FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 196470

Description

 

This article covers cases where FortiNAC sends a RADIUS CoA Disconnect-Request but the network device answers with a Disconnect-NAK because it cannot process the session-identification attributes needed to perform the action: either the device does not support an attribute that FortiNAC sends, or an attribute the device requires is missing or in the wrong format.


Scope

FortiNAC

Aruba IAPs


Solution


1. Wireless clients connecting to Aruba IAPs do not automatically move between networks (for example, after successfully registering, when they need to be moved to the production network).

 

FortiNAC attempts to disconnect the client so that it reconnects on the new network, but the IAP does not accept the disconnect request. This prevents the change from completing.

The output.master log file on the FortiNAC server shows messages similar to the following:


ClearSessThread2 Disconnect request to 10.100.97.254 for 44:85:00:CE:3B:73 failed, error code = 0.0.1.f7.
Acting on station 44:85:00:CE:3B:73 on device 10.100.97.254 Vendor: ArubaIAP Prot: RADIUS Status = FAILURE

Disabling and re-enabling Wi-Fi on the client, or disassociating the client from the IAP and reconnecting, allows the network change to take effect.

In later versions of Aruba code, the IAP no longer accepts certain attributes (NAS-IP and Acct-Session-ID) that Network Sentry (the previous name of FortiNAC) includes in the disconnect request.

Workaround: Contact Support to implement a fix. The fix removes those attributes from the disconnect request. Reference solution: Network Sentry Unable to Disconnect Aruba IAP Hosts.

2. Error code = 0.0.1.f7 can also indicate that a specific attribute is missing, or is sent in the wrong format, when FortiNAC sends a disconnect request.

 

In the example below, an HPE switch is integrated with FortiNAC.

To perform a session disconnect, the switch requires at least one of the following attributes, in exactly the format shown:

 

User-Name (1): the User-Name returned in the Access-Accept, or used during authentication - <user-name>
Calling-Station-Id (31): the client's MAC address, with hyphens delimiting the octets - <oct1>-<oct2>-<oct3>-<oct4>-<oct5>-<oct6>

 

More information is provided here.

 

Collecting a PCAP shows that FortiNAC sends the attribute in the following format:

 

RADIUS Protocol
Code: Disconnect-Request (40)
Packet identifier: 0x12 (18)
Length: 40
Authenticator: 4fa3384a337714985ab591dee0f661ee
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: t=Calling-Station-Id(31) l=14 val=YYYYYYXXXXXX <- Wrong format. This should be YY-YY-YY-XX-XX-XX, as defined in the switch's Session-Identification attribute format.

 

The switch responds to FortiNAC as follows:

 

RADIUS Protocol
Code: Disconnect-NAK (42)
Packet identifier: 0x12 (18)
Length: 38
Authenticator: 92fb811c8841f61f8b65e57297c56144
[This is a response to a request in frame 1]
[Time from request: 0.016180000 seconds]
Attribute Value Pairs
AVP: t=Error-Cause(101) l=6 val=Session-Context-Not-Found(503)
AVP: t=Vendor-Specific(26) l=12 vnd=H3C(25506)

 

'Session Context Not Found' (Error-Cause 503) is a fatal error, sent if the session context identified in the request does not exist on the NAS.

In this case, the NAS (switch) does not recognize the format of Calling-Station-Id(31) l=14 val=YYYYYYXXXXXX, so it cannot match the request to any existing session and rejects it.

 

Workaround: Contact Support to implement a fix. Depending on how the device is modeled and its matching entry in radiusproperties, a delimiter option is added so that the Calling-Station-Id is sent with the delimiter the switch requires.
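To make the two failure modes above concrete, here is an added example in Python; it is not FortiNAC, Aruba or HPE code. It builds a Disconnect-Request whose attribute list and Calling-Station-Id delimiter are chosen by the caller, computes the Request and Response Authenticators as RFC 5176 specifies, and decodes a Disconnect-NAK into its Error-Cause. The shared secret, the packet identifiers, and the simulated switch that only finds a session for a hyphen-delimited MAC are assumptions for illustration; the H3C Vendor-Specific attribute seen in the real NAK is simply skipped by the decoder. The same builder covers the Aruba case in section 1, because dropping NAS-IP and Acct-Session-ID just means leaving them out of the attribute list.

```python
"""RFC 5176 Disconnect-Request builder and Disconnect-NAK decoder (added example, not FortiNAC code)."""
import hashlib
import hmac
import re
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}

# Attribute types from RFC 2865 / RFC 5176 that appear in the captures above
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 31, 44, 101

# Error-Cause values a CoA client should be able to name (RFC 5176 section 3.5)
ERROR_CAUSE_NAMES = {
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    404: "Invalid-Request", 407: "Invalid-Attribute-Value",
    501: "Administratively-Prohibited", 503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable", 506: "Resources-Unavailable",
}


def format_mac(mac, delimiter="-", upper=True):
    """Rewrite a MAC in any common notation as six octets joined by `delimiter`.
    delimiter="" gives the undelimited YYYYYYXXXXXX form from the capture;
    delimiter="-" gives the YY-YY-YY-XX-XX-XX form the HPE switch requires."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def encode_avps(avps):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_disconnect_request(identifier, secret, avps):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]) for one RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], avps


def verify_response(response, request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def explain_reply(response, request, secret):
    """Decode what the NAS answered: packet type, Error-Cause, and whether the reply is genuine."""
    code, identifier, _, avps = parse_packet(response)
    _, req_id, _, _ = parse_packet(request)
    error_cause = None
    for attr_type, value in avps:  # other AVPs (e.g. the switch's Vendor-Specific) are ignored
        if attr_type == ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            error_cause = (cause, ERROR_CAUSE_NAMES.get(cause, "Unknown"))
    return {"code": CODE_NAMES.get(code, str(code)), "id_matches": identifier == req_id,
            "authentic": verify_response(response, request, secret), "error_cause": error_cause}


def simulated_switch(request, secret):
    """Constructed stand-in for the switch: it only finds a session when the Calling-Station-Id
    is hyphen-delimited, and otherwise answers Disconnect-NAK with Error-Cause 503."""
    _, identifier, _, avps = parse_packet(request)
    csid = dict(avps).get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if re.fullmatch(r"([0-9A-F]{2}-){5}[0-9A-F]{2}", csid):
        code, body = DISCONNECT_ACK, b""
    else:
        code, body = DISCONNECT_NAK, encode_avps([(ERROR_CAUSE, struct.pack("!I", 503))])
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


# Constructed sample exchange: assumed shared secret, MAC taken from the log lines above.
SECRET = b"testing123"
MAC = "44:85:00:ce:3b:73"
# The request as captured: Calling-Station-Id without delimiters (AVP l=14, as in the PCAP).
bad_request = build_disconnect_request(0x12, SECRET, [(CALLING_STATION_ID, format_mac(MAC, "").encode())])
# The same request once the delimiter option has been applied.
good_request = build_disconnect_request(0x13, SECRET, [(CALLING_STATION_ID, format_mac(MAC, "-").encode())])

if __name__ == "__main__":
    for label, req in (("undelimited MAC", bad_request), ("hyphenated MAC", good_request)):
        print(label, "->", explain_reply(simulated_switch(req, SECRET), req, SECRET))
```

Run as-is, the undelimited request is answered with Disconnect-NAK / Session-Context-Not-Found (503) while the hyphenated one gets a Disconnect-ACK, which is the same contrast the PCAP above shows before and after the fix. Against a real NAS you would send `bad_request` or `good_request` over UDP to the CoA port (3799) and hand the returned datagram to `explain_reply`; the `authentic` check matters because a NAK computed with the wrong shared secret would otherwise look exactly like the switch's.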