How do I make stateful dot1x work in the ArubaOS 3.x code? 

Jul 01, 2014 05:45 PM

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.0 and later. 

Stateful dot1x is the authentication type that lets an Aruba controller apply firewall rules (user roles) to wireless users that are associated with non-Aruba APs and authenticate with 802.1X. The third-party AP stays the 802.1X authenticator and RADIUS client; the controller sits in the path between the AP and the RADIUS server, monitors the RADIUS exchange, and moves the client from the "logon" role to the configured default role once the server accepts the authentication. 

Configuration 

To make stateful dot1x work in ArubaOS 3.x code: 
•     The physical controller port that is the ingress port for the third-party APs' traffic must be configured as an "untrusted" port. Traffic on a trusted port bypasses the firewall role processing, so the controller would never associate the authentication with a user. 
•     Wired authentication is not mandatory for stateful dot1x. However, if "aaa authentication wired" is enabled, the initial role of the AAA profile applied to wired authentication must be the "logon" role. Any other initial role breaks stateful dot1x, because the ACL that redirects the RADIUS traffic is added only to "logon". 
•     When stateful dot1x authentication is enabled and a RADIUS server group has been applied to the "stateful-dot1x" profile, the controller automatically generates the "stateful-dot1x" ACL and appends it to the end of the "logon" user role, as in this sample configuration: 

user-role logon 
    session-acl logon-control 
    session-acl captiveportal 
    session-acl vpnlogon 
    session-acl stateful-dot1x          <== added automatically 

aaa authentication-server radius "test" 
    host 10.168.1.1 
    key 80ecd0c91e076c92e94ecdf51cd5b5aa 
    authport 1812 
    acctport 1813 

aaa server-group "test-server-group" 
    auth-server test 

aaa authentication stateful-dot1x 
    enable 
    default-role authenticated 
    server-group test-server-group 

# show ip access-list stateful-dot1x 
1   any   any          svc-dns    permit 
2   any   any          svc-dhcp   permit 
3   any   10.168.1.1   udp 1812   redirect opcode 52 

•     Make sure the dot1x authentication traffic (the RADIUS exchange between the AP and the RADIUS server) passes through the controller; otherwise the controller cannot monitor the authentication transaction and cannot apply the right user role when the authentication finishes. The auto-generated ACE matches only traffic to the server in the profile's server group on its configured authport (10.168.1.1 UDP 1812 in the sample), so the AP must be configured to use that same RADIUS server and port. 
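The following is an added example, not ArubaOS code and not part of the original article. It models what the controller has to do once the redirect ACE hands it the AP's RADIUS traffic: parse each datagram (RFC 2865 layout), remember each Access-Request by AP address and RADIUS Identifier together with its Request Authenticator and the client MAC from Calling-Station-Id, and on the reply derive the client's role. The check of the Response Authenticator is what RFC 2865 specifies for a RADIUS client; that the controller performs the same check is an assumption drawn from the "Received Valid Radius Response" log line. The shared secret, MAC addresses, user name and EAP payload are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet: 4-byte header, 16-byte authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("RADIUS length field does not match datagram size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return code, ident, data[4:20], attrs


def sign_response(resp, req_auth, secret):
    """Fill in the Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[:4] + digest + resp[20:]


def response_is_valid(resp, req_auth, secret):
    """Check a reply's Response Authenticator against the request it answers."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


class StatefulDot1x:
    """Snoop the RADIUS exchange between a third-party AP and the RADIUS server
    and derive the wireless client's role from the outcome (model of the
    controller's behaviour, not ArubaOS code)."""

    def __init__(self, secret, default_role="authenticated", initial_role="logon"):
        self.secret = secret
        self.default_role = default_role   # 'default-role' of the stateful-dot1x profile
        self.initial_role = initial_role   # the 'logon' role the article requires
        self.pending = {}                  # (ap, ident) -> (request authenticator, client MAC)
        self.roles = {}                    # client MAC -> current role

    def on_request(self, ap, data):
        """AP -> server direction (the traffic matched by the 'udp 1812 redirect' ACE)."""
        code, ident, auth, attrs = parse_packet(data)
        if code != ACCESS_REQUEST:
            return None
        mac = next((v.decode() for t, v in attrs if t == CALLING_STATION_ID), None)
        if mac is None:
            return None                    # cannot tie the request to a client; just forward it
        self.roles.setdefault(mac, self.initial_role)
        self.pending[(ap, ident)] = (auth, mac)
        return mac

    def on_response(self, ap, data):
        """Server -> AP direction. Returns the role now applied to the client, or None."""
        code, ident, _, _ = parse_packet(data)
        key = (ap, ident)
        if key not in self.pending:
            return None                    # unsolicited reply: nothing to derive a role for
        req_auth, mac = self.pending[key]
        if not response_is_valid(data, req_auth, self.secret):
            return None                    # forged reply or wrong shared secret: client stays in logon
        del self.pending[key]
        if code == ACCESS_ACCEPT:
            self.roles[mac] = self.default_role
        elif code == ACCESS_REJECT:
            self.roles[mac] = self.initial_role
        # Access-Challenge: EAP round in progress, role unchanged
        return self.roles[mac]


def demo():
    """Constructed exchange: a genuine accept, a reject, and an accept signed with the wrong secret."""
    secret = b"constructed-shared-secret"          # assumed value, not a real key
    ctl = StatefulDot1x(secret)
    ap = "192.168.1.100"                              # AP address taken from the article's log

    def run(ident, mac, code, secret_used):
        req_auth = bytes([ident]) * 16                # fixed here for repeatability; a real NAS uses random bytes
        req = build_packet(ACCESS_REQUEST, ident, req_auth, [
            (USER_NAME, b"user@example.com"),
            (CALLING_STATION_ID, mac.encode()),
            (EAP_MESSAGE, b"\x02\x01\x00\x09\x01user"),  # constructed EAP-Response/Identity
        ])
        ctl.on_request(ap, req)
        resp = sign_response(build_packet(code, ident, bytes(16), []), req_auth, secret_used)
        ctl.on_response(ap, resp)
        return ctl.roles[mac]

    return {
        "accepted": run(1, "00:1d:e0:12:f4:a1", ACCESS_ACCEPT, secret),
        "rejected": run(2, "00:1d:e0:12:f4:a2", ACCESS_REJECT, secret),
        "forged": run(3, "00:1d:e0:12:f4:a3", ACCESS_ACCEPT, b"wrong-secret"),
    }
```

The forged case is the reason the shared secret matters on the controller side as well as on the AP: an Access-Accept that does not verify against the outstanding request must leave the client in "logon", otherwise anyone who can inject a datagram from the server's address could promote a client to the default role.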

Troubleshooting 

1)  logging level debug security process authmgr 
    Enables debug logging for the authmgr process; read the result with "show log security". Revert the logging level when you are done, because the debug output is verbose. 
2)  show acl hits role logon 
    Confirms that the RADIUS traffic from the AP is actually hitting the stateful-dot1x ACE in the "logon" role. If the redirect ACE shows no hits, the traffic is not entering through the untrusted port, or is not addressed to the server and port configured in the server group. 

"show log security" in a working case (entries that wrapped in the original output are shown on one line each): 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:0d:bd:bb:d2:a3/sport:1645/dport:1812 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  USER_NAME 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  EAP MESSAGE 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|   {L2} Authenticating Server is test 
Oct 17 14:09:37 :199802:  <ERRS> |authmgr|  user.c, derive_role2:3707: {00:1d:e0:12:f4:a1-0.0.0.0} Missing server group in attribute list, auth=Stateful-802.1x, utype=L2 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 17, msglen = 132 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  Forwarding the Radius Response to AP:192.168.1.100 len:0 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:2/smac:00:0b:86:40:3a:60/sport:1812/dport:1645 

Note that the ERRS line from derive_role2 appears even in this working case, so on its own it is not the sign of a failure. The sequence to look for is the Access-Request (code:1) being forwarded to the server, a valid response being received, and that response being forwarded back to the AP. 
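The following is an added example, not part of the original article and not an Aruba tool: a small parser for the "show log security" excerpt above that re-joins wrapped entries, then checks whether the three stages of a snooped transaction (request forwarded, valid response received, response forwarded to the AP) are all present and pulls out the client MAC, AP address and authenticating server. The embedded log is the article's own excerpt; the message patterns are matched as they appear there and are not a documented ArubaOS format.

```python
import re

# Sample input: the article's "show log security" excerpt, including the wrapped
# continuation lines exactly as printed.
SAMPLE_LOG = """\
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after
stateful dot1x processing code:1/smac:00:0d:bd:bb:d2:a3/sport:1645/dport:1812
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  USER_NAME
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  EAP MESSAGE
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|   {L2} Authenticating Server is test
Oct 17 14:09:37 :199802:  <ERRS> |authmgr|  user.c, derive_role2:3707:
{00:1d:e0:12:f4:a1-0.0.0.0} Missing server group in attribute list,
auth=Stateful-802.1x, utype=L2
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 17,
msglen = 132
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  Forwarding the Radius Response to
AP:192.168.1.100 len:0
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after
stateful dot1x processing code:2/smac:00:0b:86:40:3a:60/sport:1812/dport:1645
"""

# One log entry: timestamp, message id, level, process, free text.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): +"
    r"<(?P<level>[A-Z]+)> \|(?P<proc>\w+)\| +(?P<msg>.*)$"
)


def parse_security_log(text):
    """Split 'show log security' output into entries, re-joining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["msg"] += " " + line    # continuation of the previous entry
    return entries


def assess_stateful_dot1x(text):
    """Report which stages of one snooped RADIUS transaction are visible in the log."""
    entries = [e for e in parse_security_log(text) if e["proc"] == "authmgr"]
    msgs = [e["msg"] for e in entries]

    def find(pattern):
        for m in msgs:
            hit = re.search(pattern, m)
            if hit:
                return hit
        return None

    mac = find(r"\{([0-9a-f]{2}(?::[0-9a-f]{2}){5})-")          # from the derive_role2 line
    ap = find(r"Forwarding the Radius Response to AP:(\d+\.\d+\.\d+\.\d+)")
    server = find(r"Authenticating Server is (\S+)")
    report = {
        # code:1 is the Access-Request on its way to the RADIUS server
        "request_forwarded": find(r"stateful dot1x processing code:1/") is not None,
        # the log line carries a typo ("Reponse"); accept both spellings
        "valid_response": find(r"Received Valid Radius Re(s)?ponse") is not None,
        "response_forwarded": find(r"Forwarding the Radius Response to AP:") is not None,
        "client_mac": mac.group(1) if mac else None,
        "ap": ap.group(1) if ap else None,
        "server": server.group(1) if server else None,
        "errors": [e["msg"] for e in entries if e["level"] == "ERRS"],
    }
    report["completed"] = all(
        report[k] for k in ("request_forwarded", "valid_response", "response_forwarded")
    )
    return report
```

Run it over a capture from a failing AP and the first stage that is missing tells you where to look: no forwarded request means the RADIUS traffic never hit the redirect ACE, a forwarded request with no valid response points at the server or the shared secret.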
