Wired clients behind IAP unable to pass traffic

Aruba Employee

Question : Why are wired users behind IAP-135 unable to pass traffic after authentication?
Why are wired users behind IAP-135 not put into post-authenticated role? Same users are authenticating fine and getting the right user-role on the wireless.

 

Environment Information : IAPs with extra wired ENET ports - IAP-13x, IAP-22x, IAP-3WN

Any Aruba OS
CPPM

 

Symptoms : Clients are getting authenticated and fall into post-auth role correctly when connecting to wireless but same clients are not falling into post-auth role when connecting to the wired port of IAP.  Same AAA profile is used on wired and wireless.

 

Answer : We can check the user-role for wired clients from the Web UI under "Wired" or from CLI using "show clients wired".  Note that Wired clients on IAP are not seen on the main client dashboard of the IAP where we see wireless clients but we need to find "Wired".  For example, under More>Wired as shown below:

rtaImage.jpg

As seen from the output above, wired clients are falling in pre-auth role.  If we know that the clients are valid and same client authenticates fine when connected to wireless and using the same AAA profile, then one likely issue is the missing Radius Policy for Wired IAP users.  IAPs send the ESSID "_eth1_wired" for ENET1 ports in the Radius Requests.  

rtaImage.png

If the Radius Server (CPPM for instance) has a policy to only allow certain ESSIDs to connect then we must add a policy to allow the ESSID used for wired connections behind the IAP.

Version history
Revision #:
1 of 1
Last update:
‎07-11-2014 09:09 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: