ArubaOS and Controllers

Occasional Contributor II
Posts: 12
Registered: 08-29-2011

Radius authentication in bridge mode

So I have this AP-93 in bridge mode, and I'm trying to get RADIUS authentication to work.
When selecting a VLAN to place clients under the virtual AP, I am able to authenticate, and will pick up an IP on the local bridged segment. But all other traffic is tunnelled to the controller. And, I'm guessing, placed on the assigned VLAN.

When I choose "none" in the vlan setting, I am not able to authenticate.
This is what I see in the log:

Sep 6 17:14:47 authmgr: <132022> |authmgr| Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31 sent 802.1x packet before association/l2 miss
Sep 6 17:14:47 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31
Sep 6 17:14:47 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31

Any ideas?


edit:

From Aruba message description:
Station sent 802.1x packet before association/l2 miss
Description: Received an EAP packet from the station before receiving an association/l2 miss message.
Cause: This log message is generated when we detect a race condition between STM, SOS and AUTH. AUTH is receiving association-request messages from STM before it received the L2-Miss message from SOS.
Recommended Action: If symptoms persist, then AUTH is either not receiving or not processing L2-Miss messages from SOS. Restart the AUTH process by executing the command "process restart auth" or reload the controller.



After restarting the auth process, I get this:


Sep 6 17:23:05 authmgr: <132022> |authmgr| Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31 sent 802.1x packet before association/l2 miss
Sep 6 17:23:05 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31
Sep 6 17:23:05 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31
Sep 6 17:23:05 sapd: <404058> |AP 00:24:6c:cb:f5:63@10.253.196.101 sapd| AM: New Node Detected Node = f8:1e:df:16:97:ec SSID =aruba BSSID 00:24:6c:3f:56:31
Sep 6 17:23:05 stm: <501095> |stm| Assoc request @ 17:23:05.303630: f8:1e:df:16:97:ec (SN 2434): AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63
Sep 6 17:23:05 stm: <501101> |stm| Assoc failure: f8:1e:df:16:97:ec: AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63 Reason Capability requested by STA unsupported by AP
Sep 6 17:23:05 stm: <501095> |AP 00:24:6c:cb:f5:63@10.253.196.101 stm| Assoc request @ 17:23:05.241511: f8:1e:df:16:97:ec (SN 2434): AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63
Sep 6 17:23:05 stm: <501100> |AP 00:24:6c:cb:f5:63@10.253.196.101 stm| Assoc success @ 17:23:05.243253: f8:1e:df:16:97:ec: AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63
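Added triage example (not from the thread or from Aruba): a small Python script that groups authmgr/stm syslog events by station MAC and flags stations whose EAPOL frames were dropped without a clean association, which is the pattern shown in the log above. The sample log lines are constructed from the message formats quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the authmgr/stm syslog lines quoted in the thread
SAMPLE_LOG = """\
Sep 6 17:23:05 authmgr: <132022> |authmgr| Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31 sent 802.1x packet before association/l2 miss
Sep 6 17:23:05 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31
Sep 6 17:23:05 authmgr: <132030> |authmgr| Dropping EAPOL packet sent by Station f8:1e:df:16:97:ec 00:24:6c:3f:56:31
Sep 6 17:23:05 stm: <501101> |stm| Assoc failure: f8:1e:df:16:97:ec: AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63 Reason Capability requested by STA unsupported by AP
Sep 6 17:23:05 stm: <501100> |AP 00:24:6c:cb:f5:63@10.253.196.101 stm| Assoc success @ 17:23:05.243253: f8:1e:df:16:97:ec: AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63
Sep 6 17:25:10 stm: <501100> |AP 00:24:6c:cb:f5:63@10.253.196.101 stm| Assoc success @ 17:25:10.100000: aa:bb:cc:dd:ee:ff: AP 10.253.196.101-00:24:6c:3f:56:31-00:24:6c:cb:f5:63
"""

# "<timestamp> <process>: <code> |<context>| <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<proc>\w+): "
                     r"<(?P<code>\d+)> \|[^|]*\| (?P<msg>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def analyze(log_text):
    """Count per-station events by ArubaOS message code; the first MAC in the
    message body is the station for all of the codes handled here."""
    stats = defaultdict(lambda: {"premature_8021x": 0, "eapol_dropped": 0,
                                 "assoc_success": 0, "assoc_failures": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        sta = MAC_RE.search(m["msg"]) if m else None
        if not sta:
            continue                      # unrelated or unparseable line
        s, code, msg = stats[sta.group(0).lower()], m["code"], m["msg"]
        if code == "132022":              # 802.1x before association/l2 miss
            s["premature_8021x"] += 1
        elif code == "132030":            # EAPOL packet dropped by authmgr
            s["eapol_dropped"] += 1
        elif code == "501100":            # stm association success
            s["assoc_success"] += 1
        elif code == "501101":            # stm association failure with reason
            r = re.search(r"Reason (.*)$", msg)
            s["assoc_failures"].append(r.group(1) if r else "unknown")
    return dict(stats)

def stuck_stations(stats):
    """Stations whose EAPOL was dropped and that either failed association or
    never succeeded: candidates for a role/VLAN/forwarding-mode misconfiguration."""
    return sorted(sta for sta, s in stats.items()
                  if s["eapol_dropped"] and (s["assoc_failures"] or not s["assoc_success"]))

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for sta in stuck_stations(result):
        print(sta, result[sta])
```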
Guru Elite
Posts: 20,578
Registered: 03-29-2007

Re: Radius authentication in bridge mode

When you change the forwarding mode to bridged, nothing should be tunneled back to the controller. The role of the client after it is authenticated should be an "allowall" role (the default 802.1x role in the AAA profile). When the traffic was passing, you had the VLAN right. Don't change anything. Just make sure that the default 802.1x role in the AAA profile of that Virtual AP permits everything.

And... Do not restart the auth process. In this particular circumstance, it does not help.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 12
Registered: 08-29-2011

Re: Radius authentication in bridge mode

The role is "authenticated", which is an allowall rule. Actually, all the roles in the profile are authenticated. I have a wiretap connected to the AP, and I don't see any traffic on the local segment at all, only from the AP to the controller.

Is the VLAN locally significant to the AP? Do I need to change the AP port trunk, so that it can tag the packets?

Under the aaa profile, I can see that it assigns the default setting to "MAC Authentication Server Group", could this be a problem?

Thanks a lot for taking the time to help out :)
Guru Elite
Posts: 20,578
Registered: 03-29-2007

Re: Radius authentication in bridge mode

The AP-Group that the AP is in has an AP system profile. In that AP system profile, there is a "Native VLAN ID" parameter. If that Native VLAN ID parameter matches the Virtual AP VLAN that is being bridged, the client traffic will NOT be tagged, but purely bridged, because it assumes that traffic that is to be bridged matches the Native VLAN of that port. If the Virtual AP VLAN of the Bridged Virtual AP does NOT match the Native VLAN ID, then the client traffic will be tagged. By default that parameter is 1, so just make the Virtual AP VLAN 1 and it should bridge the traffic, just like you need it to. If that AP is on a trunk and you need it to switch the traffic to another VLAN, make it something else besides 1 on the Virtual AP VLAN.

I hope that makes sense.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: 08-29-2011

Re: Radius authentication in bridge mode

That makes perfect sense. Both are VLAN 1, so it should not be a problem. However, no luck :o

Funny thing though, I can see IPv6 traffic from my associated iPhone, but no IPv4 traffic is getting through.

I guess it must be a role/policy problem. I'll try to play around with those.
Guru Elite
Posts: 20,578
Registered: 03-29-2007

Re: Radius authentication in bridge mode

There are IPv4 and IPv6 ACLs. Make sure you have the right ones in place.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: 08-29-2011

Re: Radius authentication in bridge mode

Ok. That was weird. The "authenticated" profile said allowall for both IPv4 and IPv6.
I created a new profile just with the allowall policy, and presto, everything is working fine!

Your help is much appreciated!