLAN change, CoA is needed. But this is probably not a Small Business Use Case.
Then you mention that you want to do the disconnect for Wi-Fi users but only mention a switch. In case it is not Wi-Fi but a wired use case, you likely could achieve the same result with SNMP.
01-13-2025 02:29 AM
Hello, thanks for your reply, but it seems that FreeRADIUS does not support SNMP, if I’m not mistaken. The native SNMP support in FreeRADIUS version 2 and later is broken. According to the documentation, there is an option to obtain information about the server's status and statistics via the status server, but this is not the same as SNMP. It is possible to use a Perl script as an interface to act as an SNMP sub-agent via the AgentX protocol, but this is not a native or directly supported solution by FreeRADIUS.
Regarding the SNMP documentation on native SNMP support in FreeRADIUS version 2: I haven't tried using the Perl module. Could you provide more details on how SNMP can be used to deauthenticate a user?
01-13-2025 02:56 AM
If you want to reauthenticate the Wi-Fi user, you have to send the CoA to your Controller or AP, whichever did the authentication. The Switch is only relevant for wired clients. If there is a "Reauthenticate now" button on the switch, it is not meant to be CoA because this authentication can be directly triggered by the Authenticator. CoA is intended to be triggered by the authentication server to the authenticator. And again: The switch is the Authenticator for wired clients, the Controller/AP is the Authenticator for wireless clients.
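To make the direction described above concrete, here is an added example (not code from any poster or from FreeRADIUS) that builds a minimal RFC 5176 Disconnect-Request, sends it to the authenticator, and verifies the Disconnect-ACK/NAK that comes back. The NAS address, shared secret, and user name are assumed placeholders; `fake_nas_reply` is a constructed stand-in for the authenticator so the packet logic can be checked offline.

```python
import hashlib
import os
import socket
import struct

# RFC 5176 packet codes and the one attribute this example sends
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME = 1


def encode_attr(atype, value):
    # RADIUS AVP layout: Type (1 octet), Length (1 octet, incl. header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect_request(secret, ident, username):
    """Disconnect-Request: Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, request, response):
    """Return 41 (ACK) or 42 (NAK) if the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) checks out,
    otherwise None (wrong secret, wrong ID, or a forged/garbled reply)."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if expected == response[4:20] else None


def send_disconnect(nas_host, secret, username, port=3799, timeout=3):
    # Send to the device that authenticated the session: the AP/controller for
    # Wi-Fi clients, the switch only for wired clients. UDP 3799 is the RFC 5176 port.
    req = build_disconnect_request(secret, os.urandom(1)[0], username)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_host, port))
        resp, _ = s.recvfrom(4096)
    return verify_response(secret, req, resp)


def fake_nas_reply(secret, request, ack=True):
    # Constructed reply for offline testing; mirrors how a NAS signs its answer.
    header = struct.pack("!BBH", DISCONNECT_ACK if ack else DISCONNECT_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

FreeRADIUS's own `radclient` sends the same packet type (`echo "User-Name=alice" | radclient <ap-or-controller>:3799 disconnect <secret>`), so the request must be pointed at the AP or controller, not at the switch the AP is cabled to.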
01-13-2025 03:20 AM
Thank you for your response, but I would like to clarify a few things.
In my setup, the Aruba P22 AP is connected to the Cisco SG 550X switch, and the switch communicates with the FreeRADIUS server. I understand that for Wi-Fi clients, the AP (or controller) acts as the authenticator, and for wired clients, the switch is the authenticator.
Regarding the CoA request, I believe there may have been some confusion. Since the AP is connected to the switch, when I send a CoA request from FreeRADIUS, it should go through the switch to reach the AP, as the AP is directly linked to it.
That being said, I will further investigate how to trigger a CoA or PoD request directly from the AP, as it seems that sending it from FreeRADIUS to the AP through the switch can be the correct approach. I now need to find out whether I have a console command or something similar on my Aruba; I don't think so.
I appreciate your insights and will look into this further.
01-13-2025 02:07 AM
Sorry, but you mention a Wi-Fi user and then ask about the switch.
Can you elaborate more?
MHM
01-13-2025 02:18 AM - edited 01-13-2025 02:22 AM
Hi all,
Just to clarify, I have FreeRADIUS, a Cisco SG 550X-48P switch, and an Aruba P22 access point. I am using dynamic EAP-TLS authentication, and VLANs are being assigned dynamically based on AD groups via LDAP, which works correctly for both Wi-Fi and Ethernet connections.
What I’m trying to do now is disconnect a specific user from the Wi-Fi network. I came across the "Reauthenticate Now" button on the switch, which works, but it does not seem to utilize PoD (Packet of Disconnect) or CoA (Change of Authorization) as I initially thought. When I tried sending a CoA request from the RADIUS server, it didn’t work, and that’s when I attempted to send a disconnect request directly from the switch. However, I couldn’t find any relevant command for that in the documentation.
The issue with the "Reauthenticate Now" button is that it does not actually trigger PoD or CoA, but instead simply forces a reauthentication of the client, which doesn’t achieve the same result as disconnecting or deauthorizing the user from the network. Furthermore, the "Reauthenticate Now" button works only for wired connections, and to disconnect a Wi-Fi user, I would first need to revoke the user's certificate, then "reenable" authentication using the button.
I also tried reauthenticating on the port where my Aruba P22 is connected, but it doesn’t seem to reauthenticate the users, possibly due to the fact that the authorization timeout is set to 1 hour.
As I work in a fairly large company, this approach doesn’t solve the problem for Wi-Fi users, and it’s quite time-consuming to implement for every user.
I’ve reviewed the switch documentation thoroughly, but I didn’t find any mention of PoD or CoA functionality. Could you confirm whether there is any other way to disconnect a Wi-Fi user or if these features are simply not supported by the switch?
Thanks for your help!
01-13-2025 07:57 AM
Note: I contacted Aruba support, and I don't have a CLI to run commands directly on the Aruba.