Multi user type authentication
04-09-2012 12:54 PM
I'm trying to set up user auth on one of my S3500 wired ports and I must be missing something.
I tested without applying the aaa profile to the interface to verify that DHCP is working.
With the below configuration, and the aaa profile applied to the port, I do not even get an authentication window (using a MacBook Pro).
!
! Logon role ACL
!
ip access-list stateless logon-control-stateless
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
!
! Authenticated "dorm-wired" user role ACL
!
ip access-list stateless allowall-stateless
   any any any permit
!
! My authenticated user, placed on vlan 2
!
user-role dorm-wired
   vlan 2
   access-list stateless allowall-stateless
!
! My default role user, placed on vlan 3
!
user-role Post-Auth-Default
   vlan 3
   access-list stateless logon-control-stateless
!
! My logon role, limited access
!
user-role logon
   access-list stateless logon-control-stateless
!
! My dot1x profile, using the internal database for testing purposes
!
aaa authentication dot1x "wired-dorm"
   termination enable
!
! My server-group, internal database
!
aaa server-group "auth-internal"
   auth-server Internal
   set role condition role value-of
!
! My aaa profile
!
aaa profile "dorm-wired"
   authentication-dot1x "wired-dorm"
   dot1x-default-role "Post-Auth-Default"
   dot1x-server-group "auth-internal"
!
! Applied to the client interface, switchport mode is access
!
interface gigabitethernet "0/0/5"
   aaa-profile "dorm-wired"
   switching-profile "client"
Re: Multi user type authentication
04-10-2012 02:07 PM
The complete configuration is not pasted. For the configuration of interface g0/0/5,
do you have "no trusted port"? It will put the port in untrusted mode and aaa will kick in.
Note: I guess you want to put non-authenticated users in role "dorm-wired". If this is the case,
"initial role dorm-wired" needs to be added to the aaa profile, otherwise the "default" role will be used.
Re: Multi user type authentication
04-10-2012 03:46 PM
Yes, trusted port can most likely be the issue here. Also, to be sure once the port is untrusted, if you are using local-userdb can you run "aaa user delete all" and "clear mac-address-table"? It also is a good idea to disable/enable the interface on the MacBook.
If that still does not help, it would be great if we can get the output of "show log user", "show dot1x supplicant-info" and "show auth-tracebuf" with complete configs for further debugging.
--
Thanks
ATM
Re: Multi user type authentication
04-11-2012 06:54 AM
Abhinethra and Gcui, thanks, setting the port untrusted did the trick.
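
An added example, not part of the thread or of any vendor tooling: a Python check for the misconfiguration resolved above, an interface that carries an aaa-profile but was never set untrusted, so authentication is not enforced on it. It assumes stanzas are separated by "!" lines as in the posted configuration and that the setting appears literally as `no trusted port`, the form quoted in the reply; the sample configuration is constructed.

```python
import re

# Constructed sample in the layout of the configuration posted in this thread.
# Assumptions: a stanza ends at a "!" line (indentation is optional), and the
# untrusted setting is written as "no trusted port", as quoted in the reply.
SAMPLE_CONFIG = '''\
interface gigabitethernet "0/0/5"
   aaa-profile "dorm-wired"
   switching-profile "client"
!
interface gigabitethernet "0/0/6"
   aaa-profile "dorm-wired"
   no trusted port
   switching-profile "client"
!
'''

IFACE_RE = re.compile(r'^interface\s+(\S+)\s+"?([^"\s]+)"?$')


def interface_stanzas(config_text):
    """Yield (interface name, [sub-commands]) for each interface stanza."""
    name, body = None, []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # tolerate pastes with lost indentation
        m = IFACE_RE.match(line)
        if m or line.startswith("!") or not line:
            if name is not None:
                yield name, body
            name, body = (f"{m.group(1)} {m.group(2)}", []) if m else (None, [])
        elif name is not None:
            body.append(line)
    if name is not None:  # stanza that runs to the end of the input
        yield name, body


def unenforced_aaa_ports(config_text):
    """Return (interface, profile) pairs where AAA is configured but the port is still trusted."""
    findings = []
    for name, body in interface_stanzas(config_text):
        profiles = [c.split(None, 1)[1].strip('"') for c in body
                    if c.startswith("aaa-profile ")]
        if profiles and "no trusted port" not in body:
            findings.append((name, profiles[0]))
    return findings


if __name__ == "__main__":
    for port, profile in unenforced_aaa_ports(SAMPLE_CONFIG):
        print(f"{port}: aaa-profile {profile} applied, but 'no trusted port' is missing")
```

Run against a saved copy of the switch configuration, it lists every port where 802.1X was intended but the port is still trusted.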




