COA messages troubleshooting

Alexs20
Getting noticed


Hi everybody,

I have a question about CoA messages.

I am following this document:

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html

 

And my question is about how I can troubleshoot the reason for not answering CoA messages.

For example, when I am targeting a session that does not exist, instead of returning a NAK the access point just keeps silent, and on my side I have zero knowledge about what went wrong: is it because of time drift? Or maybe a network problem? Or am I sending a bad message?

The Log/Events section in Meraki Cloud also keeps completely silent about what is going on and why the AP is not answering.

How can I troubleshoot such cases and force the AP to respond? Is it possible to just send a test CoA to the AP to make sure that at least there are no problems in the network? Any PING-PONG CoA message? Anything?

Thanks.

RaphaelL
Kind of a big deal

Are you sure that the CoA is reaching your APs? Can you see it with a LAN packet capture?

Yes. When I am targeting a real session then I am getting the ACK message back.

alemabrahao
Kind of a big deal

What exactly do you want to solve, can you give more details about your scenario? Authentication type for example.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I am trying to find a way to test that my messages are reaching the AP without using any session for that.

Imagine I have a site with 100 APs installed, and I want to send a "TEST" CoA to all of them and see if I get a response from all of them, just to make sure that there are no issues with passing UDP traffic from my service to all APs.

alemabrahao
Kind of a big deal

Maybe it can help a little.

https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Yeah, I know how CoA and Disconnects work. And from my experience there is a way to implement what I am trying to do. The proper way to do that is to send a CoA with either Calling-Station-Id or Acct-Session-Id set to a MAC address that does not exist, like 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF, and in that case, if the remote device implemented the CoA protocol correctly, the device will respond with a NAK and a message saying that the session context was not found...

But it looks like Meraki is again trying to invent their own rules and, instead of just sending the NAK, is ignoring the request.
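The probe described in the post above (a CoA-Request for a session that cannot exist, expecting a CoA-NAK with Error-Cause 503 "Session Context Not Found"), written out as an added example. This is not code from the thread, from Meraki, or from the linked Cisco document; it follows the packet layout and authenticator rules of RFC 5176, assumes the standard dynamic-authorization port 3799, uses a placeholder shared secret, and builds the NAS reply it decodes as a constructed sample so that the decoding can be checked offline. The value of separating the three outcomes (no reply at all, reply that fails the Response Authenticator check, authenticated ACK/NAK) is that each points at a different cause: a UDP path or silent-NAS problem, a wrong shared secret or spoofed reply, or a NAS that is answering as the RFC expects.

```python
"""CoA connectivity probe: build a CoA-Request, verify it, decode the reply (RFC 5176)."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45        # RADIUS packet codes
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_ERROR_CAUSE = 101
ERROR_CAUSE_NAMES = {                             # subset of the RFC 5176 Error-Cause table
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
}
_ZERO16 = bytes(16)


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_coa_request(secret, attrs, identifier):
    """CoA-Request carrying a Message-Authenticator.

    The HMAC-MD5 is taken over the packet with the Request Authenticator field and
    the attribute's own value zeroed; the Request Authenticator (MD5 over the finished
    packet plus the shared secret) is filled in afterwards.
    """
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, _ZERO16)   # placeholder, kept last
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + _ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac
    request_auth = hashlib.md5(header + _ZERO16 + body + secret).digest()
    return header + request_auth + body


def verify_coa_request(packet, secret):
    """Re-check both authenticators of a request produced by build_coa_request."""
    header, request_auth, body = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + _ZERO16 + body + secret).digest() != request_auth:
        return False
    offset = 0
    for attr_type, value in parse_attributes(body):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = body[:offset + 2] + _ZERO16 + body[offset + 18:]
            expected = hmac.new(secret, header + _ZERO16 + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += len(value) + 2
    return False                                      # no Message-Authenticator present


def interpret_response(request, response, secret):
    """Authenticate a CoA-ACK/NAK against its request and decode Error-Cause.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    if len(response) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("bad length field")
    response = response[:length]
    if identifier != request[1]:
        raise ValueError("identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or spoofed reply)")
    result = {"code": {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(code, "code %d" % code),
              "error_cause": None, "error_cause_name": None}
    for attr_type, value in parse_attributes(response[20:]):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            result["error_cause"] = cause
            result["error_cause_name"] = ERROR_CAUSE_NAMES.get(cause, "unknown")
    return result


def sample_nak_for(request, secret, cause=503):
    """Constructed sample of the CoA-NAK a conforming NAS returns for an unknown session."""
    body = _attr(ATTR_ERROR_CAUSE, struct.pack("!I", cause))
    header = struct.pack("!BBH", COA_NAK, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def probe(nas_host, secret, port=3799, timeout=2.0):
    """Send one request for the impossible session 00:00:00:00:00:00 and classify the outcome."""
    request = build_coa_request(secret, [(ATTR_CALLING_STATION_ID, b"00:00:00:00:00:00")], 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"status": "no-response", "hint": "UDP/%d blocked, NAS silent, or wrong target" % port}
    try:
        return dict(status="answered", **interpret_response(request, data, secret))
    except ValueError as exc:
        return {"status": "bad-reply", "hint": str(exc)}


if __name__ == "__main__":
    import sys
    secret = b"shared-secret-placeholder"             # placeholder, not a real secret
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], secret))              # live probe against one NAS/AP address
    else:                                              # offline: decode the constructed NAK
        req = build_coa_request(secret, [(ATTR_CALLING_STATION_ID, b"00:00:00:00:00:00")], 1)
        print(interpret_response(req, sample_nak_for(req, secret), secret))
```

Run without arguments to see the decoded constructed NAK; with an address it sends a single probe and reports one of `no-response`, `bad-reply` or `answered`. A `no-response` result alone cannot distinguish a blocked UDP path from a NAS that deliberately stays silent on unknown sessions, which is exactly the ambiguity this thread is about; a packet capture on the LAN side of the AP, as suggested earlier in the thread, is what separates the two.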

RaphaelL
Kind of a big deal

Is it referenced in the RFC? If so, open a case. Else, that might be "expected".

alemabrahao
Kind of a big deal

It seems like you always have an answer ready, well in your case I suggest opening a support case.


Yeah, I am taking all that a bit emotionally because this is not the first "anomaly" that I see, and because of the time limits that I have to finish the integration I cannot play with support cases and wait for fixes and make another try; I need the solution ASAP, and every time I change direction and try to go around the problem I am hitting another wall.

--EDIT--

I am also 99.999% sure that any request of mine to support will end up with a response that this is how it is designed to be; I already tried with several cases, so it is just a waste of time. If it doesn't work as expected, then ok, it doesn't work... 😕

rhbirkelund
Kind of a big deal

If you enable RADIUS testing on the SSID, the APs will regularly be sending an Access-Request with the "meraki_802.1x_test" identity. A test is considered successful if the AP gets any response (Challenge, Accept/Reject). If no response is provided for the Access-Request, it is considered a failure, and the Dashboard will raise an Alert. This is all described in the documentation: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X...

But, as I understand, rather than relying on Meraki RADIUS testing from AP to RADIUS server, you'd rather like to send a CoA to the AP instead, in order to test connectivity? I'm not familiar with the RFC, so I'll take your word that if a CoA is sent, the AP ought to respond with a NAK whether or not the CoA is valid, and use this to monitor connectivity to the APs?

What type of encryption is your SSID using?

Also, according to the CoA documentation (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... it's recommended to enable Cisco ISE, regardless of whether you're using ISE or not, for CoA.

LinkedIn ::: https://blog.rhbirkelund.dk/
