ArubaOS and Controllers


MSN Messenger and 802.1x

All,

I am still getting my feet wet with the Airwave and the Aruba interface and feature set - so I hope this isn't too amateur hour of a question.

I've been working on an issue that happens on our campus-wide wireless network. I'm able to log into MSN Messenger on Vista and 7 when I'm connected to an Open network, but I'm not able to when I'm connected to an 802.1x WPA2-Enterprise network. I have checked the firewall rules, access lists, and our RADIUS server and I cannot find a reason in our non-Aruba infrastructure.

I'd like to drill down into the ArubaOS to figure out if there's a firewall setting, but I'm not sure where to look. Any help on this issue would be greatly appreciated.

Thanks!

-Mike
Occasional Contributor I

Re: MSN Messenger and 802.1x

Mike,

Are the two networks one and the same, or are you talking about being connected to distinctly different networks?

What firewall rules are being applied to your authenticated role?

Does this work with Windows XP?

There are a lot of factors that could potentially play a role in your issue. It could be a proxy server on your enterprise network that is blocking your traffic. MSN Messenger uses TCP 80, 443, 1863 and others depending on the features that you wish to utilize (video, voice, file sharing). However, I am not positive whether the application is proxy-aware or if it must be configured in the settings.

Hope this gets you started in the right direction.
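A quick way to act on the port list above is to probe TCP 80, 443 and 1863 from a client on each SSID and diff the two answers. This is an added example, not code from the thread or from Aruba; the port set comes from the post above, and the interpretation of the results is my assumption: "refused" means a RST came back (host reachable, nothing listening or a filter that rejects), while "timeout" means the SYN was silently dropped, which is what a deny rule or a proxy that never forwards the session usually looks like.

```python
"""
Added example: probe the TCP ports MSN Messenger needs from each wireless
network and diff the results. Not from the thread; assumptions are noted
inline.
"""
import socket
import sys

MSN_PORTS = (80, 443, 1863)  # from the post above; others depend on features


def probe_port(host, port, timeout=3.0):
    """Return "open", "refused", "timeout" or "unreachable" for host:port.

    Assumption: "refused" = RST received, "timeout" = SYN silently dropped.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # no route, DNS failure, etc.
        return "unreachable"
    finally:
        s.close()


def probe_messenger_ports(host, ports=MSN_PORTS, timeout=3.0):
    """Probe each port once and return {port: result}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def diff_results(open_net, dot1x_net):
    """Return {port: (result on open SSID, result on 802.1x SSID)} for the
    ports whose result differs. Run probe_messenger_ports() once from a
    client on each SSID and feed both dicts in."""
    return {p: (open_net.get(p), dot1x_net.get(p))
            for p in sorted(set(open_net) | set(dot1x_net))
            if open_net.get(p) != dot1x_net.get(p)}


def local_listener():
    """Open a loopback TCP listener on an ephemeral port (for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick an ephemeral loopback port that nothing listens on (for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe_msn.py <host>   (e.g. the Messenger login host)
    # With no argument it demonstrates "open" and "refused" on loopback.
    if len(sys.argv) > 1:
        for port, result in probe_messenger_ports(sys.argv[1]).items():
            print(f"{sys.argv[1]}:{port} -> {result}")
    else:
        srv, port = local_listener()
        closed = free_closed_port()
        print(f"127.0.0.1:{port} -> {probe_port('127.0.0.1', port)}")
        print(f"127.0.0.1:{closed} -> {probe_port('127.0.0.1', closed)}")
        srv.close()
```

Run it against the same host from a client on the open SSID and again from the 802.1x SSID; a port that is "open" on one and "timeout" on the other points at a filter or proxy on the 802.1x path, while "refused" everywhere points at the far end rather than the wireless network.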
Aruba Employee

Re: MSN Messenger and 802.1x

Hi Mike - Are both wireless networks, the open one and the 802.1x one, served by your Aruba infrastructure?

If so, when you connect to the open network, you'll fall into the initial role and the policies defined for that. In the 802.1x network, after you authenticate, you'll fall into its default role and be subjected to its policies. Check your AAA profile settings in the VAP profile to see what's what with that.

Re: MSN Messenger and 802.1x

All,

I have heard that it doesn't work with Windows XP, but I haven't personally verified that. It does work on an Ethernet connection. So there is something about the 802.1x network that is different.

That is correct, the open and the 802.1x SSIDs are served by an Aruba infrastructure. The 802.1x infrastructure uses Windows 2k8R2's RADIUS implementation called NPS.

I didn't get a chance to take a look at this issue today - snow is burying the mid-Atlantic region. I'll post an update on Monday and start poking around the Authenticated Roles section. Thanks for the direction on this issue!

-Mike
MVP

Re: MSN Messenger and 802.1x

Verify that the Aruba controller is actually blocking the traffic.



If traffic is being denied, there will be a "D" flag to the right of the session. Because of the variables involved, it's worth first identifying that your problem is at the controller and not something else.

If it is, I definitely think looking at the derived user-roles (as Mike suggested) for your open and dot1x implementations is the correct next step.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
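The session table on a busy campus controller is long, so here is a small filter for the "D" flag Ryan describes, narrowed to one client and to the Messenger ports. This is an added example, not code from the thread or from Aruba. It assumes the ArubaOS column order Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags, that the Destination column may contain a space (for example "tunnel 11") and that Flags may be empty; the sample output in the block is constructed, not captured from a controller.

```python
"""
Added example: pull denied sessions out of "show datapath session table"
output so the D (deny) flag can be checked for one client and the
Messenger ports without reading the whole table. Not from the thread.
"""

MSN_PORTS = {80, 443, 1863}

# Constructed sample (not real controller output): client 10.20.30.40 on
# the 802.1x SSID. The 1863 session carries D; the 443 sessions pass.
SAMPLE = """\
Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - dst route, Y - no syn
       C - client, M - mirror, V - VOIP

Source IP       Destination IP  Prot SPort DPort  Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- --------- ---- --- --- ----------- ---- ---------- ---------- ---------
10.20.30.40     64.4.61.7       6    49210 1863  0/0       0    0   1   local       1    3          180        DC
10.20.30.40     64.4.61.7       6    49211 443   0/0       0    0   1   local       1    12         3280       FC
64.4.61.7       10.20.30.40     6    443   49211 0/0       0    0   1   tunnel 11   1    10         6012       F
10.20.30.40     10.20.1.1       17   53122 53    0/0       0    0   0   local       0    1          72
"""


def parse_session_table(text):
    """Parse the table rows into dicts; the legend and headers are skipped."""
    sessions = []
    in_rows = False
    for line in text.splitlines():
        if line.startswith("-----") and len(line) > 40:
            in_rows = True          # the dashed ruler under the column headers
            continue
        toks = line.split()
        if not in_rows or len(toks) < 12 or "." not in toks[0]:
            continue
        # Flags is optional and Destination may hold a space, so anchor the
        # numeric tail (TAge, Packets, Bytes) from the right.
        if toks[-1].isdigit():
            flags, tail, dest = "", toks[-3:], toks[9:-3]
        else:
            flags, tail, dest = toks[-1], toks[-4:-1], toks[9:-4]
        sessions.append({
            "src": toks[0], "dst": toks[1], "proto": int(toks[2]),
            "sport": int(toks[3]), "dport": int(toks[4]),
            "cntr": toks[5], "prio": int(toks[6]), "tos": int(toks[7]),
            "age": int(toks[8]), "destination": " ".join(dest),
            "tage": int(tail[0]), "packets": int(tail[1]), "bytes": int(tail[2]),
            "flags": flags,
        })
    return sessions


def denied_sessions(sessions, client_ip=None, ports=MSN_PORTS):
    """Sessions carrying the D flag, optionally narrowed to one client and
    to a port set matched on either side of the session."""
    out = []
    for s in sessions:
        if "D" not in s["flags"]:
            continue
        if client_ip and client_ip not in (s["src"], s["dst"]):
            continue
        if ports and not ({s["sport"], s["dport"]} & set(ports)):
            continue
        out.append(s)
    return out


if __name__ == "__main__":
    # Paste real "show datapath session table" output in place of SAMPLE.
    for s in denied_sessions(parse_session_table(SAMPLE), "10.20.30.40"):
        print(f"DENIED {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"proto {s['proto']} flags {s['flags']}")
```

Capture the table on both the master and the local controller while the client is trying to sign in, since the session lives on whichever controller terminates that AP's tunnel; an empty result with the client present in the table is the "not the controller" signal Ryan is after.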

Re: MSN Messenger and 802.1x

All,

Thanks for helping me with this issue. Now that the snowpocalypse has finally ended, I have more time to work on this again.

I ran the "show datapath session table " command on the slave controller and the master controller; it did not report any denied traffic.

I then figured out which AAA profile corresponded with which SSIDs. As you stated, they were different.

I then assigned the exact same "Initial Role" to the 802.1x SSID as the open SSID. Next, I set the "802.1X Authentication Default Role" to one that was "allowall" with a rule of any:any, permit.

Unfortunately, this did not work. Any suggestions on my next troubleshooting steps?

Thanks for all your help! Going through this has really increased my confidence with Aruba.

-Mike
Guru Elite

The VLANs

Are the VLANS that the users are on the same (open SSID VLAN= 802.1x SSID VLAN)?


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: MSN Messenger and 802.1x

If the user is getting the allow-all role it would surprise me if it was a controller issue. I would start to think about the network; as others have mentioned, I would assume that the open and 802.1X networks are at least in different VLANs. Is there a proxy or anything else that could be catching the chat session on the 802.1X network?

It would also be good to confirm that the user with the blocked chat session is actually connected; I assume that they can surf the web, etc., correct? It sounds like you've created the role correctly; you might try a 'show user ' and check that the role they are assigned is the one you thought they should have. Issuing 'show rights ' will show you that role's policy if you need to confirm they have the correct policy tied to the role.

Also, I wasn't clear on your comment that 'it doesn't work with XP'; what did you hear didn't work? If it's 802.1X and WPA2 with XP, you do need to have Service Pack 3 or the hotfix installed for the functionality; otherwise it works fine.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks

Re: MSN Messenger and 802.1x

All,

I checked and there are different VLANs for each of the SSIDs. I checked the router and there are no access lists or firewall settings applied to either of the VLANs.

Sorry about the vague XP comment. I have personally verified that Microsoft Messenger on Vista and Windows 7 will not connect to the 802.1x network. A student also told me that they cannot connect to Windows Messenger on Windows XP.

I ran the "show user name " from the controller and the role was in our "authenticated" role.

Here's the firewall rule for the authenticated user role:

allowall - any: any: permit: Low

I ran Wireshark on the two connections and there was definitely a discrepancy. Is there a way to check at the packet level on the controller or the radio?

Thanks for the continued help!

-Mike
Aruba Employee

Re: MSN Messenger and 802.1x

Can you describe the discrepancy you saw? We're using the same policy at the office and I haven't had any issue with MSN connecting on XP or Windows 7, so I'm interested in what's going on with this.

As for packet levels, you can actually mirror the packet flows to a sniffer using a firewall policy. I would highly recommend creating a separate role for this, otherwise you're going to flood your sniffer with traffic. Place just your test user in that role and then launch your MSN session. The config should look something like:

ip access-list session "mirror"
any any any permit mirror queue low
!
user-role "mirror"
access-list session "mirror" position 1
!
firewall session-mirror-destination ip-address 10.1.1.10
firewall session-mirror-destination port 1/0


Obviously you'll want to change the ports and IP to match up with your sniffer. You can change the user role from the CLI with:



Hope that helps,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks