RADIUS CoA on CnMaestro-On Premises as Radius Proxy not working!

Hi,

We have a cnMaestro on-Premises 2.2 running on Azure with a public IP address. Everything is working fine, with External Captive Portal and External Radius Server. cnMaestro is working as a RADIUS Proxy, and all the RADIUS AAA is working fine. However, we are in trouble because we are not able to make the RADIUS CoA work.

I have followed the following document (which, BTW, is very well explained):

https://community.cambiumnetworks.com/t5/cnPilot-E-Series-Enterprise-APs/Configuring-Dynamic-Authorization-CoA-on-cnPilot-E-series-Device/m-p/74416

As explained in the document, for example for a CoA Disconnect:

"Here is the list of attributes which cnPilot AP expects in a CoA or Disconnect Request :

  • User name
  • NAS-IP-Address
  • Calling Station ID"

Considering this, our problem is that we are not able to get the NAS-IP-Address in our scenario, so we cannot send CoA Disconnects.

Our scenario is simple:

- CnMaestro on premises running on a VM with a Public IP Address

- RADIUS Server running in another VM with another Public IP Address

- AP in our Lab, with 192.168.1.100 private address, managed by cnMaestro. Bridge mode, not NAT to the users.

- Mobile in our Lab, connected to that AP, with 192.168.1.56.

As per the documentation, we have to obtain the NAS-IP-Address, but this info is not arriving.

This is a complete RADIUS transaction messages when a user connects to the WiFi:

1) Access-Request. cnMaestro to Radius Server message

   RADIUS Authentication transaction 
Client address [cnMaestro-Public-Address]
NAS address [10.129.12.242] ---> What is this IP? This is not our local IP Address. Is it an alias?
User = CAMBIUM_F6P3G
Code = Access request
Called-Station-Id = 58-C1-7A-9C-**-**:CAMBIUM_HOTSPOT2 --> MAC and SSID of the AP
NAS-IP-Address = 10.129.12.242
.................

2) Access-Accept. Radius Server to cnMaestro message

   RADIUS Accounting transaction 
Client address [cnMaestro-Public-Address]
NAS address [10.129.12.242]
User = CAMBIUM_F6P3G
Code = Access accept
Session-Timeout = 172800
Bandwidth-Max-Down = 10000000
Bandwidth-Max-Up = 10000000
CAMB-WIFI-QUOTA-TOTAL = 104857600
Acct-Interim-Interval = 30
Idle-Timeout = 900
CAMB-WIFI-QUOTA-TOTAL-GIGAWORD = 5
Proxy-State = 0x00000FC635383A43313A37413A39433A31443A3041
10/9/2019
.................

3) Accounting-Start (Request & Response)

  RADIUS Accounting transaction 
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0] --> NAS IP Address is Null?
Code = Accounting request
Acct-Status-Type = Start
User-Name = CAMBIUM_F6P3G
Framed-IP-Address = 192.168.1.56 --> IP address of the mobile device
Calling-Station-Id = 54-40-AD-1C-**-**
Called-Station-Id = 58-C1-7A-9C-1D-**:**CAMBIUM_HOTSPOT2
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041

Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
UniqueID=3854
Realm = 205_CAMBIUM_TEST
User = CAMBIUM_F6P3G
Code = Accounting response
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041

4) Accounting Interim: Request & Response

RADIUS Accounting transaction 
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
User = CAMBIUM_F6P3G
Code = Accounting request
Acct-Status-Type = Interim
User-Name = CAMBIUM_F6P3G
Framed-IP-Address = 192.168.1.56
Calling-Station-Id = 54-40-AD-1C-**-**
NAS-Identifier = Cambium_CLOUD
NAS-Port-ID = "CAMBIUM_HOTSPOT2"
Called-Station-Id = 58-C1-7A-9C-**-**:CAMBIUM_HOTSPOT2
Acct-Session-Id = "58-C1-7A-9C-1D-0A-B1-EA-E4-55-54-40-AD-1C-49-2B"
Event-Timestamp = Wed Oct 09 16:42:43 2019
Acct-Input-Packets = 4158
Acct-Output-Packets = 4317
Acct-Input-Octets = 533191
Acct-Output-Octets = 5264680
Acct-Session-Time = 30
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041
Client address [cnMaestro-Public-Address]
NAS address [0.0.0.0]
Realm = 205_CAMBIUM_TEST
User = CAMBIUM_F6P3G
Code = Accounting response
Proxy-State = 0x000085D835383A43313A37413A39433A31443A3041

We are trying to send RADIUS Disconnect but we are missing something....

- Is there any non-compliance between cnMaestro on Premises acting as Proxy and RADIUS CoA? Is it possible to use CoA in this scenario?

- Where do you obtain the NAS-IP-Address that appears in the Access Request message? (10.129.12.242). This is not any IP in my scenario. Is it some kind of alias to identify the connected devices?

- When I pass the NAS-IP-Address=10.129.12.242 I receive this answer:

{ "error" : "This client matching passed NAS-IP-Address is not enabled for Dynamic Authorization"}

Any clues about this issue? This is the last thing that is left to make the Cambium solution work 100% with our scenario.

Thanks a lot in advance

(Radius CoA is enabled in the WLAN section, of course.)

hi,

with your explanation on this query, we assume 802.1x authentication is working and only coa is not working. when proxy through controller is enabled, by default controller ip will go as nas-ip.

what is the controller public ip?

controller ip static or dynamic?

hope we are using default coa port number

hope you have enabled below settings

on controller: 

1. application -> settings -> radius proxy and 

on wlan profile under radius server:

1. dynamic authorization and 

2. proxy through cnMaestro

where do we see this message, "This client matching passed NAS-IP-Address is not enabled for Dynamic Authorization"

Hi,

As per design, when Radius proxy is enabled Radius "Access-Request" should go with "NAS-IP" as "CnMaestro IP". But for you "Access-Request" goes with NAS-IP as "10.129.12.242", which is not in the range of your private or public IP??

As you mentioned, hope you have already enabled "Dynamic Authorisation" and "Radius proxy through CnMaestro" in WLAN.

Can you please try to config in CnMaestro, Application->Settings-> Radius Proxy->NAS IP= "your CnMaestro public IP". Attached Screenshot.

Also the link you referred, is to send COA without radius proxy. Please ignore it.

Please try below COA command,

Note: For Radius proxy through CnMaestro, "Acct-Session-Id" is mandatory in COA command. You can get it in "Access-Request" packet or radius log.

echo "User-Name=<username>,NAS-IP-Address=<CnMaestro IP>,Acct-Session-Id=58-C1-7A-6E-D8-D1-5D-96-E6-DF-78-7B-8A-9A-9E-77 ,Calling-Station-Id=78-7B-8A-9A-9E-77,NAS-Identifier=E425-6ED8D1" | radclient <CnMaestro IP>:3799 disconnect <shared secret>

If you still face issue, please share the exact version of your CnMaestro and AP.

Thanks,

Divakar


Dear all,

Thanks for your reply. Please find below the answers to your questions:

- Version of the cnMaestro on-Premise Controller: 2.1.0r22

- IP Address of cnMaestro: 82.223.253.233 (Public Static)

- Dynamic Authorization: Enabled

- Proxy RADIUS through cnMaestro: Enabled

- Version of the AP: 3.9-r3

- Model of the AP: cnPilot E410

- Private address Range (AP and connected devices): 192.168.1.0/24

- hope we are using default coa port number: Yes, 3799

"with your explanation on this query, we assume 802.1x authentication is working and only coa is not working" --> CORRECT

"when proxy through controller is enabled, by default controller ip will go as nas-ip."  --> Linked to the next one

"As per design, when Radius proxy is enabled Radius "Access-Request" should go with "NAS-IP" as "CnMaestro IP". But for you "Access-Request" goes with NAS-IP as "10.129.12.242", which is not in the range of your private or public IP??" --> CORRECT. This is not any of my IP addresses. It is not configured anywhere. I thought it was an alias or something similar. In addition, and as you see in the messages, the "CNMaestro-IP" is not sent in the "NAS-IP" attribute, but in the "Client-Address" attribute.

"Can you please try to config in CnMaestro, Application->Settings-> Radius Proxy->NAS IP= "your CnMaestro public IP"" --> NOT POSSIBLE. Attached screenshot.  In my version that option is not available. In which version is that? I have tried to update cnMaestro both via OVA and via Packages but it is not possible.


"Also the link you referred, is to send COA without radius proxy. Please ignore it. Please try below COA command," --> WOW, this is important.

I tried to follow the most accurate post I found about RADIUS CoA. Do you have more detailed information about RADIUS CoA via a RADIUS Proxy? That would be definitely very helpful.

"Try to do echo "User-Name=<username>,NAS-IP-Address=<CnMaestro IP>,Acct-Session-Id=58-C1-7A-6E-D8-D1-5D-96-E6-DF-78-7B-8A-9A-9E-77 ,Calling-Station-Id=78-7B-8A-9A-9E-77,NAS-Identifier=E425-6ED8D1" | radclient <CnMaestro IP>:3799 disconnect <shared secret>"

Everything is OK, but for the moment I am not able to receive NAS-IP-Address=<CnMaestro IP>, so the radtest command is not working :(

Thanks in advance 

IMPORTANT UPDATE:

I have performed the command: "User-Name=<username>,NAS-IP-Address=<CnMaestro IP>,Acct-Session-Id=58-C1-7A-6E-D8-D1-5D-96-E6-DF-78-7B-8A-9A-9E-77 ,Calling-Station-Id=78-7B-8A-9A-9E-77,NAS-Identifier=E425-6ED8D1" | radclient <CnMaestro IP>:3799 disconnect <shared secret>"

Using NAS-IP-Address=<CnMaestro IP> (because I know it), and I confirm that the CoA Disconnect worked! It was a good point to know that the Acct-Session-Id was mandatory, as it did not appear in the documentation I was handling.

So CoA is working. I just have to receive the NAS-IP-Address from the cnMaestro so I don't have to put this command manually in the RADIUS Server.

Everything is OK, but for the moment I am not able to receive NAS-IP-Address=<CnMaestro IP>, so the radtest command is not working :(
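
Added example (not part of any post in this thread, and not Cambium code): a sketch of how a RADIUS server could build the Disconnect-Request itself from an accounting record, taking NAS-IP-Address from its own configuration because the proxied accounting messages above carry 0.0.0.0, and refusing to build the request without Acct-Session-Id. The function names, the 192.0.2.10 proxy address, the shared secret and the MAC/session values are constructed assumptions; the packet layout and authenticator follow RFC 5176.

```python
import hashlib
import socket
import struct

# RADIUS attribute types (RFC 2865/2866) and the Disconnect-Request code (RFC 5176)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER, ACCT_SESSION_ID = 1, 4, 31, 32, 44
DISCONNECT_REQUEST = 40

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect(acct, proxy_ip, secret, ident=1):
    """Build a Disconnect-Request for the session in an accounting record (hypothetical helper).

    NAS-IP-Address always comes from proxy_ip (the cnMaestro address), never
    from the record, since the proxied accounting packets do not carry it.
    """
    if not acct.get("Acct-Session-Id"):
        raise ValueError("Acct-Session-Id is required for CoA through the proxy")
    attrs = (
        attr(USER_NAME, acct["User-Name"].encode())
        + attr(NAS_IP_ADDRESS, socket.inet_aton(proxy_ip))
        + attr(ACCT_SESSION_ID, acct["Acct-Session-Id"].encode())
        + attr(CALLING_STATION_ID, acct["Calling-Station-Id"].encode())
    )
    if acct.get("NAS-Identifier"):
        attrs += attr(NAS_IDENTIFIER, acct["NAS-Identifier"].encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2 : pos + length]
        pos += length
    return out

# Constructed sample, shaped like the Interim accounting message in the thread.
SAMPLE_ACCT = {
    "User-Name": "CAMBIUM_F6P3G",
    "Calling-Station-Id": "00-11-22-33-44-55",                             # constructed
    "Acct-Session-Id": "AA-BB-CC-DD-EE-FF-01-02-03-04-00-11-22-33-44-55",  # constructed
    "NAS-Identifier": "Cambium_CLOUD",
}
PACKET = build_disconnect(SAMPLE_ACCT, "192.0.2.10", b"constructed-secret")
```

The resulting bytes are what radclient would send by UDP to port 3799 on the proxy; the receiver recomputes the same MD5 with the shared secret and drops the request if it does not match.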