Documentation on sending an RFC 3576 RADIUS disconnect message to a Cisco Wireless LAN Controller seems sparse at best. However, it does work (at least on v7 software) and is quite easy to do.

Remember to open up port 3799 from the RADIUS servers on the CPU ACL first. The CoA packet needs a shared RADIUS secret, so it will need to be sent from a registered RADIUS server. Oddly enough, the CPU ACL will automatically be opened up for the standard RADIUS UDP ports (likely 1812, 1813), but not for port 3799.

Create a text file in one of the following formats:

User-Name = 'user@realm'
Service-Type = Login-User

or

Calling-Station-Id = '00:11:22:33:44:55'
Service-Type = Login-User

Then feed this into radclient, like so:

radclient 10.10.10.10:3799 disconnect secret < file

where 10.10.10.10 is the IP address of the WLC, secret is the RADIUS shared secret, and file is the file created above (this can also be just given to radclient’s stdin in some other way, rather than using a file, of course).

Hopefully you should get back a “Received response” message, and the client should be disconnected. Using the -x option to radclient will print out more debugging information including the packet contents.
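As an added example (not from the post or from radclient), here is the same Disconnect-Request exchange built by hand in Python, showing the RFC 3576 Request Authenticator that radclient computes for you and the Response Authenticator check on the WLC's Disconnect-ACK/NAK. The WLC address, the secret and the stand-in reply are constructed values.

```python
import hashlib
import os
import socket
import struct

# Packet codes from RFC 3576; attribute types from RFC 2865
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_disconnect_request(secret, attrs, identifier=None):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret), per RFC 3576."""
    ident = os.urandom(1)[0] if identifier is None else identifier
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def disconnect_by_mac(secret, mac, identifier=None):
    """The Calling-Station-Id file format from the post, as one packet (Service-Type 1 = Login-User)."""
    attrs = [(CALLING_STATION_ID, mac.encode()), (SERVICE_TYPE, struct.pack("!I", 1))]
    return build_disconnect_request(secret, attrs, identifier)

def verify_response(response, request, secret):
    """Response Authenticator must be MD5(Code+ID+Length+RequestAuth+attrs+secret); returns code, else None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if expected == response[4:20] else None

def fake_nas_reply(code, request, secret):
    """Constructed stand-in for a WLC reply with no attributes, for offline testing."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def send_disconnect(wlc_ip, secret, packet, port=3799, timeout=3.0):
    """Send to UDP/3799 on the WLC and return the verified response code (or None)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (wlc_ip, port))
        return verify_response(s.recv(4096), packet, secret)

if __name__ == "__main__":
    secret = b"secret"  # constructed: the shared RADIUS secret registered on the WLC
    req = disconnect_by_mac(secret, "00:11:22:33:44:55")
    print(verify_response(fake_nas_reply(DISCONNECT_ACK, req, secret), req, secret))  # 41
```

A reply whose authenticator does not verify (wrong secret, or a spoofed packet) comes back as None rather than as a code, which is the check radclient performs before it reports "Received response".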

Remember that most clients that are disconnected will immediately reconnect, so the RADIUS server will need to be set up first to block access or redirect them into a quarantine VLAN, for example.

Now for CoA packets… there seems to be no documentation whatsoever for these!
