Role to a port for wired users?

  • 1.  Role to a port for wired users?

    Posted Jun 24, 2016 08:29 AM

    Can a role be applied to a port for unauthenticated wired traffic? In my lab, I created VLAN 100 on the controller (7010) and put it on port 14 (access, not trunk). For testing purposes I am using the controller for DHCP. I connect my test laptop up and draw the right address and I get out to the universe. I get to the universe on VLAN 10. Here is the quick breakdown:

     

    VLAN 10 - 192.168.30.X (port 2) inter VLAN routing enabled, not NATing

    VLAN 100 - 172.16.100.X (port 14) inter VLAN routing enabled, not NATing

    Controller IP - 192.168.30.225 (VLAN 10)

    wired laptop IP - 172.16.100.2

     

    So I created a role called VLAN-100-LAN and applied it to VLAN 100. I then created a session-based ACL rule to deny access to 192.168.30.218, which is a printer.

    Problem - I can still get to the printer... Any ideas?

     



  • 2.  RE: Role to a port for wired users?

    EMPLOYEE
    Posted Jun 24, 2016 08:31 AM
    You need to create an AAA profile, apply it to the interface or VLAN, and then make the interface or VLAN untrusted.


  • 3.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 08:41 AM

    AAA profile - check

    trying to make port changes but keep getting error every time I try to apply it

    error - Invalid value for xSec key. Length should be 16 bytes

     

    What's that about?



  • 4.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 09:05 AM

    Did some quick digging and - 

    I do not have xsec enabled on the port or VLAN

    I do not even have the license for xsec on this controller

    Now I am really confused LOL



  • 5.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 09:09 AM

    Interesting - changed the port to trunk instead of access and error went away, was then able to make settings changes and set it back to access.

     

    weird...



  • 6.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 09:25 AM

    And back to the subject at hand...

     

    When I make either the port untrusted or the VLAN untrusted I can no longer get out on the hard-wired laptop. Whenever I try to go to any web site I get taken to an Aruba page saying that web authentication has been disabled, please see your network administrator. I don't recall enabling any sort of web authentication at all.

     

    What do ya say there Cappi?



  • 7.  RE: Role to a port for wired users?

    EMPLOYEE
    Posted Jun 24, 2016 09:28 AM
    If you're not using authentication, set the initial role in the AAA profile to the role you want.


  • 8.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 09:45 AM

    VLAN-100-No-Auth AAA profile has initial role of VLAN-100-LAN

    VLAN-100-LAN role is applied to VLAN 100 (I know, shocker right)

    VLAN 100 is applied to port 14 and VLAN is UNtrusted (also tried UNtrusting the port too, same results)

     

    Still getting "Web authentication is disabled, please contact... blah blah blah"

     

    I feel like I am missing a setting somewhere...



  • 9.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 09:49 AM

    ha-HA! I figured it out!

     

    It's my ACLs on my role. I just need to refine them!

     

    Thanks for the help as always Cappi - MUCH appreciated!

     

    I spoke too soon.... grrr. Was testing with a cached website and didn't realize it...

    So still same problem



  • 10.  RE: Role to a port for wired users?

    Posted Jun 24, 2016 10:16 AM

    Any other thoughts by chance, Cappi? (or anyone LOL)