client does not renew IP after RADIUS COA disconnect

Asked by asylum on 2020-03-27

I have been testing RADIUS change of authorization on Ubiquiti wireless. I have tested this on Ubuntu 19.04 as well as Ubuntu 19.10 and the behavior is the same on both as well as when testing on Debian or Fedora. FWIW this is working with a Windows 10 or Android client connected to the same wireless SSID on the same wireless AP, so this does not seem to be a configuration issue on the AP from what I can see. Below are the logs from the Ubuntu client as well as the RADIUS server. Please let me know if any further info is needed or if this behavior is expected. Log info is below. Thanks!

ubuntu@ubuntu:/var/log$ journalctl | grep -Ei 'dhcp'
Mar 26 21:28:30 ubuntu NetworkManager[1127]: <info> [1585258110.5810] dhcp-init: Using DHCP client 'dhclient'

Client sends an Access-Request to RADIUS server:

Thu Mar 26 17:29:13 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "ABB4DA79B50051CB"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x022900061500
        State = 0x4cc366d24aea73b029eb30b6d6318ffc
        Message-Authenticator = 0x48aef4abde67bc109ce1689d34b292cb
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:29:13 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "ABB4DA79B50051CB"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x022a008415001603030046100000424104bbae17c4fd4f2c594c2fe9737cc7919914adc728c0c3080fcf9e0f4cec1e1baced618159446d056286c8ca54ab8eb9142a2b1cfd5c88e110e6a28edf4ce943ed1403030001011603030028c00e45cebb1752d0b5c6323f47be852483a27af729b82ee96e3139d24dfa485e8ffed35de2438d54
        State = 0x4cc366d24be973b029eb30b6d6318ffc
        Message-Authenticator = 0x5d0f1396a39e5b0e1e1a0c6118e1ebea
        NAS-IP-Address = 10.100.10.235

Authentication succeeds and VLAN 230 is returned to client with Access-Accept:

Thu Mar 26 17:29:13 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:29:13 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:29:13 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0x0e4b4cd48f891763a1f1792c71047066b1fd70914f7212cf011f1a367277cd02
        MS-MPPE-Send-Key = 0xc81a04f1482a75cff7cac78876a95391ab9908d613dd2e2476def943bab5cf4c
        EAP-MSK = 0x0e4b4cd48f891763a1f1792c71047066b1fd70914f7212cf011f1a367277cd02c81a04f1482a75cff7cac78876a95391ab9908d613dd2e2476def943bab5cf4c
        EAP-EMSK = 0x55d0a72ab01bd0a5ec49a6e081fcecff37357ba89f8c25767d8033e529e45b116a9cec3044cef37c20297c60b8b3b345be1248859214586ad9e925545cf88c14
        EAP-Session-Id = 0x15066089550d45a92a0c53f9280e765fbdcf813480da08fdbf5b33de44dd5dc9c15e7d1ea91e31c2135dd3b384f8d628548ab4beb299a79ee60836464d78cfcce5
        EAP-Message = 0x032b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "230"

Laptop sends a DHCP request and gets an IP in VLAN 230:

Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.1150] dhcp4 (wlp2s0b1): activation: beginning transaction (timeout in 45 seconds)
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.1352] dhcp4 (wlp2s0b1): dhclient started with pid 2626
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPDISCOVER on wlp2s0b1 to 255.255.255.255 port 67 interval 3 (xid=0x6bec8061)
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPOFFER of 10.103.230.59 from 10.103.230.1
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x6180ec6b)
Mar 26 21:29:13 ubuntu dhclient[2626]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6bec8061)
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7935] dhcp4 (wlp2s0b1): address 10.103.230.59
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7936] dhcp4 (wlp2s0b1): plen 24 (255.255.255.0)
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7936] dhcp4 (wlp2s0b1): gateway 10.103.230.1
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7936] dhcp4 (wlp2s0b1): lease time 43200
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7936] dhcp4 (wlp2s0b1): nameserver '10.101.3.3'
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7937] dhcp4 (wlp2s0b1): nameserver '8.8.8.8'
Mar 26 21:29:13 ubuntu NetworkManager[1127]: <info> [1585258153.7937] dhcp4 (wlp2s0b1): state changed unknown -> bound
Mar 26 21:32:15 ubuntu NetworkManager[1127]: <info> [1585258335.5457] dhcp4 (wlp2s0b1): canceled DHCP transaction, DHCP client pid 2626
Mar 26 21:32:15 ubuntu NetworkManager[1127]: <info> [1585258335.5458] dhcp4 (wlp2s0b1): state changed bound -> done

Thu Mar 26 17:32:27 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02770084150016030300461000004241047c8435590017c1097b85fea5f1fc56f60d0fb11a9f4ccb90926ab6328d15ca23805414ea5bdd89a405ad11c0c442f45c6524206e2c96fb7778cf4b716fad5e0f14030300010116030300285f6dcdf55ab70cbaefbdfab8aa1528be435c55d27fb39920e8e384489d4c22ce5e072360e8122c72
        State = 0xa57d9cc1a20a898c59aff0df9f8dfe43
        Message-Authenticator = 0xf10eea7ba9c9834450a4e117dba4784c
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:32:27 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x0278004b150017030300405f6dcdf55ab70cbb6e27857a2ef52338282f7bc0955d1e907ab847a6452d0c4e276c945701a775e1c893375bdf39719ddde1a0fc17b38e4480a2c49702c3ae8f
        State = 0xa57d9cc1ad05898c59aff0df9f8dfe43
        Message-Authenticator = 0xc17ebf8458874b32795718cfbd9e2210
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:32:27 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:32:27 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:32:27 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0x8be2c10500aea4eb50c8d04400c6b1a875328b71094d091b56feef10d3c35c32
        MS-MPPE-Send-Key = 0x418822e1ec81caa957265129a30f05fdb51e5b75c8c3dab9b2b1087670de67e6
        EAP-MSK = 0x8be2c10500aea4eb50c8d04400c6b1a875328b71094d091b56feef10d3c35c32418822e1ec81caa957265129a30f05fdb51e5b75c8c3dab9b2b1087670de67e6
        EAP-EMSK = 0x04ba0ef6a922d56e84429099f6e8b4c095550f07e7545e3cfcc36e6ba3803e6d612df583eb77d8b847ed432c3c1a5fb19c95a33f16d50213d8ec0ae40fcbc6ad
        EAP-Session-Id = 0x159450251fdfa2cad0d04d431e8d8bcc96d75eb8206b8850a286a579389d3c108c5e7d1f6b739ce2f606cf48329fa6047d670da2b8307cf6e5c31d4094f349c2ec
        EAP-Message = 0x03780004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "230"

Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.4966] dhcp4 (wlp2s0b1): activation: beginning transaction (timeout in 45 seconds)
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5035] dhcp4 (wlp2s0b1): dhclient started with pid 4658
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x41dc1160)
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6011dc41)
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5552] dhcp4 (wlp2s0b1): address 10.103.230.59
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5552] dhcp4 (wlp2s0b1): plen 24 (255.255.255.0)
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5552] dhcp4 (wlp2s0b1): gateway 10.103.230.1
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5553] dhcp4 (wlp2s0b1): lease time 43200
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5553] dhcp4 (wlp2s0b1): nameserver '10.101.3.3'
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5553] dhcp4 (wlp2s0b1): nameserver '8.8.8.8'
Mar 26 21:32:27 ubuntu NetworkManager[1127]: <info> [1585258347.5553] dhcp4 (wlp2s0b1): state changed unknown -> bound

COA disconnect is sent to NAS (access point) by RADIUS server:

2020-03-26 17:33:00 : Invoked with arguments -m 3859f9815c98 -o SC_Compliant_Role -n SC_Quarantine_Test 10.100.10.235
2020-03-26 17:33:00 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:33:00 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:33:00 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:33:00 : Sending disconnect for attributes (User-Name=dshields,NAS-Identifier=7483c28d26de) to NAS 10.100.10.235
Sending Disconnect-Request of id 65 to 10.100.10.235 port 3799
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=65, length=44
        Event-Timestamp = "Mar 26 2020 17:33:00 EDT"
        Message-Authenticator = 0x7bca986b22d07324da7f42ee6bb4a136
2020-03-26 17:33:00 : Received positive response from NAS, not broadcasting

Client is disconnected and sends an Access-Request to RADIUS server:

Thu Mar 26 17:33:01 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02b40084150016030300461000004241042ee2617f689a6ffa0832e699d059622cd1663c1ef59b076ee9ca79b16b85b06612bb2cd72a81670c2baad27087905f386ce313881c93f5ebf6b24605a0b5f0571403030001011603030028240c74d5b394ca6001fc3895a4cb482ede2a158b5e4632c11907b5e9a8744c7a2c2ad9d4b607ced2
        State = 0xe7f9d95be04dcc525194079a989fb5cf
        Message-Authenticator = 0x1d219014a11a7934e7380376264e510b
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:33:01 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02b5004b15001703030040240c74d5b394ca61a6d7b0c7e0a320d44a30741998b19fd528d6be6a124c4a9797c3f8a544140666e99f71ad5684ed31dd06bc0a96df4f9cbf4144f07e16067a
        State = 0xe7f9d95bef4ccc525194079a989fb5cf
        Message-Authenticator = 0x28b26a37091097cf98936d40053bc24b
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:33:01 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:33:01 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Authentication succeeds and VLAN 240 is returned to client with Access-Accept:

Thu Mar 26 17:33:01 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0x67b4f84b9ad403fdc155e5734e5199ac1e89c3a6474dbcc2d6f1a799427bcd0d
        MS-MPPE-Send-Key = 0x86ee0d0536eacc87939e586c04aa82e2c6009c0bbfb43d6e0fc2017029b77057
        EAP-MSK = 0x67b4f84b9ad403fdc155e5734e5199ac1e89c3a6474dbcc2d6f1a799427bcd0d86ee0d0536eacc87939e586c04aa82e2c6009c0bbfb43d6e0fc2017029b77057
        EAP-EMSK = 0x3ee38f76ab4198f3386f66487fc7bde5d2af3c30d6378efa2f75387af3f016588b325626dd5bf6328e29c9d1f3e2bd6c5122ab8832103ed8fc44d2f761e6f614
        EAP-Session-Id = 0x15ebb830061c0662ab3c415f04952751e4357e148556e5fbb31d30d8cc9a1cd5475e7d1f8def61d4cc6f014abc46d5279b5ec199a095ef5e910ff48d17221777e8
        EAP-Message = 0x03b50004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "240"

At this point I would expect the client to send a DHCPDISCOVER in order to obtain an IP address, but this does not happen. The client retains the IP address in VLAN 230 and therefore is unable to route as the AP has changed the client's VLAN to 240 per the Access-Accept from the RADIUS server.

The same behavior is seen upon sending subsequent COA-disconnects to the NAS (access point): the AP applies the correct VLAN to the client per the Access-Accept, but the client remains in VLAN 230 with the same IP and cannot route when the AP applies VLAN 240.

2020-03-26 17:35:09 : Invoked with arguments -m 3859f9815c98 -o SC_Quarantine_Test -n SC_Compliant_Role 10.100.10.235
2020-03-26 17:35:09 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:35:09 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:35:09 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:35:09 : Sending disconnect for attributes (User-Name=dshields,NAS-Identifier=7483c28d26de) to NAS 10.100.10.235
Sending Disconnect-Request of id 48 to 10.100.10.235 port 3799
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=48, length=44
        Event-Timestamp = "Mar 26 2020 17:35:09 EDT"
        Message-Authenticator = 0xff2e8e924ddb43d9263538bc8de551a2
2020-03-26 17:35:09 : Received positive response from NAS, not broadcasting

Thu Mar 26 17:35:10 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02ce008415001603030046100000424104020ed1ff0c5cbd092ef2fe3be99acb6b62822fdacdc8cdaaa427fa863880cf858df1b60b996db438452832e089259f3cb9eb0e7b05346e783980998ed0f5176d1403030001011603030028d1edcc23ac0f6f59501435f88cc0ef56299ea479991009f5da7da7fe55a8695e297d6d76a7e852bb
        State = 0xa0891789a747022c6ce573d4adbb4733
        Message-Authenticator = 0x9a7d1d52aadcf2c164cf33821ccc6e6a
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:35:10 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02cf004b15001703030040d1edcc23ac0f6f5af17d8019dac5f84c630cb42ee55a5f5198e808cf99a44cae31d83e8307b8391026ea8a35a55a46eb0d6443f2e7ae972fe959b07a4eeda01a
        State = 0xa0891789a846022c6ce573d4adbb4733
        Message-Authenticator = 0xf8ea8a7ae4f2e94b25875ae8f6359823
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:35:10 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:35:10 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:35:10 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0xf7ef4d596eae8a14bf141874cc8c15234389e9f17ce675179bce3df0282db43c
        MS-MPPE-Send-Key = 0x6b46fd98b26effd97261c850af51b1df0f4e61bf3a00b9462dc3d4e1fdb75d7b
        EAP-MSK = 0xf7ef4d596eae8a14bf141874cc8c15234389e9f17ce675179bce3df0282db43c6b46fd98b26effd97261c850af51b1df0f4e61bf3a00b9462dc3d4e1fdb75d7b
        EAP-EMSK = 0x426eec9a29886938dc247ab4098f4fae566df4fb20bc5047c2870770d0fccc21bb6c3f2dc33acd2d0056f2ec97c267e82f3a3446c01d8227c67fb64a67e8e5c1
        EAP-Session-Id = 0x153fe0ac6906daae7dfcfbea9030243efb9126430de84250e7e7391ba8cbe32cb55e7d200ec6500135a913fcbf8724d41898bc807ec5e562a332e33f9d22d2ffe2
        EAP-Message = 0x03cf0004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "230"

2020-03-26 17:41:33 : Invoked with arguments -m 3859f9815c98 -o SC_Quarantine_Test -n SC_Compliant_Role 10.100.10.235
2020-03-26 17:41:33 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:41:33 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:41:33 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:41:33 : Sending disconnect for attributes (User-Name=dshields,NAS-Identifier=7483c28d26de) to NAS 10.100.10.235
Sending Disconnect-Request of id 12 to 10.100.10.235 port 3799
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=12, length=44
        Event-Timestamp = "Mar 26 2020 17:41:33 EDT"
        Message-Authenticator = 0x42ee50c1a8807189871a5792614b744e
2020-03-26 17:41:33 : Received positive response from NAS, not broadcasting

Thu Mar 26 17:41:34 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02c5008415001603030046100000424104153769a484653c1f2093edda9392641aabda6af34a119d1a6c6fb7b3908483bd635078cdf65ab6629a452e1e9adac37c46c8e96a7596e54072b050e28b01a9d4140303000101160303002877fd6678495b1ac3c62717ebb1f407ae262ac9d0c4a36247453c2c2c81ed52f028f8d588d4f44de3
        State = 0x09d04bb20e155e0e7c41d1e6191aa9e3
        Message-Authenticator = 0xfc9c3cb417286adfb2950bd89d539791
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:41:34 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02c6004b1500170303004077fd6678495b1ac46f5c33d6303c5d14d44d2e881e1437b0a35358027c4ce3ad21f4affcce51435a217a3f54fbdb85d9be0c7470f92af2f7673e2e3847c4877a
        State = 0x09d04bb201165e0e7c41d1e6191aa9e3
        Message-Authenticator = 0x6e408a2a340d2e5be900e5cb1d2ffb74
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:41:34 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:41:34 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:41:34 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0xe232cdbc1a00f95526ed2532a3c9c1d65396b909739657fb8e46ac4799cba2e6
        MS-MPPE-Send-Key = 0xd2e5933872a78ba342fc585e0e6fbc087d66025a2022c819f32e707733160f16
        EAP-MSK = 0xe232cdbc1a00f95526ed2532a3c9c1d65396b909739657fb8e46ac4799cba2e6d2e5933872a78ba342fc585e0e6fbc087d66025a2022c819f32e707733160f16
        EAP-EMSK = 0xcbe3e40deac3c06c4e7d6febf4a6cfa7c8f3bf033e672b10af0c03e487902b8827c35f8360dbdf3305c5a97b7ee06846dfd39c158c65c6bbfd6b8ddbe04dae9d
        EAP-Session-Id = 0x1555a4ff8a3b1d9d76dfb951027687e8028d47e29a901abee009cd12efe78bbc535e7d218e790c0e97e716b776537cc2628b3a24a40bf4a1adde41bdfa89af99ff
        EAP-Message = 0x03c60004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "230"

2020-03-26 17:42:46 : Invoked with arguments -m 3859f9815c98 -o SC_Compliant_Role -n SC_Quarantine_Test 10.100.10.235
2020-03-26 17:42:46 : Found username dshields for MAC address 3859f9815c98
2020-03-26 17:42:46 : Found NAS-Port 0 for MAC address 3859f9815c98
2020-03-26 17:42:46 : Found NAS-Identifier 7483c28d26de for MAC address 3859f9815c98
2020-03-26 17:42:46 : Sending disconnect for attributes (User-Name=dshields,NAS-Identifier=7483c28d26de) to NAS 10.100.10.235
Sending Disconnect-Request of id 29 to 10.100.10.235 port 3799
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
rad_recv: Disconnect-ACK packet from host 10.100.10.235 port 3799, id=29, length=44
        Event-Timestamp = "Mar 26 2020 17:42:46 EDT"
        Message-Authenticator = 0x4a1557e3d226e742b9fa4e3689e7bb37
2020-03-26 17:42:46 : Received positive response from NAS, not broadcasting

Thu Mar 26 17:42:47 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02e70084150016030300461000004241042d85e9896668b1170da43af04080eb7a7904551fe3414a8aa62656fdd26505565a1023f888f8bf06078625defb7f111ab7d25b8e43caaafe7b413ebf731c0c051403030001011603030028055fb765a2d9801f397e3aaf619ef75ac5822d7660b421c36deb0a7518868f9d7e51d21a24548e6f
        State = 0x8014591c87f34c8ed2b79bc3dbd2507f
        Message-Authenticator = 0xf6bc563c725a4d3495f2ba0a1fe75a09
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:42:47 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        Framed-IP-Address = 10.103.230.59
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "444FB4C30AF34419"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02e8004b15001703030040055fb765a2d9802034d3e6472efeb26f135c5f6e7b2484d1f46be30f185eb739b0eb4d0e646bc7adc1cd8cf742f37e7f8741f0428bc5adf976040e075ef3a5d3
        State = 0x8014591c88fc4c8ed2b79bc3dbd2507f
        Message-Authenticator = 0x73ec5f2e203e4aab48ae726257babddb
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:42:47 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:42:47 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:42:47 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0xac1fbcd292f1bcc8515114d713f59da3b2712fb4a598f9f094d8cf5a7a556ebf
        MS-MPPE-Send-Key = 0x935a07684b32768b4bad05621fd1fa1dcd82570022d4d8fda870579e06c5d065
        EAP-MSK = 0xac1fbcd292f1bcc8515114d713f59da3b2712fb4a598f9f094d8cf5a7a556ebf935a07684b32768b4bad05621fd1fa1dcd82570022d4d8fda870579e06c5d065
        EAP-EMSK = 0xc0643be41db0849a106918ae56354e40e424c659a7c2f5ebe0157832bfb272594fdefddb6dda1aaff1f29edc595d00f901c8ab6b849456dbc68e96957a57ae26
        EAP-Session-Id = 0x1597eb8e0898b4751da8503c357587886eaa091a382ccd1ae649b062fbb81b0b785e7d21d7ffefedd9408b481375261044ec31eb149a9f98e006468d14bc88d20f
        EAP-Message = 0x03e80004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "240"

When the wireless connection to the AP is terminated and restarted, only then does the client send a DHCPDISCOVER and an IP in the new VLAN is received.

Mar 26 21:44:38 ubuntu NetworkManager[1127]: <info> [1585259078.1590] dhcp4 (wlp2s0b1): canceled DHCP transaction, DHCP client pid 4658
Mar 26 21:44:38 ubuntu NetworkManager[1127]: <info> [1585259078.1591] dhcp4 (wlp2s0b1): state changed bound -> done

Thu Mar 26 17:44:45 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "9B629866B005DFC7"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02d000841500160303004610000042410448f40a18b53ddf787816bbd783e199a54d716e3800ddcbf0bd9d35b6abc2cf14608f0845dc033a8fb09a161992df5f978f0b5329eb7869b1c01eea2ab04c2571140303000101160303002878bdec75227aef1505736356cce293bd2be45777e9a1598fe413e9cdb8747cc116a8ab7a1d363d2b
        State = 0xde704f4ad9a05a59dccd42aba3b9b626
        Message-Authenticator = 0x2a75d8b39eb01bcf913cd5ba15e93d75
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:44:45 2020
        Packet-Type = Access-Request
        User-Name = "dshields"
        NAS-Identifier = "7483c28d26de"
        Called-Station-Id = "74-83-C2-8D-26-DE:DF-Ubiquiti-Test"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "9B629866B005DFC7"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x02d1004b1500170303004078bdec75227aef160b426145747b0baa4723fec8c95e6e8f7f358f7af094a12515c95679de9001e7644c20ce06f65aa437dc52a6c935e149f59f74acc23e85cb
        State = 0xde704f4ad6a15a59dccd42aba3b9b626
        Message-Authenticator = 0xe2c154a19ed864c67c6a87d98a8a5b83
        NAS-IP-Address = 10.100.10.235

Thu Mar 26 17:44:45 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 via TLS tunnel)
Thu Mar 26 17:44:45 2020 : Auth: Login OK: [dshields] (from client OPSWAT-AP-AC-PRO port 0 cli 38-59-F9-81-5C-98)

Thu Mar 26 17:44:45 2020
        Packet-Type = Access-Accept
        User-Name = "dshields"
        MS-MPPE-Recv-Key = 0x805c3ac354b417d4afe8460122ccadd8b0a12c7c7f9e3a4f2a48f1c164305f9f
        MS-MPPE-Send-Key = 0x2fa894f2c73cc0adb7dd9a206555095428ff29441ad6b1554b56c796ebfeae71
        EAP-MSK = 0x805c3ac354b417d4afe8460122ccadd8b0a12c7c7f9e3a4f2a48f1c164305f9f2fa894f2c73cc0adb7dd9a206555095428ff29441ad6b1554b56c796ebfeae71
        EAP-EMSK = 0x3e1b10ae20fe9a4327415558071ece62bb3b283687f3f2a9c00cf9a97a4d46cc729b1278d5b97f7e2846f624aeb5ab749d2fa9fe219576554b1449cb3b64ad31
        EAP-Session-Id = 0x155a0d7198b91e71652901bd220de29a5e5ed27fd65fdb28febc7b3bef58d8614c5e7d224d4c76d85e188fda5429b2209806e51761b484ebb83f09a2de52a5a5dd
        EAP-Message = 0x03d10004
        Message-Authenticator = 0x00000000000000000000000000000000
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Type:0 += VLAN
        Tunnel-Medium-Type:0 += IEEE-802
        Tunnel-Private-Group-Id:0 += "240"

Mar 26 21:44:45 ubuntu NetworkManager[1127]: <info> [1585259085.5670] dhcp4 (wlp2s0b1): activation: beginning transaction (timeout in 45 seconds)
Mar 26 21:44:45 ubuntu NetworkManager[1127]: <info> [1585259085.5743] dhcp4 (wlp2s0b1): dhclient started with pid 5188
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPREQUEST for 10.103.230.59 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x77e7dffd)
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPNAK from 10.103.240.1 (xid=0xfddfe777)
Mar 26 21:44:45 ubuntu NetworkManager[1127]: <info> [1585259085.6370] dhcp4 (wlp2s0b1): state changed unknown -> expire
Mar 26 21:44:45 ubuntu NetworkManager[1127]: <info> [1585259085.6476] dhcp4 (wlp2s0b1): state changed expire -> unknown
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPDISCOVER on wlp2s0b1 to 255.255.255.255 port 67 interval 3 (xid=0xa64d391d)
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPOFFER of 10.103.240.56 from 10.103.240.1
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPREQUEST for 10.103.240.56 on wlp2s0b1 to 255.255.255.255 port 67 (xid=0x1d394da6)
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPACK of 10.103.240.56 from 10.103.240.1 (xid=0xa64d391d)
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4782] dhcp4 (wlp2s0b1): address 10.103.240.56
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4782] dhcp4 (wlp2s0b1): plen 24 (255.255.255.0)
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4782] dhcp4 (wlp2s0b1): gateway 10.103.240.1
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4783] dhcp4 (wlp2s0b1): lease time 43200
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4783] dhcp4 (wlp2s0b1): nameserver '10.101.3.3'
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4783] dhcp4 (wlp2s0b1): nameserver '8.8.8.8'
Mar 26 21:44:46 ubuntu NetworkManager[1127]: <info> [1585259086.4783] dhcp4 (wlp2s0b1): state changed unknown -> bound
ubuntu@ubuntu:/var/log$

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Last query: 2020-03-27
Last reply: 2020-04-03

asylum (grungelizard9) said : #1

I have also tested this on Ruckus wireless with the same results: Windows 10 and Android devices renew the IP on COA-disconnect, but Linux devices do not. Thanks.

I suggest you report a bug

asylum (grungelizard9) said : #3

Thanks ationparsnip. I've created https://bugs.launchpad.net/ubuntu/+bug/1870560 for this.
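
The condition described in the question, where the AP applies the VLAN from the Access-Accept but the client keeps a lease from the previous VLAN, can be checked by correlating the two logs. The following is an added example, not part of the original thread: the sample input is trimmed from the logs in the question, and the VLAN-to-subnet map, the 4-hour clock offset between the RADIUS server and the client, and all function names are assumptions read from or chosen for those logs.

```python
"""Flag Access-Accepts whose VLAN does not match the client's current DHCP lease."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample input: trimmed excerpts modelled on the logs in the question.
RADIUS_LOG = '''\
Thu Mar 26 17:32:27 2020
        Packet-Type = Access-Accept
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Private-Group-Id:0 += "230"

Thu Mar 26 17:33:01 2020
        Packet-Type = Access-Accept
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Private-Group-Id:0 += "240"

Thu Mar 26 17:35:10 2020
        Packet-Type = Access-Accept
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Private-Group-Id:0 += "230"

Thu Mar 26 17:42:47 2020
        Packet-Type = Access-Accept
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Private-Group-Id:0 += "240"

Thu Mar 26 17:44:45 2020
        Packet-Type = Access-Accept
        Calling-Station-Id = "38-59-F9-81-5C-98"
        Tunnel-Private-Group-Id:0 += "240"
'''

CLIENT_JOURNAL = '''\
Mar 26 21:32:27 ubuntu dhclient[4658]: DHCPACK of 10.103.230.59 from 10.103.230.1 (xid=0x6011dc41)
Mar 26 21:44:45 ubuntu dhclient[5188]: DHCPNAK from 10.103.240.1 (xid=0xfddfe777)
Mar 26 21:44:46 ubuntu dhclient[5188]: DHCPACK of 10.103.240.56 from 10.103.240.1 (xid=0xa64d391d)
'''

# Assumption: one /24 per VLAN, inferred from the leases shown in the question.
VLAN_SUBNETS = {
    "230": ipaddress.ip_network("10.103.230.0/24"),
    "240": ipaddress.ip_network("10.103.240.0/24"),
}
# Assumption: the client journal runs 4 hours ahead of the RADIUS log
# (17:29:13 on the server lines up with 21:29:13 on the client).
CLOCK_OFFSET = timedelta(hours=4)

ATTR_RE = re.compile(r'\s*([\w-]+)(?::\d+)?\s*\+?=\s*"?([^"]*)"?\s*$')
ACK_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhclient\[\d+\]: DHCPACK of (\S+) from")


def parse_access_accepts(text):
    """Return [(server_time, calling_station_id, vlan)] for each Access-Accept block."""
    accepts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        try:
            when = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # not a packet block (for example an "Auth: Login OK" line)
        attrs = {}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        if attrs.get("Packet-Type") != "Access-Accept":
            continue
        vlan = attrs.get("Tunnel-Private-Group-Id")
        mac = attrs.get("Calling-Station-Id")
        if vlan and mac:
            accepts.append((when, mac, vlan))
    return accepts


def parse_dhcp_acks(journal, year):
    """Return sorted [(client_time, leased_ip)] from dhclient DHCPACK lines."""
    acks = []
    for line in journal.splitlines():
        m = ACK_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            acks.append((when, ipaddress.ip_address(m.group(2))))
    return sorted(acks)


def find_stale_leases(accepts, acks, settle=timedelta(seconds=30)):
    """Flag accepts where, `settle` after the accept, the lease is outside the VLAN's subnet."""
    findings = []
    for when, mac, vlan in accepts:
        subnet = VLAN_SUBNETS.get(vlan)
        if subnet is None:
            continue  # unknown VLAN: nothing to compare against
        deadline = when + CLOCK_OFFSET + settle
        lease = None
        for ack_time, ip in acks:
            if ack_time <= deadline:
                lease = ip  # most recent lease the client held by the deadline
        if lease is None or lease not in subnet:
            findings.append((when, mac, vlan, str(lease) if lease else None))
    return findings


if __name__ == "__main__":
    acks = parse_dhcp_acks(CLIENT_JOURNAL, 2020)
    for when, mac, vlan, lease in find_stale_leases(parse_access_accepts(RADIUS_LOG), acks):
        print(f"{when} {mac}: assigned VLAN {vlan} but lease is {lease}")
```

On the sample it flags the two Access-Accepts that moved the client to VLAN 240 while it still held 10.103.230.59, and not the one at 17:44:45 that was followed by a fresh lease.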
