Question : Why are wired users behind an IAP-135 unable to pass traffic after authentication?
Why are wired users behind an IAP-135 not placed into the post-authentication role? The same users authenticate fine and get the right user role on wireless.
Environment Information : IAPs with extra wired ENET ports - IAP-13x, IAP-22x, IAP-3WN
Symptoms : Clients authenticate and fall into the post-auth role correctly when connecting to wireless, but the same clients do not fall into the post-auth role when connecting to the wired port of the IAP. The same AAA profile is used on wired and wireless.
Answer : We can check the user role for wired clients from the Web UI under "Wired" or from the CLI using "show clients wired". Note that wired clients on an IAP are not shown on the main client dashboard of the IAP, where the wireless clients appear; we need to find "Wired" instead, for example under More > Wired.
In this case the wired clients are falling into the pre-auth role. If we know that the clients are valid, and the same client authenticates fine when connected to wireless using the same AAA profile, then one likely issue is a missing RADIUS policy for wired IAP users. IAPs send the ESSID "_eth1_wired" for ENET1 ports in the RADIUS requests.
If the RADIUS server (CPPM, for instance) has a policy that only allows certain ESSIDs to connect, then we must add a policy to allow the ESSID used for wired connections behind the IAP.
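The following added example (not from the original article or from Aruba) models the mismatch described above: an ESSID allow-list on the RADIUS server that matches a user on wireless but not when the IAP sends "_eth1_wired" for the ENET1 port. The request records, user names, MAC addresses, wireless ESSID names and function names are constructed for illustration; only the "_eth1_wired" value comes from the article.

```python
from collections import defaultdict

WIRED_ESSID = "_eth1_wired"  # value the article says IAPs send for ENET1 ports

# Constructed sample of authentication requests as a RADIUS server might record them.
# Wired and wireless NICs have different MACs, so results are grouped by user name.
SAMPLE_REQUESTS = [
    {"mac": "aa:bb:cc:00:00:01", "user": "alice", "essid": "corp-wifi"},
    {"mac": "aa:bb:cc:00:00:11", "user": "alice", "essid": "_eth1_wired"},
    {"mac": "aa:bb:cc:00:00:02", "user": "bob", "essid": "corp-wifi"},
    {"mac": "aa:bb:cc:00:00:03", "user": "carol", "essid": "guest-wifi"},
]


def policy_allows(essid, allowed_essids):
    """Hypothetical model of a server rule that only serves listed ESSIDs."""
    return essid in allowed_essids


def find_wired_policy_gaps(requests, allowed_essids):
    """Return users who match the policy on wireless but not on the wired port."""
    outcomes = defaultdict(lambda: {"wireless_ok": False, "wired_blocked": False})
    for req in requests:
        allowed = policy_allows(req["essid"], allowed_essids)
        entry = outcomes[req["user"]]
        if req["essid"] == WIRED_ESSID:
            # Wired request from the IAP: record whether the allow-list missed it.
            entry["wired_blocked"] = entry["wired_blocked"] or not allowed
        elif allowed:
            entry["wireless_ok"] = True
    return sorted(
        user for user, o in outcomes.items()
        if o["wireless_ok"] and o["wired_blocked"]
    )


if __name__ == "__main__":
    before = {"corp-wifi"}            # allow-list without the wired ESSID
    after = before | {WIRED_ESSID}    # allow-list after adding the wired ESSID
    print("affected before fix:", find_wired_policy_gaps(SAMPLE_REQUESTS, before))
    print("affected after fix: ", find_wired_policy_gaps(SAMPLE_REQUESTS, after))
```

Users who never match on wireless (such as the constructed "carol") are deliberately excluded, since their failure is not explained by the missing wired ESSID entry.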