client does not renew IP after RADIUS COA disconnect
I have been testing RADIUS change of authorization on Ubiquiti wireless. I have tested this on Ubuntu 19.04 as well as Ubuntu 19.10 and the behavior is the same on both as well as when testing on Debian or Fedora. FWIW this is working with a Windows 10 or Android client connected to the same wireless SSID on the same wireless AP, so this does not seem to be a configuration issue on the AP from what I can see. Below are the logs from the Ubuntu client as well as the RADIUS server. Please let me know if any further info is needed or if this behavior is expected. Log info is below. Thanks!
ubuntu@
Mar 26 21:28:30 ubuntu NetworkManager[
Client sends an Access-Request to RADIUS server:
Thu Mar 26 17:29:13 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x022900061500
State = 0x4cc366d24aea7
Thu Mar 26 17:29:13 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x022a008415001
State = 0x4cc366d24be97
Authentication succeeds and VLAN 230 is returned to client with Access-Accept:
Thu Mar 26 17:29:13 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:29:13 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:29:13 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0x0e4b4cd48f891
EAP-EMSK = 0x55d0a72ab01bd
EAP-Message = 0x032b0004
Laptop sends a DHCP request and gets an IP in VLAN 230:
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPDISCOVER on wlp2s0b1 to 255.255.255.255 port 67 interval 3 (xid=0x6bec8061)
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPOFFER of 10.103.230.59 from 10.103.230.1
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x6180ec6b)
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6bec8061)
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:29:13 ubuntu NetworkManager[
Mar 26 21:32:15 ubuntu NetworkManager[
Mar 26 21:32:15 ubuntu NetworkManager[
Thu Mar 26 17:32:27 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x0277008415001
State = 0xa57d9cc1a20a8
Thu Mar 26 17:32:27 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x0278004b15001
State = 0xa57d9cc1ad058
Thu Mar 26 17:32:27 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:32:27 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:32:27 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0x8be2c10500aea
EAP-EMSK = 0x04ba0ef6a922d
EAP-Message = 0x03780004
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x41dc1160)
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6011dc41)
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
Mar 26 21:32:27 ubuntu NetworkManager[
COA disconnect is sent to NAS (access point) by RADIUS server:
2020-03-26 17:33:00 : Invoked with arguments -m 3859f9815c98 -o SC_Compliant_Role -n SC_Quarantine_Test 10.100.10.235
2020-03-26 17:33:00 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:33:00 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:33:00 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:33:00 : Sending disconnect for attributes (User-Name=
Sending Disconnect-Request of id 65 to 10.100.10.235 port 3799
User-Name = "dshields"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=65, length=44
2020-03-26 17:33:00 : Received positive response from NAS, not broadcasting
Client is disconnected and sends an Access-Request to RADIUS server:
Thu Mar 26 17:33:01 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02b4008415001
State = 0xe7f9d95be04dc
Thu Mar 26 17:33:01 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02b5004b15001
State = 0xe7f9d95bef4cc
Thu Mar 26 17:33:01 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:33:01 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Authentication succeeds and VLAN 240 is returned to client with Access-Accept:
Thu Mar 26 17:33:01 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0x67b4f84b9ad40
EAP-EMSK = 0x3ee38f76ab419
EAP-Message = 0x03b50004
At this point I would expect the client to send a DHCPDISCOVER in order to obtain an IP address, but this does not happen. The client retains the IP address in VLAN 230 and therefore is unable to route as the AP has changed the client's VLAN to 240 per the Access-Accept from the RADIUS server.
The same behavior is seen upon sending subsequent COA disconnects to the NAS (access point): the AP applies the correct VLAN to the client per the Access-Accept, but the client remains in VLAN 230 with the same IP and cannot route when the AP applies VLAN 240.
2020-03-26 17:35:09 : Invoked with arguments -m 3859f9815c98 -o SC_Quarantine_Test -n SC_Compliant_Role 10.100.10.235
2020-03-26 17:35:09 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:35:09 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:35:09 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:35:09 : Sending disconnect for attributes (User-Name=
Sending Disconnect-Request of id 48 to 10.100.10.235 port 3799
User-Name = "dshields"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=48, length=44
2020-03-26 17:35:09 : Received positive response from NAS, not broadcasting
Thu Mar 26 17:35:10 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02ce008415001
State = 0xa0891789a7470
Thu Mar 26 17:35:10 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02cf004b15001
State = 0xa0891789a8460
Thu Mar 26 17:35:10 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:35:10 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:35:10 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0xf7ef4d596eae8
EAP-EMSK = 0x426eec9a29886
EAP-Message = 0x03cf0004
2020-03-26 17:41:33 : Invoked with arguments -m 3859f9815c98 -o SC_Quarantine_Test -n SC_Compliant_Role 10.100.10.235
2020-03-26 17:41:33 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:41:33 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:41:33 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:41:33 : Sending disconnect for attributes (User-Name=
Sending Disconnect-Request of id 12 to 10.100.10.235 port 3799
User-Name = "dshields"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=12, length=44
2020-03-26 17:41:33 : Received positive response from NAS, not broadcasting
Thu Mar 26 17:41:34 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02c5008415001
State = 0x09d04bb20e155
Thu Mar 26 17:41:34 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02c6004b15001
State = 0x09d04bb201165
Thu Mar 26 17:41:34 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:41:34 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:41:34 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0xe232cdbc1a00f
EAP-EMSK = 0xcbe3e40deac3c
EAP-Message = 0x03c60004
2020-03-26 17:42:46 : Invoked with arguments -m 3859f9815c98 -o SC_Compliant_Role -n SC_Quarantine_Test 10.100.10.235
2020-03-26 17:42:46 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:42:46 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:42:46 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:42:46 : Sending disconnect for attributes (User-Name=
Sending Disconnect-Request of id 29 to 10.100.10.235 port 3799
User-Name = "dshields"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=29, length=44
2020-03-26 17:42:46 : Received positive response from NAS, not broadcasting
Thu Mar 26 17:42:47 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02e7008415001
State = 0x8014591c87f34
Thu Mar 26 17:42:47 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02e8004b15001
State = 0x8014591c88fc4
Thu Mar 26 17:42:47 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:42:47 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:42:47 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0xac1fbcd292f1b
EAP-EMSK = 0xc0643be41db08
EAP-Message = 0x03e80004
When the wireless connection to the AP is terminated and restarted, only then does the client send a DHCPDISCOVER and an IP in the new VLAN is received.
Mar 26 21:44:38 ubuntu NetworkManager[
Mar 26 21:44:38 ubuntu NetworkManager[
Thu Mar 26 17:44:45 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02d0008415001
State = 0xde704f4ad9a05
Thu Mar 26 17:44:45 2020
Packet-Type = Access-Request
User-Name = "dshields"
Framed-MTU = 1400
EAP-Message = 0x02d1004b15001
State = 0xde704f4ad6a15
Thu Mar 26 17:44:45 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:44:45 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)
Thu Mar 26 17:44:45 2020
Packet-Type = Access-Accept
User-Name = "dshields"
EAP-MSK = 0x805c3ac354b41
EAP-EMSK = 0x3e1b10ae20fe9
EAP-Message = 0x03d10004
Mar 26 21:44:45 ubuntu NetworkManager[
Mar 26 21:44:45 ubuntu NetworkManager[
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x77e7dffd)
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPNAK from 10.103.240.1 (xid=0xfddfe777)
Mar 26 21:44:45 ubuntu NetworkManager[
Mar 26 21:44:45 ubuntu NetworkManager[
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPDISCOVER on wlp2s0b1 to 255.255.255.255 port 67 interval 3 (xid=0xa64d391d)
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPOFFER of 10.103.240.56 from 10.103.240.1
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPREQUEST for 10.103.240.56 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x1d394da6)
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPACK of 10.103.240.56 from 10.103.240.1 (xid=0xa64d391d)
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
Mar 26 21:44:46 ubuntu NetworkManager[
ubuntu@
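An added detection script (my own, not part of the question or of any Ubuntu/NetworkManager code) that correlates the RADIUS server log with the client's dhclient syslog and flags a reauthentication that directly followed a CoA Disconnect-ACK but was not followed by a DHCPDISCOVER or DHCPNAK on the client, which is the stale-lease condition described above. The sample lines are constructed in the formats seen in the post; the 4-hour offset between the RADIUS and client clocks (17:33 vs 21:33) and the year 2020 for the year-less syslog timestamps are assumptions passed as parameters.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in the formats seen in the post (not the real logs).
RADIUS_LOG = """\
2020-03-26 17:33:00 : Sending disconnect for attributes (User-Name=
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=65, length=44
Thu Mar 26 17:33:01 2020
Packet-Type = Access-Accept
2020-03-26 17:44:40 : Sending disconnect for attributes (User-Name=
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=70, length=44
Thu Mar 26 17:44:45 2020
Packet-Type = Access-Accept""".splitlines()
CLIENT_LOG = """\
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6011dc41)
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPNAK from 10.103.240.1 (xid=0xfddfe777)
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPDISCOVER on wlp2s0b1 to 255.255.255.255 port 67 interval 3 (xid=0xa64d391d)""".splitlines()
# The RADIUS log mixes two timestamp styles; the client syslog carries no year.
RADIUS_TS = [("%Y-%m-%d %H:%M:%S", re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")),
             ("%a %b %d %H:%M:%S %Y", re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"))]
CLIENT_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhclient\[\d+\]: (DHCP[A-Z]+)")

def radius_events(lines, offset):
    """Yield (time on the client's clock, kind) for Disconnect-ACK and Access-Accept lines;
    untimestamped lines (rad_recv, Packet-Type) inherit the most recent timestamp."""
    current = None
    for line in lines:
        for fmt, rx in RADIUS_TS:
            if m := rx.match(line):
                current = datetime.strptime(m.group(1), fmt) + offset  # assumed clock offset
        if current and "Disconnect-ACK" in line:
            yield current, "disconnect-ack"
        elif current and line.strip() == "Packet-Type = Access-Accept":
            yield current, "access-accept"

def dhcp_events(lines, year):
    """Return (time, DHCP message type) for each dhclient line, assuming the given year."""
    return [(datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y"), m.group(2))
            for m in map(CLIENT_TS.match, lines) if m]

def stale_leases_after_coa(radius_lines, client_lines, offset=timedelta(hours=4),
                           year=2020, window=timedelta(seconds=30)):
    """Access-Accept times that directly followed a CoA Disconnect-ACK but were not
    followed by a DHCPDISCOVER or DHCPNAK on the client within `window`."""
    events = list(radius_events(radius_lines, offset))
    dhcp = dhcp_events(client_lines, year)
    return [t for i, (t, kind) in enumerate(events)
            if kind == "access-accept" and i and events[i - 1][1] == "disconnect-ack"
            and not any(k in ("DHCPDISCOVER", "DHCPNAK") and t <= dt <= t + window
                        for dt, k in dhcp)]
```

On the constructed sample the first reauthentication (21:33:01 on the client clock) is flagged as a stale lease and the second is not, because the client issued a DHCPNAK/DHCPDISCOVER right after it.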
Question information
- Language: English
- Status: Answered
- For: Ubuntu
- Assignee: No assignee