ArubaOS and Controllers

New Contributor
Posts: 4
Registered: ‎08-05-2011

Aruba 650 802.1x problem - connecting host switching between VLANs

Hi,
It's my first post on this forum and my first time with Aruba config, so please forgive me for some errors.

I have a lab with an Aruba 650 controller (software v.6.0.1.0) with an Aruba AP-125, a Cisco 3560 switch and a Win 2008 Server (with RADIUS installed). The controller is connected to the switch with a trunk link (allowed VLANs 40-44, native VLAN 40) on switch port 0/1. The AP is connected to switch port 0/3, an access port (in VLAN 40), and the server is connected to switch port 0/5, an access port (in VLAN 40).

The controller and AP are placed in VLAN 40 to communicate with each other. I have configured 802.1x (with the RADIUS server on Win2008). I have a server group "LAN" with a rule to add any logged-in user to the role "LAN-logon2". This role puts logged-in users into VLAN 41 and allows full traffic. I have configured AP Group "TOWN-1" with Virtual AP "LAN-vap_prof" with SSID "LAN" - the other virtual APs are not for this config. The AP is configured with forward mode "tunnel". The APs are provisioned with AP Group "TOWN-1".

The controller is configured with a DHCP server in VLAN 40 to give the APs IP addresses.
The Cisco 3560 is configured with a DHCP server in VLAN 41 to give IP addresses to connecting hosts. Routing on the switch is disabled.

When a user connects to the wireless network, authentication works OK - the user is authenticated, and then the problem starts. When the user is connected he should get an IP address from VLAN 41. In my case, when I connect to the network I get an address from VLAN 41, but after I reconnect I get an IP address from VLAN 40. When I reconnect another time I'm getting an address from VLAN 41, and so on. There is exactly a 50/50 chance to get an address from VLAN 41 or 40.

The configuration of the Aruba controller and the Cisco switch is attached to this post below.

I forgot to mention that when I configure the connection between the AP and the Cisco switch with a trunk link (allowed VLANs 40-41, native VLAN 40) everything works fine - the user gets an address from VLAN 41 every time. This configuration is no good for me because not every AP is connected to a managed switch on which I can configure a trunk, and it's no good for the security policy in my company.

Please help me with this problem - I don't have enough experience with Aruba to solve this on my own.

Regards,
Wojtek
Guru Elite
Posts: 21,513
Registered: ‎03-29-2007

Re: Aruba 650 802.1x problem - connecting host switching between VLANs

I see that you are putting users in VLAN43...

.....
wlan virtual-ap "New_WLAN-vap_prof"
   aaa-profile "LAN-aaa_prof"
   ssid-profile "New_WLAN-ssid_prof"
   vlan 43
..........


Does that VLAN mean anything?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎08-05-2011

Re: Aruba 650 802.1x problem - connecting host switching between VLANs

This is some config I did in the testing phase.

I'm not using the virtual AP "New_WLAN-vap_prof" for provisioning. I only use "LAN-vap_prof" (the other two profiles, VOIP-vap_prof and GUEST-vap_prof, are provisioned too, but I'm not using them at the moment - I'm connecting only to LAN-vap_prof). The main virtual AP I'm using is "LAN-vap_prof" with SSID "LAN".
Guru Elite
Posts: 21,513
Registered: ‎03-29-2007

Re: Aruba 650 802.1x problem - connecting host switching between VLANs

I do not see a VLAN defined in LAN-vap_prof. You need to enter a VLAN there!


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎08-05-2011

Re: Aruba 650 802.1x problem - connecting host switching between VLANs




I can't enter a VLAN there because 802.1x must take care of which VLAN the user is placed in (for example based on Username or other parameters - this is configured under Server Group).

If I enter a VLAN there then every user will be placed in VLAN 41, but what will happen when some users, based on their parameters (for example Active Directory group), must be placed in another VLAN (for example 43)?

I think I can't put a VLAN in there just like that.

Guru Elite
Posts: 21,513
Registered: ‎03-29-2007

Re: Aruba 650 802.1x problem - connecting host switching between VLANs

Start like this:

Remove the rule from the server group.
Remove the VLAN from the user role LAN-logon2.
Put the VLAN that you want most of your users in at the Virtual AP parameter.

Turn on user debugging:

config t
logging level debug user

Delete all users to start fresh:

aaa user delete all

Connect a user, and then type "show log user all" to see why the user ends up in that VLAN.

Delete that user entry, because if the user disconnects, and is still in the user table, he will get the same VLAN:

aaa user delete mac

Try to add your rule into the server group and test with another user.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎08-05-2011

Re: Aruba 650 802.1x problem - connecting host switching between VLANs




I finally solved this problem - you were right on some points. I have to put the VLANs that I want my users to be in into this profile. I simply added VLANs 41, 42, 43 there, and based on username I can correctly be placed in the right VLAN.

Thank you very much for your help - I thought this would be some minor error, and now I have found it.

Thanks again :)
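For reference, here is an added configuration sketch (constructed for this thread, not the attached config from the original post) showing the two pieces the thread settles on in ArubaOS 6.x CLI form: the Virtual AP carrying every VLAN a user may land in, and the server group deriving the specific one per user. The auth-server name, the ssid-profile name, the dot1x default-role setting, the `!` annotation lines and the sample usernames are assumptions; only VLANs 41-43 and the names LAN-vap_prof, LAN-aaa_prof, LAN and LAN-logon2 come from the thread.

```text
! --- Assumed "before" state, as described in the first post ---
! The VLAN lives only on the user role and the Virtual AP carries none,
! which is the setup that alternated between VLAN 41 and VLAN 40.
user-role "LAN-logon2"
   vlan 41
   session-acl allowall
!
wlan virtual-ap "LAN-vap_prof"
   aaa-profile "LAN-aaa_prof"
   ! ssid-profile name is assumed
   ssid-profile "LAN-ssid_prof"
   forward-mode tunnel
!

! --- "After" state: VLAN list on the Virtual AP, per-user choice in the server group ---
wlan virtual-ap "LAN-vap_prof"
   aaa-profile "LAN-aaa_prof"
   ssid-profile "LAN-ssid_prof"
   forward-mode tunnel
   vlan 41,42,43
!
aaa profile "LAN-aaa_prof"
   ! default role replaces the "any user -> LAN-logon2" server-group rule
   dot1x-default-role "LAN-logon2"
   dot1x-server-group "LAN"
!
aaa server-group "LAN"
   ! auth-server name is assumed
   auth-server "Win2008-RADIUS"
   ! constructed sample rules: users not matching either rule stay on the
   ! first VLAN listed on the Virtual AP (41)
   set vlan condition Username contains "finance" set-value 42
   set vlan condition Username contains "eng" set-value 43
!
user-role "LAN-logon2"
   session-acl allowall
!

! After changing VLAN assignment, clear cached user entries so a reconnecting
! client is not kept on the VLAN recorded in the user table (see the reply above):
!   logging level debug user
!   aaa user delete all
!   show log user all
```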
