Configuration details for sending CoA/Disconnect messages, which are required to use aspects of Tiered Bandwidth.
Aruba Instant (IAP)
In order for CoA / Disconnect to be enabled, you need to activate the Dynamic RADIUS Proxy feature. This effectively proxies all RADIUS traffic through your current master IAP (virtual controller), rather than being sent by each individual AP.
When Dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured.
For Aruba Central:
- Select ‘Wireless Management -> System’
- Enable ‘Dynamic RADIUS Proxy’
- Select ‘Save Settings’
For Locally-Managed IAP:
- Select ‘System’
- Set a static ‘Virtual Controller IP’
- Enable ‘Dynamic RADIUS Proxy’
- Select ‘OK’ to save settings
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your master IAP (virtual controller) uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the virtual controller IP on your local network.
Aruba Central (Controller-based)
RADIUS Configuration
- Select ‘Configuration -> Authentication -> Auth Servers’
- Under ‘All Servers’, select ‘Add’ and set the IP address to the IP address of RADIUS Server 1 as configured in the controller
- Repeat this process and add the IP address of RADIUS Server 2
- Select ‘Submit’ and then edit both of the servers you just created to paste the RADIUS secret
- Select ‘Submit’
- Select ‘RFC 3576 Server’
- Add both of the servers created above
- Select ‘Submit’
- Select ‘Apply Pending Changes’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your Aruba controller uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal Aruba controller management IP on your local network.
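Per RFC 5176 (which obsoletes RFC 3576), a CoA or Disconnect request arriving on UDP 3799 is authenticated with the shared RADIUS secret, which is why the forwarded port should only be reachable from the configured RADIUS servers. The following Python sketch is an added example, not vendor or provider code, showing the source and authenticator checks a receiver applies; the secret, server IPs and attribute values are constructed.

```python
import hashlib
import hmac
import struct

# RFC 5176 request codes carried on UDP 3799.
REQUEST_CODES = {40: "Disconnect-Request", 43: "CoA-Request"}

def _authenticator(header, attrs_bytes, secret):
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs_bytes + secret).digest()

def build_request(code, ident, attrs, secret):
    """Build a signed request; used here only to create the constructed sample."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def verify_request(packet, secret, src_ip, allowed_sources):
    """Return (request name, attribute list) or raise ValueError."""
    if src_ip not in allowed_sources:
        raise ValueError("source is not an approved RADIUS server")
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_CODES:
        raise ValueError("not a CoA or Disconnect request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    packet = packet[:length]  # ignore any trailing padding
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch (wrong secret or tampering)")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return REQUEST_CODES[code], attrs

# Constructed sample values (assumptions, not from the page).
SECRET = b"constructed-shared-secret"
RADIUS_SERVERS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_ATTRS = [(1, b"guest01"), (44, b"sess-0001")]  # User-Name, Acct-Session-Id
SAMPLE = build_request(40, 7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(verify_request(SAMPLE, SECRET, "192.0.2.10", RADIUS_SERVERS))
```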
Cisco WLC
RADIUS Configuration
- Select ‘Security’
- Select ‘AAA -> RADIUS Authentication’
- For both RADIUS servers, enable ‘Support for CoA’
- Select ‘Apply’
- Select ‘Save Configuration’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your WLC uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal Cisco WLC management IP on your local network.
Extreme IdentiFi
RADIUS Configuration
- Select ‘VNS’
- Select ‘DAS’
- Set the value for ‘Port’ to 3799
- Select ‘Save’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your Extreme IdentiFi controller uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal Extreme IdentiFi controller management IP on your local network.
Extreme (RFS WiNG)
RADIUS Configuration
- Select ‘Configuration -> Wireless -> Wireless LANs’
- Select ‘Advanced’
- Enable ‘RADIUS Dynamic Authorization’
- Select ‘OK’
- Select ‘Configuration -> Profiles’ and edit your controller profile
- Under ‘Advanced’, set ‘Additional Port’ to 3799
- Select ‘OK’
- Select ‘Save Changes’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your Extreme RFS controller uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal Extreme RFS controller management IP on your local network.
MikroTik Routerboard
RADIUS Configuration
- Select ‘RADIUS’
- Select ‘Incoming’
- Enable ‘Accept’
- Set ‘Port’ to 3799
- Select ‘OK’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS servers. Please create a rule directly on your MikroTik under IP > Firewall > Filter Rules. If your MikroTik is using an external, public-facing WAN IP, no further action is required. However, if your MikroTik is behind another router, you will also need to forward port 3799 (UDP) to the internal MikroTik IP on your local network.
Ruckus (SmartZone Managed)
RADIUS Configuration
There is no additional configuration required for CoA to work on the Ruckus SmartZone, as this is supported by default.
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your SZ uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal SZ management IP on your local network.
Ruckus (ZoneDirector Managed)
RADIUS Configuration
There is no additional configuration required for CoA to work on the Ruckus SmartZone, as this is supported by default.
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your ZD uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the internal ZD management IP on your local network.
Ubiquiti UniFi
RADIUS Configuration
- Select ‘Settings -> Guest Control’
- Set ‘Disconnect Requests’ to ‘Accept incoming disconnect requests’
- Set ‘Receiver Port’ to 3799
- Select ‘Apply Changes’
Firewall Configuration
CoA works by accepting inbound traffic from our RADIUS. We will send this request back to the same WAN IP that your UniFi controller uses for outbound traffic to our RADIUS. Therefore, you will need to forward port 3799 (UDP) on your firewall from this WAN IP to the UniFi controller IP on your local network.