Campus Switching and Routing

HGW
Occasional Contributor I

Mac-based vlan not working

Hi all,

I've got a location with Aruba 2920-48G switches. These switches run the latest WB.16.02 firmware. I've configured port-access on all the switches, so that each port has to authenticate first with our ClearPass server.

The following now happens:

When a laptop connects to the port, it authenticates itself and then gets assigned VLAN xx. Next, a VOIP phone is connected to the same port (using an unmanaged switch) and this device also authenticates and should receive VLAN YY. This last part is not working. The device does not get an IP.

This made me think, because the HPE ArubaOS-Switch Access Security Guide for WB.16.02 states the following:

MAC-Based VLANs (MBVs) allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port. Clients receive their untagged VLAN assignment from the RADIUS server.

What am I missing in this configuration? (I tried to copy everything related to this question:)

 

aaa authentication port-access eap-radius server-group "clearpass" cached-reauth
aaa authentication mac-based chap-radius server-group "clearpass" cached-reauth
aaa port-access mac-based 1-30
aaa port-access mac-based 1 addr-limit 32
aaa port-access mac-based 1 addr-moves
aaa port-access mac-based 1 reauth-period 86400
aaa port-access mac-based 1 unauth-vid XX
aaa port-access mac-based 1 cached-reauth-period 86400
aaa port-access authenticator 1-30
aaa port-access authenticator 1 reauth-period 86400
aaa port-access authenticator 1 client-limit 10
aaa port-access authenticator 1 cached-reauth-period 86400

Running configuration:

interface 1
untagged vlan 4092
aaa port-access authenticator
aaa port-access authenticator reauth-period 86400
aaa port-access authenticator client-limit 10
aaa port-access authenticator cached-reauth-period 86400
aaa port-access mac-based
aaa port-access mac-based addr-limit 32
aaa port-access mac-based addr-moves
aaa port-access mac-based reauth-period 86400
aaa port-access mac-based unauth-vid XX
aaa port-access mac-based cached-reauth-period 86400
spanning-tree admin-edge-port
spanning-tree bpdu-protection
loop-protect
exit

 

Extra info:

The different YY and XX VLANs work perfectly when configured statically. So there is no DHCP issue etc.

The 4092 VLAN is a dummy and does not allow any form of network.

Guru Elite

Re: Mac-based vlan not working

Did you look at the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
HGW
Occasional Contributor I

Re: Mac-based vlan not working

Hello, yes I checked that document, but I could not find anything that would explain the behaviour that I'm seeing.

Are you pointing at something in particular?

Guru Elite

Re: Mac-based vlan not working

Did you follow the configuration steps? The doc is a validated working config.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
HGW
Occasional Contributor I

Re: Mac-based vlan not working

I just double checked; the only thing missing is the user-roles etc. We just use port-access.

Occasional Contributor I

Re: Mac-based vlan not working

  1. Are the devices authenticated and working in their right VLAN and getting the right IP if you plug them directly into the switch port without any hub in between? Just to check if the devices will get the right VLAN assigned by the RADIUS Server.
  2. As I see that you also have “unauth-vid xx” configured you should know that by default, unauthenticated clients on the Unauth VLAN are disconnected with MBV when a client authenticates to the port. If you want, however, you can enable mixed-mode authentication, which allows unauthenticated clients to connect in the Unauth VLAN and authenticated clients to connect in their assigned VLANs.
HGW
Occasional Contributor I

Re: Mac-based vlan not working

Sorry, I was sick for a few days, so I couldn't react.

I will check this next Wednesday and check point 2 of your comment :)

HGW
Occasional Contributor I

Re: Mac-based vlan not working

Ok, status update.

 

I've got a port that's connected to an unmanaged switch (that's on the users' table).

On this switch, there are a couple of VOIP phones connected that are MAC-authenticated to VLAN 30 and also get an IP address in VLAN 30. Next, a user plugs in his laptop and ClearPass acknowledges the laptop and gives back the following response:

Radius:IETF:Termination-Action = 1
Radius:IETF:Tunnel-Medium-Type = 6
Radius:IETF:Tunnel-Private-Group-Id = 16
Radius:IETF:Tunnel-Type = 13

So the computer should be allowed in VLAN 16, but it never receives an IP address in this VLAN and I also don't see it with VLAN 16 in 'show port-access clients'.

I enabled mixed mode, as you said, but that does not solve it.
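The ClearPass reply quoted in the post above is the standard RFC 2868 VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = the VLAN). As an added example, not code from the thread, from Aruba or from ClearPass, the Python below encodes those attributes the way they travel in an Access-Accept, decodes them back, and applies the check a strict switch makes before honouring the VLAN: all three tunnel attributes present, carrying the same tag, with consistent values. The attribute numbers are the IETF standard ones; the three attribute blobs are constructed for this example.

```python
"""Added example (not from the thread, Aruba or ClearPass): encode and decode
the RFC 2868 tunnel attributes a RADIUS server returns to assign a VLAN, and
check them the way a strict switch would before honouring the assignment.
The sample attribute blobs below are constructed for this example."""
import struct

# Standard IETF attribute types (RFC 2865 / RFC 2868)
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value "IEEE-802"
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_avp(attr_type, value):
    """Type (1 byte), Length (1 byte, includes the header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_int(attr_type, value):
    """Plain 32-bit integer attribute, e.g. Termination-Action."""
    return encode_avp(attr_type, struct.pack("!I", value))


def encode_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return encode_avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string; with tag 0 the tag byte is usually omitted."""
    prefix = bytes([tag]) if tag else b""
    return encode_avp(attr_type, prefix + text.encode("ascii"))


def decode_avps(data):
    """Split a raw attribute blob into a list of (type, value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad length %d for attribute %d" % (length, attr_type))
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def split_tag(value):
    """A leading byte in 0x00..0x1F is a tag; anything else is already data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data):
    """Return the VLAN ID an Access-Accept assigns, or None if the three
    tunnel attributes are not all present with the same tag and consistent
    values (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, numeric group id).
    """
    by_tag = {}
    for attr_type, value in decode_avps(data):
        if attr_type in TUNNEL_ATTRS:
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if set(attrs) != TUNNEL_ATTRS:
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802:
            continue
        try:
            vlan = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if 1 <= vlan <= 4094:
            return vlan
    return None


# Constructed sample 1: the attribute set the post above shows ClearPass returning
ACCEPT_VLAN16 = (
    encode_int(TERMINATION_ACTION, 1)                    # 1 = RADIUS-Request
    + encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "16")
)

# Constructed sample 2: the same assignment, but every attribute carries tag 1
ACCEPT_VLAN16_TAGGED = (
    encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
    + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag=1)
    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "16", tag=1)
)

# Constructed sample 3: Tunnel-Medium-Type missing, so no VLAN should be honoured
ACCEPT_NO_MEDIUM = (
    encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "16")
)

if __name__ == "__main__":
    for name, blob in (("vlan16", ACCEPT_VLAN16), ("tagged", ACCEPT_VLAN16_TAGGED),
                       ("no-medium", ACCEPT_NO_MEDIUM)):
        print(name, blob.hex(), "->", vlan_from_accept(blob))
```

The point of the round trip is that what the ClearPass access tracker displays and what the switch actually receives are two different things; capturing the Access-Accept on the wire (UDP 1812 between ClearPass and the switch) and running the attribute bytes through `vlan_from_accept` shows whether the switch was given a complete, consistent VLAN assignment for that MAC. The check is deliberately strict: attributes with different tags are never combined, and only numeric VLAN IDs are accepted, so extend it if your server sends VLAN names.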

 

 
