og
Occasional Contributor I
Posts: 9
Registered: ‎05-20-2010

RAP2 802.1x on wired port

Hi there,

I have a 600 controller running version 6.0.2.2 which is only managing RAPs. The wireless side is working perfectly with 802.1x. Now I also want the E1 port of my RAP2 to do 802.1x auth. I searched this forum and found http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2147. All of my configuration matches the answers there, but I can't get it to work. Even with the 802.1x AAA group assigned to E1, the RAP lets my client connect without 802.1x. When I force the client to do only 802.1x, I get an authentication failure on the client. There is no failed-authentication message on the controller or the RADIUS server, so I suppose that the E1 port is not running 802.1x.
I am using the same profiles as for my SSID, where they work perfectly.
Is anyone running this config on a 6.0.x.x OS?
cheers
Oliver
Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: RAP2 802.1x on wired port

Try this:

config t
aaa authentication wired
profile default


Also, the initial role for the AAA profile that is connected to the wired port must be a deny-all role. The "initial role" of the AAA profile says what role a device that physically plugs into the port without authentication gets. That is for users that probably fail authentication. Make that initial role in the AAA profile a "deny all" role and a device will ONLY be able to pass traffic if it passes 802.1x. I would run the aaa authentication wired command first and make sure 802.1x works before changing the initial role. If this is Windows, did you start the Wired Zero Touch Configuration service?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
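As an added illustration (not from the thread and not Aruba's documentation), this is what the advice in this reply, combined with the later point that the port must be untrusted, amounts to as an ArubaOS 6.x configuration fragment. Profile names, VLAN 10 and the server group "corp-radius" are assumptions. The thread does not settle whether the initial role should be deny-all (Colin suggests it, TAC later advises against it), so the fragment uses the built-in "logon" role, which only passes the traffic needed to authenticate; how the wired-AP profile is bound to the RAP's enet1 port inside the ap-group differs between releases, so that binding is left out and should be checked against your controller's ap-group options.

```text
! Constructed example. Names, VLAN and server group are assumptions.

! Role handed out once 802.1x succeeds on the wired port
ip access-list session allow-corp
  any any any permit
user-role wired-authenticated
  access-list session allow-corp

! 802.1x authentication profile (user authentication; machine
! authentication is off by default)
aaa authentication dot1x "dot1x-wired"

! AAA profile for the wired port. initial-role is what an unauthenticated
! device gets; "logon" is the built-in role that permits EAPOL/DHCP and
! little else, so an unauthenticated client cannot reach the network.
aaa profile "rap-e1-dot1x"
  initial-role logon
  authentication-dot1x "dot1x-wired"
  dot1x-default-role wired-authenticated
  dot1x-server-group "corp-radius"

! Colin's command: bind the AAA profile to wired ports
aaa authentication wired
  profile "rap-e1-dot1x"

! Wired-AP profile for the RAP's E1 port. "no trusted" is the decisive
! setting: a trusted port bypasses AAA entirely and the client is simply
! let through, which is the symptom described in the first post.
ap wired-ap-profile "rap-e1"
  wired-ap-enable
  forward-mode tunnel
  switchport access vlan 10
  no trusted
```

After plugging the client in, `show user-table` should list its MAC in the logon role (before) and the dot1x default role (after), and `show auth-tracebuf` should show the EAPOL exchange for that MAC. If the MAC appears in neither, the port is not running 802.1x at all, most likely because it is still trusted or the AAA profile is not bound to it.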

og
Occasional Contributor I
Posts: 9
Registered: ‎05-20-2010

Re: RAP2 802.1x on wired port

Hi,
thanks for the answer.
What is that "default" profile in the aaa authentication wired command referring to? Are there rules hidden behind it that can be altered?
I created a policy that denies everything with action drop and applied it to the initial role in the AAA profile.
It's still not working after that. I just opened a TAC case regarding this.
The RAP still gives my client access without 802.1x config; when I force 802.1x without fallback in Windows, I get an auth error.
Yes, this is Windows 7, and yes, I started Wired Zero Touch so I get the additional tab in the network properties.
I attached a show tech; maybe you can find some error in my config.
regards
Oliver
Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: RAP2 802.1x on wired port

It looks like it is trying. I see RADIUS rejects for your station:

Apr 29 09:00:32 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:02 |authmgr| RADIUS reject for station host/lthsai98.auva1.global 00:1a:73:9b:85:98 from server AUVA-Home-Office.
Apr 29 09:01:21 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:21 |authmgr| RADIUS reject for station host/lthsai98.auva1.global 00:1a:73:9b:85:98 from server AUVA-Home-Office.
Apr 29 09:01:28 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:28 |authmgr| RADIUS reject for station

There are two parts to this: I am assuming that this is a Windows 7 client. If so, you need to make a change in the "Advanced" portion of the wired 802.1x configuration so that it uses the username of the logged-in user, as opposed to the machine name.

Go to the link here: http://networking.grok.lsu.edu/Article.aspx?articleId=14970 and at the dialog in step 19, change it to "user or computer authentication" instead of just computer to fix that.


Colin Joseph
Aruba Customer Engineering


og
Occasional Contributor I
Posts: 9
Registered: ‎05-20-2010

Re: RAP2 802.1x on wired port

Hi,
thank you for troubleshooting.
The log entries you are seeing are not from my station. I suppose they are from a customer's PC which is not correctly configured. The controller is already at the customer site for a demo installation.
On my station I only have user auth enabled, because for testing we don't check the computer account.
When my PC is trying to connect, no log output is generated. The MAC address of my wired port is not present in the logs.
TAC replied to me that the E1 port of the RAP should not be marked as trusted and the initial role should not be set to "deny all". I will try that later today and let you know the output.

cheers
Oliver
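The two posts above turn on one check: before reading a RADIUS reject as "your" failure, filter the authmgr log by the station MAC you are actually testing with. Absence of any EAPOL or RADIUS event for that MAC is itself the finding (the port is not running 802.1x), while a reject means 802.1x is running and the server refused the credentials. The following Python is an added example, not code from the thread or from Aruba; it parses the two authmgr message formats quoted above (the sample lines are the ones posted, including the truncated last line) and returns a verdict per station. The message formats are taken from the thread; any other authmgr message is ignored.

```python
import re
from collections import defaultdict

# Constructed sample: the authmgr lines quoted in the thread, including the
# truncated final line, which the parser must tolerate.
SAMPLE_LOG = """\
Apr 29 09:00:32 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:02 |authmgr| RADIUS reject for station host/lthsai98.auva1.global 00:1a:73:9b:85:98 from server AUVA-Home-Office.
Apr 29 09:01:21 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:21 |authmgr| RADIUS reject for station host/lthsai98.auva1.global 00:1a:73:9b:85:98 from server AUVA-Home-Office.
Apr 29 09:01:28 |authmgr| Dropping EAPOL packet sent by Station 00:1a:73:9b:85:98 00:1a:1e:41:9c:00
Apr 29 09:01:28 |authmgr| RADIUS reject for station
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# "Dropping EAPOL packet sent by Station <station-mac> <ap-mac>"
EAPOL_RE = re.compile(
    r"\|authmgr\| Dropping EAPOL packet sent by Station (?P<sta>" + MAC + r") (?P<ap>" + MAC + r")",
    re.IGNORECASE)
# "RADIUS reject for station <identity> <station-mac> from server <name>."
REJECT_RE = re.compile(
    r"\|authmgr\| RADIUS reject for station (?P<identity>\S+) (?P<sta>" + MAC + r") from server (?P<server>[^.\s]+)",
    re.IGNORECASE)

NO_ACTIVITY = "no-activity"      # MAC never seen: port is not doing 802.1x for it
EAPOL_ONLY = "eapol-only"        # EAPOL frames seen, no RADIUS verdict logged
RADIUS_REJECT = "radius-reject"  # 802.1x runs; the server rejected the credentials


def parse_authmgr(text):
    """Group authmgr events by station MAC. Returns {mac: stats}."""
    stats = defaultdict(lambda: {"eapol_drops": 0, "rejects": 0,
                                 "identities": set(), "servers": set()})
    for line in text.splitlines():
        m = EAPOL_RE.search(line)
        if m:
            stats[m["sta"].lower()]["eapol_drops"] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            s = stats[m["sta"].lower()]
            s["rejects"] += 1
            s["identities"].add(m["identity"])
            s["servers"].add(m["server"])
        # Lines matching neither pattern (truncated, or other messages) are skipped.
    return dict(stats)


def triage(text, station_mac):
    """Verdict for one station: NO_ACTIVITY, EAPOL_ONLY or RADIUS_REJECT."""
    s = parse_authmgr(text).get(station_mac.lower())
    if s is None:
        return NO_ACTIVITY
    if s["rejects"]:
        return RADIUS_REJECT
    return EAPOL_ONLY


def explain(text, station_mac):
    """Human-readable version of triage(), with the next thing to check."""
    verdict = triage(text, station_mac)
    s = parse_authmgr(text).get(station_mac.lower(), {})
    if verdict == NO_ACTIVITY:
        return (f"{station_mac}: no EAPOL or RADIUS events. The supplicant never reached "
                "authmgr; check that the port is untrusted and the AAA profile is bound to it.")
    if verdict == RADIUS_REJECT:
        return (f"{station_mac}: {s['rejects']} RADIUS reject(s) from "
                f"{', '.join(sorted(s['servers']))} for identity "
                f"{', '.join(sorted(s['identities']))}. 802.1x is running; the server "
                "rejected the credentials (e.g. a host/ machine identity where only user "
                "authentication is configured).")
    return (f"{station_mac}: {s['eapol_drops']} EAPOL frame(s) dropped and no RADIUS reply "
            "logged. 802.1x is running but the exchange is not completing.")


if __name__ == "__main__":
    # The station in the thread's log, and a station that never appears in it.
    print(explain(SAMPLE_LOG, "00:1a:73:9b:85:98"))
    print(explain(SAMPLE_LOG, "00:1a:73:9b:85:99"))
```

Feed it the output of `show log security` (or the authmgr portion of a show tech) and the MAC of the wired adapter you are testing with; the second verdict in the example, no activity at all, is the situation the poster describes for his own station.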
Occasional Contributor II
Posts: 19
Registered: ‎03-16-2011

Re: RAP2 802.1x on wired port

Interesting. It should be untrusted to make AAA run on that port. Make sure that the port is untrusted and then apply an AAA profile to the port. The AAA profile should include dot1x auth, of course; the rest is the same as on the wireless side.
Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: RAP2 802.1x on wired port

If you are working on this with TAC, please continue to work with them and let us know the result, as they have much more information than this forum about your situation. Thank you.


Colin Joseph
Aruba Customer Engineering
