COA messages troubleshooting

Alexs20
Getting noticed

COA messages troubleshooting

Hi everybody

 

I have a question about CoA messages.

I am following this document:

 

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html

 

And my question is about how can I troubleshoot the reason for not answering to CoA messages?

 

For example, when I am targeting session that does not exist already, instead of return NAK the access point just keep silence, and on my side i have zero knowledge about what went wrong, it because of time drift? or maybe network problem? or i am sending bad message.

The Log/Events section in Meraki Cloud is also keep full silence about what is going on and why AP is not answering.

 

How can I troubleshoot such cases and force the AP to respond? Is it possible to just send a test Coa to AP just to make sure that at least no problems in the network? Any PONG-PONG coa message? Anything?

 

Thanks.

10 Replies 10
RaphaelL
Kind of a big deal
Kind of a big deal

Are you sure that the CoA is reaching your APs ? Can you see it with a LAN packet capture ?

 

 

Alexs20
Getting noticed

Yes. When I am targeting a real session then I am getting the AK message back.

alemabrahao
Kind of a big deal
Kind of a big deal

What exactly do you want to solve, can you give more details about your scenario? Authentication type for example.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

I am trying to find a way to test that my messages are reaching the AP without using any session for that.

Imagine I have a site with 100 APs installed. And I want to send "TEST" COA to all of them and see if I get response from all of them - just to make sure that there is no issues with passing UDP traffic from my service to all APs.

alemabrahao
Kind of a big deal
Kind of a big deal

Maybe it can help a little.

 

https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

Yeah, I know how CoA and Disconnects work. And from my experience there is a way to implement what I am trying to do. The proper way to do that is to send CoA with either Calling-Station-Id or Acct-Session-Id set mac address that does not exist, like 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF, and in that case, if the remote device implemented the CoA protocol correctly, the device will respond with NAK and message saying that Session context not found...

But looks like Meraki is again trying to invent their own rules and instead of just sending the NAK ignoring the request

 

RaphaelL
Kind of a big deal
Kind of a big deal

Is it referenced in the RFC ? If so , open a case. Else , that might be "expected"

alemabrahao
Kind of a big deal
Kind of a big deal

It seems like you always have an answer ready, well in your case I suggest opening a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

yeah, I am a getting all that a bit emotionally because this is not the first "anomaly" that i see, and because of the time limits that i have to finish the integration i cannot play with support cases and wait for fixes and make another try, i need the solution asap, and every time i change the direction and trying to go around the problem i am hitting another wall.

 

--EDIT--

I am also sure for 99.999% that any my request to support will end up with response that this is how it is designed to be, already tried with several cases, so just a wasting of time, if it doesn't work as expected, then ok, it doesn't work... 😕

rhbirkelund
Kind of a big deal
Kind of a big deal

If you enable RADIUS testing on the SSID, the APs will regularly be sending an Access-Request with "meraki_802.1x_test" identity. A test is considered succesful if the AP gets any response (Challenge, Accept/Reject). If no response is provided for the Access-Request, a failure is considered, and the Dashboard will raise an Alert. This is all described per documentation; https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X...

 

But, as I understand, rather than relying on Meraki RADIUS testing form AP to RADIUS server, you'd rather like to send a CoA to the AP instead, inorder to test connectivity? I'm not familiar with the RFC, so I'll take your word that if a CoA is sent, the AP ought to respond with a NAK whether or not the CoA is valid or not, and use this to monitor connectivity to the APs?

 

What type of encryption is your SSID using?

Also, according to the CoA documentation (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... it's recommended to enable Cisco ISE, regardless if you're using ISE or not, for CoA.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels