07-24-2023 09:23 AM
Hi, does anyone have any experience with reauthentication commands issued from Forescout appliances?
I've confirmed that the Forescout appliances are sending the reauthenticate command with the relevant info to the switch, but the switch doesn't seem to be acknowledging it, whether I use CoA or manually force a reauth.
On the switch side of things, dynamic authorization is enabled and reauthenticate is enabled for the port that my client is connected to.
05-14-2025 06:46 AM - edited 05-14-2025 06:48 AM
Hi Phil,
I don't have a setup with Forescout, but the required AVPs should be the same regardless. This is documented in the 'Change-of-Authorization Mandatory Attributes' section of the user guide.
page 1159: https://documentation.extremenetworks.com/switchengine_32.7.1/downloads/SwitchEngine_User_Guide_32.7...
Using FreeRadius, I initiate a CoA using a command similar to the following:
echo "Calling-Station-ID = 16-92-F9-E6-DB-7C, NAS-IP-Address = 2.2.2.1, Filter-Id = test" | radclient -x -r 1 2.2.2.1:3799 coa gns3
Where:
-Calling-Station-ID is the MAC address of the authenticated client whose auth session is being changed.
-NAS-IP-Address is the IP of the switch authenticating the client.
-Filter-ID is the new policy profile to assign to the client.
-Additionally, note that the RADIUS packet must be a 'CoA' packet with the correct shared secret (gns3 in this case), UDP port number (3799 by default), etc.
-Attributes like 'message authenticator' should also be present, but that usually happens automatically depending on your NAC solution.
On the switch side, the following is configured in my example setup:
-Basic mgmt IP that can ping the RADIUS server
-RADIUS netlogin and dynamic auth are enabled and configured with a shared secret.
-Netlogin is enabled on the relevant client port for either MAC or dot1x auth.
-Policy is also enabled with some basic profiles in my example setup
#
# Module aaa configuration.
#
configure radius netlogin 1 server 2.2.2.2 1812 client-ip 2.2.2.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$n/IaHgb009BStaephqiOIOCblSE/vw=="
configure radius dynamic-authorization 1 server 2.2.2.2 client-ip 2.2.2.1 vr VR-Default shared-secret encrypted "#$RXGUNOJWRvMjnF+viXeJXUTtruqofA=="
enable radius netlogin
enable radius dynamic-authorization
EXOS-VM.2 # show conf netlogin
#
# Module netLogin configuration.
#
enable netlogin mac
enable netlogin ports 1,11 mac
EXOS-VM.3 # show conf policy
#
# Module policy configuration.
#
configure policy profile 1 name "AP" pvid-status "enable" pvid 4095 auth-override "enable"
configure policy profile 2 name "test" pvid-status "enable" pvid 4095
enable policy
I believe you can also use RFC3580 tunnel attributes instead of filter-IDs in the CoA response. You may need to set the maptable response to tunnel or both:
configure policy maptable response
both Apply both attributes
policy Apply the filter-id attribute
tunnel Apply the vlan-tunnel attribute
If you need a VLAN to be dynamically created, turn on VLAN authorization: conf policy vlanauthorization enable
Hope that helps!
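As an added example (my own code, not from the original post, from FreeRADIUS or from Extreme Networks), the following Python script builds the same CoA-Request that the radclient command above sends, carrying Calling-Station-Id, NAS-IP-Address, Filter-Id and Message-Authenticator, and then applies the checks a switch performs before it answers with CoA-ACK: the Request Authenticator (MD5 over the packet and shared secret, RFC 5176 section 2.3) and the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 5176 section 3.3). The MAC, NAS IP, Filter-Id and secret are the values from the post; the function names are mine. It is useful for the original question because a switch that receives a CoA with a wrong shared secret or a bad authenticator drops it silently, which looks exactly like "the switch isn't acknowledging".

```python
"""Build and validate RADIUS Change-of-Authorization packets (RFC 5176).
Added example for the thread above; values are the ones quoted in the post."""
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute type codes (RFC 2865 / RFC 3579).
ATTR = {
    "NAS-IP-Address": 4,
    "Filter-Id": 11,
    "Calling-Station-Id": 31,
    "Message-Authenticator": 80,
}


def _avp(attr_type, value):
    """Encode one attribute as type (1 byte), length (1 byte, incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(secret, mac, nas_ip, filter_id, packet_id=1):
    """Return the raw CoA-Request bytes radclient would send for the quoted command."""
    key = secret.encode()
    avps = (
        _avp(ATTR["Calling-Station-Id"], mac.encode())
        + _avp(ATTR["NAS-IP-Address"], ipaddress.IPv4Address(nas_ip).packed)
        + _avp(ATTR["Filter-Id"], filter_id.encode())
    )
    ma_offset = 20 + len(avps) + 2          # value offset of the Message-Authenticator AVP
    avps += _avp(ATTR["Message-Authenticator"], bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", COA_REQUEST, packet_id, 20 + len(avps))
    # Step 1 (RFC 5176 s3.3): HMAC-MD5 over the packet with Request Authenticator
    # and Message-Authenticator both zeroed, keyed with the shared secret.
    pkt = bytearray(header + bytes(16) + avps)
    pkt[ma_offset:ma_offset + 16] = hmac.new(key, bytes(pkt), hashlib.md5).digest()
    # Step 2 (RFC 5176 s2.3): Request Authenticator = MD5(packet with zero auth + secret).
    pkt[4:20] = hashlib.md5(bytes(pkt) + key).digest()
    return bytes(pkt)


def parse_avps(pkt):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        yield t, i + 2, pkt[i + 2:i + length]
        i += length


def decode_avps(pkt):
    """Return the attributes as a name -> printable value dict (unknown types keyed by number)."""
    names = {v: k for k, v in ATTR.items()}
    out = {}
    for t, _off, val in parse_avps(pkt):
        name = names.get(t, str(t))
        if t == ATTR["NAS-IP-Address"]:
            out[name] = str(ipaddress.IPv4Address(val))
        elif t == ATTR["Message-Authenticator"]:
            out[name] = val.hex()
        else:
            out[name] = val.decode(errors="replace")
    return out


def verify_coa_request(pkt, secret):
    """The NAS-side check: False means a real switch would silently discard the request."""
    key = secret.encode()
    code, _pid, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt) or length < 20:
        return False
    zero_auth = pkt[:4] + bytes(16) + pkt[20:]
    if not hmac.compare_digest(hashlib.md5(zero_auth + key).digest(), pkt[4:20]):
        return False                           # wrong shared secret or altered packet
    for t, off, val in parse_avps(pkt):
        if t == ATTR["Message-Authenticator"]:
            zeroed = bytearray(zero_auth)
            zeroed[off:off + 16] = bytes(16)
            return hmac.compare_digest(hmac.new(key, bytes(zeroed), hashlib.md5).digest(), val)
    return True  # no Message-Authenticator: acceptance then depends on NAS policy


def build_coa_response(request, secret, ack=True):
    """CoA-ACK/NAK with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret.encode()).digest()


def verify_coa_response(request, response, secret):
    """Client-side check that the ACK/NAK really came from the NAS holding the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_coa_request("gns3", "16-92-F9-E6-DB-7C", "2.2.2.1", "test")
    print(len(req), "bytes:", req.hex())
    print(decode_avps(req))
    print("switch would accept:", verify_coa_request(req, "gns3"))
    print("with wrong secret:  ", verify_coa_request(req, "not-gns3"))
```

To debug a silent switch, feed a capture of the real CoA bytes (from tcpdump on port 3799) into verify_coa_request with the secret from `configure radius dynamic-authorization ... shared-secret`; if it returns False the secrets differ or something rewrote the packet in transit, and if it returns True the problem is elsewhere (client-ip mismatch, session not found, or the AVPs not matching the session).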
04-24-2025 11:24 PM
Morning, did you get all this to work?