Hi,
We have a cnMaestro On-Premises 2.2 running on Azure with a public IP address. Everything is working fine, with an External Captive Portal and an External RADIUS Server. cnMaestro is working as a RADIUS Proxy, and all the RADIUS AAA is working fine. However, we are in trouble because we are not able to make the RADIUS CoA work.
I have followed the following document (that BTW is very well explained):
As explained in the document, for example for a CoA Disconnect:
"Here is the list of attributes which cnPilot AP expects in a CoA or Disconnect Request :
- User name
- NAS-IP-Address
- Calling Station ID"
Considering this, our problem is that we are not able to get the NAS-IP-Address in our scenario, so we cannot send CoA Disconnects.
Our scenario is simple:
- CnMaestro on premises running on a VM with a Public IP Address
- RADIUS Server running in another VM with another Public IP Address
- AP in our Lab, with 192.168.1.100 private address, managed by cnMaestro. Bridge mode, no NAT to the users.
- Mobile in our Lab, connected to that AP, with 192.168.1.56.
As per the documentation, we have to obtain the NAS-IP-Address, but this info is not arriving.
These are the complete RADIUS transaction messages when a user connects to the WiFi:
1) Access-Request. cnMaestro to Radius Server message
RADIUS Authentication transaction
Client address [cnMaestro-Public-Address]
NAS address [10.129.12.242] ---> What is this IP? This is not our local IP address. Is it an alias?
User = CAMBIUM_F6P3G
Code = Access request
Called-Station-Id = 58-C1-7A-9C-**-**:CAMBIUM_HOTSPOT2 --> MAC and SSID of the AP
NAS-IP-Address = 10.129.12.242
.................
2) Access-Accept. Radius Server to cnMaestro message
RADIUS Accounting transaction
Client address [cnMaestro-Public-Address]
NAS address [10.129.12.242]
User = CAMBIUM_F6P3G
Code = Access accept
Session-Timeout = 172800
Bandwidth-Max-Down = 10000000
Bandwidth-Max-Up = 10000000
CAMB-WIFI-QUOTA-TOTAL = 104857600
Acct-Interim-Interval = 30
Idle-Timeout = 900
CAMB-WIFI-QUOTA-TOTAL-GIGAWORD = 5
Proxy-State = 0x00000FC635383A43313A37413A39433A31443A3041
10/9/2019
.................
3) Accounting-Start (Request & Response)
RADIUS Accounting transaction
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0] --> NAS IP Address is Null?
Code = Accounting request
Acct-Status-Type = Start
User-Name = CAMBIUM_F6P3G
Framed-IP-Address = 192.168.1.56 --> IP address of the mobile device
Calling-Station-Id = 54-40-AD-1C-**-**
Called-Station-Id = 58-C1-7A-9C-1D-**:**CAMBIUM_HOTSPOT2
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
UniqueID=3854
Realm = 205_CAMBIUM_TEST
User = CAMBIUM_F6P3G
Code = Accounting response
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041
4) Accounting Interim: Request & Response
RADIUS Accounting transaction
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
User = CAMBIUM_F6P3G
Code = Accounting request
Acct-Status-Type = Interim
User-Name = CAMBIUM_F6P3G
Framed-IP-Address = 192.168.1.56
Calling-Station-Id = 54-40-AD-1C-**-**
NAS-Identifier = Cambium_CLOUD
NAS-Port-ID = "CAMBIUM_HOTSPOT2"
Called-Station-Id = 58-C1-7A-9C-**-**:CAMBIUM_HOTSPOT2
Acct-Session-Id = "58-C1-7A-9C-1D-0A-B1-EA-E4-55-54-40-AD-1C-49-2B"
Event-Timestamp = Wed Oct 09 16:42:43 2019
Acct-Input-Packets = 4158
Acct-Output-Packets = 4317
Acct-Input-Octets = 533191
Acct-Output-Octets = 5264680
Acct-Session-Time = 30
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
Realm = 205_CAMBIUM_TEST
User = CAMBIUM_F6P3G
Code = Accounting response
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041
We are trying to send RADIUS Disconnect but we are missing something....
- Is there any non-compliance between cnMaestro On-Premises acting as a Proxy and RADIUS CoA? Is it possible to use CoA in this scenario?
- Where do you obtain the NAS-IP-Address that appears in the Access Request message? (10.129.12.242). This is not any IP in my scenario. Is it some kind of alias to identify the connected devices?
- When I pass the NAS-IP-Address=10.129.12.242 I receive this answer:
{ "error" : "This client matching passed NAS-IP-Address is not enabled for Dynamic Authorization"}
Any clues about this issue? This is the last thing that is left to make the Cambium solution work 100% with our scenario.
Thanks a lot in advance
(Radius CoA is enabled in the WLAN section, of course.)
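
Added example, not part of the original post and not Cambium's code: a Disconnect-Request carrying the three attributes quoted above, encoded per RFC 5176 with the Request Authenticator computed as for an Accounting-Request, plus the receiver-side check. The shared secret, packet identifier and client MAC are constructed sample values; the user name and NAS-IP-Address are the ones shown in the post.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31  # RFC 2865 attribute types

def _attr(attr_type, value):
    """Encode Type, Length, Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def build_disconnect_request(identifier, secret, user, nas_ip, calling_station):
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(CALLING_STATION_ID, calling_station.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_and_verify(packet, secret):
    """Check length and authenticator, then return (code, id, {type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad authenticator (wrong secret or modified packet)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, identifier, attrs

if __name__ == "__main__":
    SECRET = b"constructed-secret"  # constructed sample value
    pkt = build_disconnect_request(7, SECRET, "CAMBIUM_F6P3G",
                                   "10.129.12.242", "00-11-22-33-44-55")
    code, ident, attrs = parse_and_verify(pkt, SECRET)
    print(code, ident, ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
```

The authenticator covers every attribute, so a NAS-IP-Address rewritten in transit, or a packet signed with a different shared secret, fails verification at the receiver.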