User Manager isn't sending NAS-Identifier

Has anyone here successfully made CoA requests to their UniFi APs? I am trying to manually stop my session from Winbox, and I’ve noticed in Wireshark that User-Manager will send multiple Disconnect-Requests but the NAS doesn’t even respond with an ACK or NAK. I researched the documentation for UniFi and it states that the NAS-Identifier is required, but when I look at the attributes that are sent with the Disconnect Request it doesn’t seem to be one that is sent.

Maybe it’s something else? Has anyone gotten it to work?

Just wanted to double check this before I report it

This is a known issue, and I’ve filed a support request (SUP-163983) last year about it:
user-man-sup-163983-2.png
Unfortunately, MikroTik has refused to make the change and closed the ticket; this was their answer:

user-man-sup-163983.png
I’ve since made a new attempt and suggested an alternative feature, SUP-178502 - UserManager: Allow custom attributes that will be included in CoA messages

user-man-sup-178502.png
This one currently looks more promising, because MikroTik has not yet rejected it, but has answered: "We will see what we can do about it." So, fingers crossed.

I’ve quickly read through https://www.rfc-editor.org/rfc/rfc5176#section-3

“In CoA-Request and Disconnect-Request packets, all attributes MUST be treated as mandatory.”

and it appears that not only is it a standard attribute but it’s also one of the ways to identify the NAS during a disconnect. So it’s not vendor priority and appears to be “standard”. Unless I’m misinterpreting it.

I have submitted my ticket (SUP-184050) so hopefully we can get some eyes on this and have it added.

Yes, and I also mentioned above in the screenshot that NAS-Identifier is one of the standard attributes. But MikroTik’s reasoning was that User-Manager supports CoA with MikroTik devices and that was enough. To be fair, not all AP manufacturers require NAS-Identifier to be sent with CoA messages (UM CoA works with Aruba devices). Logically, only one of the 3 listed attributes is really needed (certainly, NAS-IPv6-Address cannot be mandatory).

I understand why MikroTik refused to make the change, because it would be a non-trivial change: they’ll need to start remembering more data from the Authentication messages, add new field(s) to the SQLite DB to remember the additional data in the Sessions, etc…

That’s why I tried to make the new suggestion in SUP-178502, because it requires no database schema change (there is already DB support for defining custom attributes and associating them with User-Groups & Users). MikroTik would only need to support an additional bit in the packet type flag of the attribute definition (beside the two bits for access request and access challenge):

user-man-sup-178502-2.png
On the UniFi site, we can customize NAS-Identifier per SSID to any custom string already, which means RouterOS doesn’t need to retrieve and remember the value of the NAS-Identifier attribute from the Authorization requests, and we can set the value directly in the attribute assignment to User-Groups/Users.

unifi-nas-id.png
user-man-sup-178502-3.png
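For checking a captured request against the RFC 5176 section 3 NAS identification attributes discussed above, here is an added example that is not part of any post in this thread and is not MikroTik or UniFi code. It parses a raw Disconnect-Request or CoA-Request and reports which of NAS-IP-Address, NAS-Identifier and NAS-IPv6-Address are present; the sample packets, user name, session ID and `guest-ssid` value are constructed for illustration.

```python
import struct

# RFC 5176 packet codes for dynamic authorization requests
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}
# RFC 5176 section 3, "NAS identification attributes"
NAS_ID_ATTRS = {4: "NAS-IP-Address", 32: "NAS-Identifier", 95: "NAS-IPv6-Address"}


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs from a raw RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"code {code} is not a CoA/Disconnect request")
    if not 20 <= length <= len(packet):
        raise ValueError("header length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def nas_identification(packet: bytes) -> dict[str, bytes]:
    """NAS identification attributes actually present in the request."""
    return {NAS_ID_ATTRS[t]: v for t, v in parse_attributes(packet) if t in NAS_ID_ATTRS}


def build(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Build a constructed sample packet (zeroed authenticator, not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: User-Name (1) and Acct-Session-Id (44), then the same plus NAS-Identifier (32).
without_id = build(40, [(1, b"alice"), (44, b"81a00012")])
with_id = build(40, [(1, b"alice"), (44, b"81a00012"), (32, b"guest-ssid")])

if __name__ == "__main__":
    for name, pkt in (("without", without_id), ("with", with_id)):
        print(name, nas_identification(pkt))
```

To use it on real traffic, pass the UDP payload of the request exported from the capture as `bytes`.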

Just coming back to update this, I think it’s finally happening @CGGXANNX

In ROS 7.22 Beta6

user-manager - added support for NAS-Identifier attribute;
