X460 reauth/CoA from Forescout

PhilDyer — Mon, 24 Jul 2023 16:23:30 GMT

Hi, does anyone have any experience with reauthentication commands issued from Forescout appliances?

I've confirmed that the Forescout appliances are sending the reauthenticate command with the relevant info to the switch, but the switch doesn't seem to be acknowledging this. Whether I use CoA or manually force a reauth.

On the switch side of things, dynamic authorization is enabled and reauthenticate is enabled for the port that my client is connected to.

Re: X460 reauth/CoA from Forescout

NikAll — Fri, 25 Apr 2025 06:24:36 GMT

Morning

did you get all this to work?

Re: X460 reauth/CoA from Forescout

Gabriel_G — Wed, 14 May 2025 13:48:37 GMT

Hi Phil,

I don't have a setup with Forescout, but the required AVPs should be the same regardless. This is documented in the 'Change-of-Authorization Mandatory Attributes' section of the user guide.

page 1159: https://documentation.extremenetworks.com/switchengine_32.7.1/downloads/SwitchEngine_User_Guide_32.7.1.pdf

Using FreeRadius, I initiate a CoA using a command similar to the following:

echo "Calling-Station-ID = 16-92-F9-E6-DB-7C, NAS-IP-Address = 2.2.2.1, Filter-Id = test" | radclient -x -r 1 2.2.2.1:3799 coa gns3

Where:

-Calling-Station-ID is the MAC address of the authenticated client who's auth session is being changed.

-NAS-IP-Address is the IP of the switch authenticating the client.

-Filter-ID is the new policy profile to assign to the client.

-Additionally, note that the RADIUS packet must be a 'CoA' packet with the correct shared-secret (gns3 in this case), udp port number (3799 by default), etc.

-Attributes like 'message authenticator' should also be present, but that usually happens automatically depending on your NAC solution.

On the switch side, the following is configured in my example setup:

-Basic mgmt IP that can ping the RADIUS server

-RADIUS netlogin and dynamic auth are enabled and configured with a shared secret.

-Netlogin is enabled on the relevant client port for either MAC or dot1x auth.

-Policy is also enabled with some basic profiles in my example setup

#
# Module aaa configuration.
#
configure radius netlogin 1 server 2.2.2.2 1812 client-ip 2.2.2.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$n/IaHgb009BStaephqiOIOCblSE/vw=="
configure radius dynamic-authorization 1 server 2.2.2.2 client-ip 2.2.2.1 vr VR-Default shared-secret encrypted "#$RXGUNOJWRvMjnF+viXeJXUTtruqofA=="
enable radius netlogin
enable radius dynamic-authorization

EXOS-VM.2 # show conf netlogin
#
# Module netLogin configuration.
#
enable netlogin mac
enable netlogin ports 1,11 mac

EXOS-VM.3 # show conf policy
#
# Module policy configuration.
#
configure policy profile 1 name "AP" pvid-status "enable" pvid 4095 auth-override "enable"
configure policy profile 2 name "test" pvid-status "enable" pvid 4095
enable policy

I believe you can also use RFC3580 tunnel attributes instead of filter-IDs in the CoA response. You may need to set the maptable response to tunnel or both:
configure policy maptable response
both Apply both attributes
policy Apply the filter-id attribute
tunnel Apply the vlan-tunnel attribute

If you need a VLAN to be dynamically created, turn on VLANauthorization: conf policy vlanauthorization enable

Hope that helps!

topic Re: X460 reauth/CoA from Forescout in ExtremeSwitching (EXOS/Switch Engine)

X460 reauth/CoA from Forescout

Re: X460 reauth/CoA from Forescout

Re: X460 reauth/CoA from Forescout