bpwl
Forum Guru
Topic Author
Posts: 3129
Joined: Mon Apr 08, 2019 1:16 am

User Manager fails to disconnect session by CoA

Wed Sep 04, 2024 2:30 pm

- AP is hAP ac2 and wAP ac, radius client is set, incoming for port 3799 is set.
- wireless with WLAN driver. Enterprise security (PEAP) works excellently.
- RADIUS is User Manager in ROS 7.12

RADIUS for EAP wireless login and accounting to the User Manager on hAP ax3.
Sometimes the connection between radius client and User Manager seems to have been disturbed.
User Manager claims NAS rebooted, from then on, for all sessions that are still there and do send intermediate accounting to User Manager.
User Manager in multiple attempts tries to disconnect that wireless connection, but the hAP just refuses to do it.

Workaround found so far is to (re-)enable "EAP accounting" in the security profile, which stops all open associations with the RADIUS server.
I used to disable and then enable "EAP-accounting" but by mistake only had put the enable in the script, and that worked also.
Nr 2 in the lazy script is the actual PEAP security profile

Klembord2.jpg

Workaround: run this script
:log info "SCRIPT resetting RADIUS accounting"
/interface wireless security-profiles set radius-eap-accounting=no 2
/interface wireless security-profiles set radius-eap-accounting=yes 2

Warning: disconnects all those sessions, and even triggers selecting channel with radar detect (if a DFS channel).
Last edited by bpwl on Thu Sep 05, 2024 1:01 am, edited 1 time in total.
 
bpwl

Re: User Manager fails to disconnect session by CoA

Wed Sep 04, 2024 10:26 pm

I never set a "Framed-IP-Address", as after the association, another DHCP server, depending on VLAN and subnet, is leasing an IP address of that subnet.

So is it Framed-IP-Address missing in the CoA request? https://github.com/lirantal/daloradius/ ... 8171a354b4

Users associate and roam between 30 APs with the same user name on the one and only RADIUS server. For performance reasons the APs' distributed SSID/subnets are grouped in 3 separate IP subnets.
 
bpwl

Re: User Manager fails to disconnect session by CoA

Wed Sep 04, 2024 11:37 pm

Aha, it's not the Framed-IP-Address. This seems to be there in RADIUS and is correct.

Klembord4.jpg

Still this is only happening, and even frequently this evening, on just hAP14 (one of the 21 hAP ac2 with the same configuration, and in the same campus network).

Getting closer to the root cause? "too strong signal" .... never seen before.

Klembord5.jpg

Eventually leading to something with error-cause=406, only on that spot? I don't see the relation with the disconnect request, unless the "too strong signal" broke the PEAP sequence.
The request came from UM indeed.

Have been fighting the placement of devices just next to the hAP ac2's this summer. Actually the travel router/hotspot/repeaters are the worst things to have on the same table as the hAP ac2.

viewtopic.php?t=210600#p1095014

Well it is not the root-cause of the CoA problem, but at least a potential trigger for it.

Error cause 406 = "unsupported extension". See: viewtopic.php?t=163472

Not supported ... must use "Unsolicited messages" ... but then why is MT User Manager not doing that? https://help.mikrotik.com/docs/display/ROS/RADIUS
Where to find these "Disconnect messages"?
Connection Terminating from RADIUS
Sub-menu: /radius incoming

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend RADIUS protocol commands, that allow terminating a session that has already been connected from the RADIUS server. For this purpose, DM (Disconnect-Messages) is used. Disconnect messages cause a user session to be terminated immediately. 

RouterOS doesn't support POD (Packet of Disconnect), the other RADIUS access request packet that performs a similar function as Disconnect Messages.
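
For reading the reply a NAS sends back to a disconnect attempt on port 3799, the following sketch (an added example, not part of the original posts and not MikroTik code) builds a Disconnect-Request as defined in RFC 5176, validates the reply's response authenticator and decodes the Error-Cause attribute, so that 406 is reported as "Unsupported Extension". The shared secret, user name, session id and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes and the Error-Cause attribute (type 101) from RFC 5176
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERROR_CAUSES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    503: "Session Context Not Found", 506: "Resources Unavailable",
}

def attr(attr_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Requests hash 16 zero bytes; replies hash the request authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_reply(reply, request, secret):
    """Validate a Disconnect-ACK/NAK; return (code, cause number, cause name)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or length < 20 or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad response authenticator (shared secret mismatch?)")
    cause, pos = None, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == ATTR_ERROR_CAUSE and a_len == 6:
            cause = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += a_len
    return code, cause, (ERROR_CAUSES.get(cause, "unknown") if cause else None)

# Constructed sample exchange (made-up secret, user name and session id)
SECRET = b"example-secret"
REQ_ATTRS = attr(ATTR_USER_NAME, b"alice") + attr(ATTR_ACCT_SESSION_ID, b"81a00012")
REQUEST = build_packet(DISCONNECT_REQUEST, 7, REQ_ATTRS, SECRET)
NAK_ATTRS = attr(ATTR_ERROR_CAUSE, struct.pack("!I", 406))
NAK = build_packet(DISCONNECT_NAK, 7, NAK_ATTRS, SECRET, REQUEST[4:20])
print(parse_reply(NAK, REQUEST, SECRET))
```

A reply that fails the authenticator check points at a shared-secret mismatch between server and NAS rather than at the Error-Cause value itself.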