COA messages troubleshooting

Alexs20
Level 2

Hi everybody

I have a question about CoA messages.

I am following this document:

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html

And my question is: how can I troubleshoot the reason for not getting an answer to CoA messages?

For example, when I am targeting a session that does not exist, instead of returning a NAK the access point just keeps silent, and on my side I have zero knowledge about what went wrong. Is it because of time drift? Or maybe a network problem? Or am I sending a bad message?

The Log/Events section in the Meraki Cloud also keeps completely silent about what is going on and why the AP is not answering.

How can I troubleshoot such cases and force the AP to respond? Is it possible to just send a test CoA to the AP to make sure that at least there are no problems in the network? Any PING-PONG CoA message? Anything?

Thanks.

10 Replies

Raphael_L
Meraki Community All-Star

Are you sure that the CoA is reaching your APs? Can you see it with a LAN packet capture?

Yes. When I am targeting a real session then I am getting the ACK message back.

aleabrahao
Meraki Community All-Star

What exactly do you want to solve, can you give more details about your scenario? Authentication type for example.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I am trying to find a way to test that my messages are reaching the AP without using any session for that.

Imagine I have a site with 100 APs installed, and I want to send a "TEST" CoA to all of them and see if I get a response from all of them, just to make sure that there are no issues with passing UDP traffic from my service to all APs.

aleabrahao
Meraki Community All-Star

Maybe it can help a little.

https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/


Yeah, I know how CoA and Disconnects work. And from my experience there is a way to implement what I am trying to do. The proper way to do that is to send a CoA with either Calling-Station-Id or Acct-Session-Id set to a MAC address that does not exist, like 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF, and in that case, if the remote device implemented the CoA protocol correctly, the device will respond with a NAK and a message saying that the Session context was not found...

But it looks like Meraki is again trying to invent their own rules and, instead of just sending the NAK, is ignoring the request.
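A way to run the probe described above, written as an added example for this thread (it is not code from the original poster, nor a Meraki or Cisco tool): it builds a RADIUS CoA-Request per RFC 5176 with Calling-Station-Id set to the all-zero MAC, verifies the Response Authenticator of whatever comes back so a spoofed or wrong-secret reply is not mistaken for a real one, and reports the Error-Cause, so a silent timeout can be told apart from a proper NAK. The shared secret, AP address and the standard CoA port 3799 are assumptions for the example.

```python
import hashlib, os, socket, struct
# Packet codes, attribute types and Error-Cause values from RFC 5176 (Dynamic Authorization for RADIUS)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 31, 101
ERROR_CAUSE_NAMES = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request",
                     501: "Administratively Prohibited", 503: "Session Context Not Found"}

def encode_avp(attr_type, value):
    """Type/Length/Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(secret, code, identifier, attrs, request_auth=None):
    """Request authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret); a reply from the
    NAS uses the request's authenticator in place of the 16 zero bytes (RFC 5176 section 3)."""
    body = b"".join(encode_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + (request_auth or bytes(16)) + body + secret).digest()
    return header + auth + body

def parse_reply(secret, request, reply):
    """Check identifier, length and Response Authenticator, then return (code, {type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply) or length < 20:
        raise ValueError("identifier/length mismatch")
    if hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() != reply[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    attrs, pos = {}, 20
    while pos < length:
        t, l = reply[pos], reply[pos + 1]
        if l < 2 or pos + l > length: raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(reply[pos + 2:pos + l])
        pos += l
    return code, attrs

def describe(code, attrs):
    if code == COA_ACK:
        return "ACK"
    cause = struct.unpack("!I", attrs[ATTR_ERROR_CAUSE][0])[0] if ATTR_ERROR_CAUSE in attrs else None
    return f"NAK ({ERROR_CAUSE_NAMES.get(cause, cause)})"

def probe(host, secret, port=3799, timeout=2.0):
    """Send a CoA-Request for a MAC that cannot exist; a compliant NAS answers CoA-NAK / Error-Cause 503."""
    req = build_packet(secret, COA_REQUEST, os.urandom(1)[0], [(ATTR_CALLING_STATION_ID, b"00-00-00-00-00-00")])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout); s.sendto(req, (host, port))
        try:
            return describe(*parse_reply(secret, req, s.recvfrom(4096)[0]))
        except socket.timeout:
            return "timeout"  # the case the original poster sees: no reply at all
```

Run `probe("192.0.2.10", b"shared-secret")` (placeholder address and secret) against each AP and treat anything other than "NAK (Session Context Not Found)" as a finding; a packet capture on the AP's LAN segment, as suggested earlier in the thread, confirms whether the request even arrived.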

Raphael_L
Meraki Community All-Star

Is it referenced in the RFC? If so, open a case. Else, that might be "expected".

aleabrahao
Meraki Community All-Star

It seems like you always have an answer ready, well in your case I suggest opening a support case.


Yeah, I am getting all that a bit emotional because this is not the first "anomaly" that I see, and because of the time limits I have to finish the integration I cannot play with support cases, wait for fixes and make another try. I need the solution ASAP, and every time I change direction and try to go around the problem I hit another wall.

--EDIT--

I am also 99.999% sure that any request of mine to support will end up with the response that this is how it is designed to be. I have already tried with several cases, so it is just a waste of time. If it doesn't work as expected, then OK, it doesn't work... 😕

Rasmus Hoffmann Birkelund
Meraki Community All-Star

If you enable RADIUS testing on the SSID, the APs will regularly send an Access-Request with the "meraki_802.1x_test" identity. A test is considered successful if the AP gets any response (Challenge, Accept/Reject). If no response is provided for the Access-Request, it is considered a failure, and the Dashboard will raise an Alert. This is all described in the documentation: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X_Failure

But, as I understand it, rather than relying on Meraki RADIUS testing from the AP to the RADIUS server, you'd rather send a CoA to the AP instead, in order to test connectivity? I'm not familiar with the RFC, so I'll take your word that if a CoA is sent, the AP ought to respond with a NAK whether or not the CoA is valid, and you want to use this to monitor connectivity to the APs?

What type of encryption is your SSID using?

Also, according to the CoA documentation (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points) it's recommended to enable Cisco ISE, regardless if you're using ISE or not, for CoA.
