Remote Networking

MVP
Posts: 369
Registered: 01-14-2010

Wired AP access and port-based role derivation

All,

We've recently deployed our first RAP-5 at an off-campus housing facility that holds 6 people. We've run into an interesting issue that we didn't see when we were setting up the device.

Here's what's going on: the proper role is derived when you first plug into the RAP-5 Ethernet port. But, if you plug a different device into the same Ethernet port, it derives the "logon" role and pops up with a captive portal.

Here's the code:

ap-group "WLU-GL-Master-RAP5-AP-Group"
virtual-ap "WLUsec-GL-Master-RAP5-VAP"
virtual-ap "WLU-GL-Master-RAP5-VAP"
dot11a-radio-profile "WLU-radio-802.11a"
dot11g-radio-profile "WLU-radio-802.11g"
enet1-port-profile "WLU-RAP5-Split-Tunnel"
enet2-port-profile "WLU-RAP5-Split-Tunnel"
enet3-port-profile "WLU-RAP5-Split-Tunnel"
enet4-port-profile "WLU-RAP5-Split-Tunnel"
ap-system-profile "GL-Master-System-Profile"

ap wired-port-profile "WLU-RAP5-Split-Tunnel"
wired-ap-profile "RAP5-WLU-Split-Tunnel-Port"
no rap-backup
aaa-profile "WLU-RAP5-Wired-AAA"

ap wired-ap-profile "RAP5-WLU-Split-Tunnel-Port"
wired-ap-enable
forward-mode split-tunnel
switchport access vlan 341

aaa profile "WLU-RAP5-Wired-AAA"
initial-role "WLU-Wired-Port-RAP5"
mac-default-role "WLU-DenyAll"
authentication-dot1x "WLU-8021x-Auth-Profile"
dot1x-default-role "WLU-DenyAll"
dot1x-server-group "WLU-RAP5-Radius-Servers"

user-role WLU-Wired-Port-RAP5
max-sessions 200
ipv6 session-acl v6-denyall
session-acl mDNS-responder
session-acl Remote-Split-Tunneling
session-acl allowall
!

It appears to me that the connection is deriving the proper "initial-role" from the VAP, but a second connection seems to fall back into the defaults.

I have a feeling this will be a pretty simple fix and there's something easy that I'm overlooking. Thanks for any help that you can offer!

-Mike
Guru Elite
Posts: 20,781
Registered: 03-29-2007

Re: Wired AP access and port-based role derivation

A few questions. What are the rules in the initial role (show rights WLU-Wired-Port-RAP5)? What are you trying to do on that port: authentication, wired 802.1x? Split Tunneling?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 369
Registered: 01-14-2010

Re: Wired AP access and port-based role derivation

Hi Colin,

I would like every Ethernet connection to have a split-tunneled role without a portal page or 802.1x. Basically, you plug in and you're good to go.

Here's the output of the command:

(GL-Master) #show rights WLU-Wired-Port-RAP5

Derived Role = 'WLU-Wired-Port-RAP5'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 88/0
Max Sessions = 200


access-list List
----------------
Position Name Location
-------- ---- --------
1 v6-denyall
2 mDNS-responder
3 Remote-Split-Tunneling
4 allowall

v6-denyall
----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any any deny Low
mDNS-responder
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any tcp 5353-5354 deny Low
2 any any udp 5353-5354 deny Low
Remote-Split-Tunneling
----------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-dhcp permit Low
2 any WLU-IP-Space any permit Low
3 user any any route src-nat Low
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any any permit Low

Expired Policies (due to time constraints) = 0
Guru Elite
Posts: 20,781
Registered: 03-29-2007

Re: Wired AP access and port-based role derivation

The first thing you need to do is find out what role the wired user is in when they get the captive portal page. Do "show user" at the command line to find out. Then you need to find out WHY the user ends up there by turning on user debugging (config t logging level debug user).


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 369
Registered: 01-14-2010

Re: Wired AP access and port-based role derivation

Hi Colin,

Here's what I've found when I added the following to the config:

logging level debugging user-debug 00:80:a3:63:04:db

I rebooted the AP with the following command:

(GL-Master) #apboot ap-name RAP5-Int-House

The ports are then assigned the proper roles:

(GL-Master) #show user-table verbose

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ------ ---- ---
24.125.220.54 00:00:00:00:00:00 logon 04:23:55 VPN N/A default tunnel 1
10.20.30.99 00:00:00:00:00:00 00:0b:86:67:11:3a ap-role 00:00:04 VPN 24.125.220.54 N/A default tunnel Internal 1
137.113.191.45 00:24:6c:c5:1a:2e WLU-Wired-Port-RAP5 00:00:50 RAP5-Int-House Wired(Remote) 10.20.30.99:0/1 WLU-RAP5-Wired-AAA split tunnel 341
137.113.191.249 00:80:a3:63:04:db WLU-Wired-Port-RAP5 00:00:10 RAP5-Int-House Wired(Remote) 10.20.30.99:0/2 WLU-RAP5-Wired-AAA split tunnel 341

User Entries: 4/4

Jan 31 15:17:10 :522004: |authmgr| {137.113.191.249} datapath entry deleted
Jan 31 15:18:20 :522004: |authmgr| user_miss from RAP:10.20.30.99, (Wired) user IP:137.113.191.249, VLAN:341, BSSID:00:0b:86:67:11:3c:AP:RAP5-Int-House
Jan 31 15:18:20 :522035: |authmgr| MAC=00:80:a3:63:04:db Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=341 AP-name=RAP5-Int-House
Jan 31 15:18:20 :522004: |authmgr| MAC=00:80:a3:63:04:db ingress 0x108a (tunnel 10), u_encr 1, m_encr 1, slotport 0x1002 wired, type: remote, FW mode: 3, AP IP: 10.20.30.99
Jan 31 15:18:20 :522004: |authmgr| no users to cleanup
Jan 31 15:18:20 :522004: |authmgr| station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x108bc054
Jan 31 15:18:20 :522004: |authmgr| AAA profile for wired user is "WLU-RAP5-Wired-AAA"
Jan 31 15:18:20 :522004: |authmgr| station free: bssid=01:80:c2:00:00:03, valid=1, @=0x108bc054
Jan 31 15:18:20 :522004: |authmgr| {L3} Update role from WLU-Wired-Port-RAP5 to WLU-Wired-Port-RAP5 for IP=137.113.191.249
Jan 31 15:18:20 :522004: |authmgr| Station inherit: IP=137.113.191.249 start bssid:00:0b:86:67:11:3c essid: port:0x108a (0x108a)
Jan 31 15:18:20 :522004: |authmgr| Adding RAP Wired User (split) 00:80:a3:63:04:db to STM stats tree
Jan 31 15:18:20 :522004: |authmgr| {137.113.191.249} autTable (" Unauthenticated WLU-Wired-Port-RAP5 ")
Jan 31 15:18:20 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: WLU-Wired-Port-RAP5, ACL:88, authtype:0
Jan 31 15:18:20 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 88, and Vlan info: 341, action : 0, AP IP: 10.20.30.99, flags : 0
Jan 31 15:22:10 :522004: |authmgr| AU0(0), HA1, TAP0, PARP0 OIP0 IIP0 INT0 WD1 FW3 DT0
Jan 31 15:22:10 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 88, and Vlan info: 341, action : 1, AP IP: 10.20.30.99, flags : 0
Jan 31 15:22:10 :522005: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry deleted: reason=unknown
Jan 31 15:22:10 :522004: |authmgr| MAC=00:80:a3:63:04:db Send Station delete message to mobility
Jan 31 15:22:10 :522004: |authmgr| Deleting RAP Wired User (3) 00:80:a3:63:04:db from STM stats tree
Jan 31 15:22:10 :522004: |authmgr| user_miss from RAP:10.20.30.99, (Wired) user IP:137.113.191.249, VLAN:341, BSSID:00:0b:86:67:11:3c:AP:RAP5-Int-House
Jan 31 15:22:10 :522035: |authmgr| MAC=00:80:a3:63:04:db Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=341 AP-name=RAP5-Int-House
Jan 31 15:22:10 :522004: |authmgr| MAC=00:80:a3:63:04:db ingress 0x108a (tunnel 10), u_encr 1, m_encr 1, slotport 0x1002 wired, type: remote, FW mode: 3, AP IP: 10.20.30.99
Jan 31 15:22:10 :522004: |authmgr| no users to cleanup
Jan 31 15:22:10 :522004: |authmgr| station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x108be024
Jan 31 15:22:10 :522004: |authmgr| AAA profile for wired user is "WLU-RAP5-Wired-AAA"
Jan 31 15:22:10 :522004: |authmgr| station free: bssid=01:80:c2:00:00:03, valid=1, @=0x108be024
Jan 31 15:22:10 :522004: |authmgr| MAC=00:80:a3:63:04:db Send Station delete message to mobility
Jan 31 15:22:10 :522006: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry added: reason=Auth Request
Jan 31 15:22:10 :522004: |authmgr| Station inherit: IP=137.113.191.249 start bssid:00:0b:86:67:11:3c essid: port:0x108a (0x108a)
Jan 31 15:22:10 :522004: |authmgr| Adding RAP Wired User (split) 00:80:a3:63:04:db to STM stats tree
Jan 31 15:22:10 :522004: |authmgr| {137.113.191.249} autTable (" Unauthenticated logon ")
Jan 31 15:22:10 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: logon, ACL:1, authtype:0
Jan 31 15:22:10 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 1, and Vlan info: 341, action : 0, AP IP: 10.20.30.99, flags : 0

Now, after a few minutes, the users have the "logon" role once again for no apparent reason:

(GL-Master) #show user-table verbose

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ------ ---- ---
24.125.220.54 00:00:00:00:00:00 logon 04:23:57 VPN N/A default tunnel 1
10.20.30.99 00:00:00:00:00:00 00:0b:86:67:11:3a ap-role 00:00:05 VPN 24.125.220.54 N/A default tunnel Internal 1
137.113.191.45 00:24:6c:c5:1a:2e logon 00:00:01 RAP5-Int-House Wired(Remote) 10.20.30.99:0/1 split tunnel 341
137.113.191.249 00:80:a3:63:04:db logon 00:00:01 RAP5-Int-House Wired(Remote) 10.20.30.99:0/2 split tunnel 341

User Entries: 4/4

Also, the following new entries were placed in the log:

Jan 31 15:24:26 :501065: |stm| Get Next/Get Request mac is 00:80:a3:63:04:db
Jan 31 15:25:53 :501065: |stm| Get Next/Get Request mac is 00:80:a3:63:04:db

After another minute or so, the user-table now shows the correct role for the first port:

(GL-Master) #show user-table verbose

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ------ ---- ---
24.125.220.54 00:00:00:00:00:00 logon 05:00:01 VPN N/A default tunnel 1
10.20.30.99 00:00:00:00:00:00 00:0b:86:67:11:3a ap-role 00:00:10 VPN 24.125.220.54 N/A default tunnel Internal 1
137.113.191.45 00:24:6c:c5:1a:2e WLU-Wired-Port-RAP5 00:00:00 RAP5-Int-House Wired(Remote) 10.20.30.99:0/1 WLU-RAP5-Wired-AAA split tunnel 341
137.113.191.249 00:80:a3:63:04:db logon 00:00:05 RAP5-Int-House Wired(Remote) 10.20.30.99:0/2 split tunnel 341

User Entries: 4/4

The funny thing is that both of these roles show a forward of "split tunnel." The "WLU-Wired-Port-RAP5" is not configured for a logon / captive portal.

Any help on this issue is definitely appreciated, thanks!

-Mike
Guru Elite
Posts: 20,781
Registered: 03-29-2007

Re: Wired AP access and port-based role derivation

You might want to allow any any ICMP in the ACL so that the controller can ping and NOT age out the wired user. #2 it should be any any any route src-nat, NOT user any route src-nat


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 369
Registered: 01-14-2010

Re: Wired AP access and port-based role derivation

Hi Colin,

I will give #1 a try and see what happens. Pages 196 - 197 of the 5.0 UG define a split tunnel connection as:

"user any any route src-nat"

Should I open a TAC ticket and let them know that there's an error in the UG?

Thanks for any help that you can offer!

-Mike
Guru Elite
Posts: 20,781
Registered: 03-29-2007

Re: Wired AP access and port-based role derivation

Mike,

I am trying to troubleshoot your situation with limited information and it should be taken as a semi-educated guess, not a rule.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 369
Registered: 01-14-2010

Re: Wired AP access and port-based role derivation

Hi Colin,

I made the changes to the split tunneling policy and added the icmp-acl as the first rule for WLU-Wired-Port-RAP5.

The "show user-table verbose" had the connected devices show up as a WLU-Wired-Port-RAP5 role but then went back to the "logon" role after a few minutes.

Here's the most recent output of "show log user-debug all"

Jan 31 22:40:45 :522004: |authmgr| user_miss from RAP:10.20.30.40, (Wired) user IP:137.113.191.249, VLAN:341, BSSID:00:0b:86:67:11:3c:AP:RAP5-Int-House
Jan 31 22:40:45 :522035: |authmgr| MAC=00:80:a3:63:04:db Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=341 AP-name=RAP5-Int-House
Jan 31 22:40:45 :522004: |authmgr| MAC=00:80:a3:63:04:db ingress 0x108c (tunnel 12), u_encr 1, m_encr 1, slotport 0x1002 wired, type: remote, FW mode: 3, AP IP: 10.20.30.40
Jan 31 22:40:45 :522004: |authmgr| no users to cleanup
Jan 31 22:40:45 :522004: |authmgr| station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x108a6f44
Jan 31 22:40:45 :522004: |authmgr| AAA profile for wired user is "WLU-RAP5-Wired-AAA"
Jan 31 22:40:45 :522004: |authmgr| station free: bssid=01:80:c2:00:00:03, valid=1, @=0x108a6f44
Jan 31 22:40:45 :522004: |authmgr| {L3} Update role from WLU-Wired-Port-RAP5 to WLU-Wired-Port-RAP5 for IP=137.113.191.249
Jan 31 22:40:45 :522004: |authmgr| Station inherit: IP=137.113.191.249 start bssid:00:0b:86:67:11:3c essid: port:0x108c (0x108c)
Jan 31 22:40:45 :522004: |authmgr| Adding RAP Wired User (split) 00:80:a3:63:04:db to STM stats tree
Jan 31 22:40:45 :522004: |authmgr| {137.113.191.249} autTable (" Unauthenticated WLU-Wired-Port-RAP5 ")
Jan 31 22:40:45 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: WLU-Wired-Port-RAP5, ACL:88, authtype:0
Jan 31 22:40:45 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 88, and Vlan info: 341, action : 0, AP IP: 10.20.30.40, flags : 0
Jan 31 22:41:08 :501065: |stm| Get Next/Get Request mac is 00:80:a3:63:04:db
Jan 31 22:44:33 :522004: |authmgr| AU0(0), HA1, TAP0, PARP0 OIP0 IIP0 INT0 WD1 FW3 DT0
Jan 31 22:44:33 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 88, and Vlan info: 341, action : 1, AP IP: 10.20.30.40, flags : 0
Jan 31 22:44:33 :522005: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry deleted: reason=unknown
Jan 31 22:44:33 :522004: |authmgr| MAC=00:80:a3:63:04:db Send Station delete message to mobility
Jan 31 22:44:33 :522004: |authmgr| Deleting RAP Wired User (3) 00:80:a3:63:04:db from STM stats tree
Jan 31 22:44:33 :522004: |authmgr| user_miss from RAP:10.20.30.40, (Wired) user IP:137.113.191.249, VLAN:341, BSSID:00:0b:86:67:11:3c:AP:RAP5-Int-House
Jan 31 22:44:33 :522035: |authmgr| MAC=00:80:a3:63:04:db Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=341 AP-name=RAP5-Int-House
Jan 31 22:44:33 :522004: |authmgr| MAC=00:80:a3:63:04:db ingress 0x108c (tunnel 12), u_encr 1, m_encr 1, slotport 0x1002 wired, type: remote, FW mode: 3, AP IP: 10.20.30.40
Jan 31 22:44:33 :522004: |authmgr| no users to cleanup
Jan 31 22:44:33 :522004: |authmgr| station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x108ba22c
Jan 31 22:44:33 :522004: |authmgr| AAA profile for wired user is "WLU-RAP5-Wired-AAA"
Jan 31 22:44:33 :522004: |authmgr| station free: bssid=01:80:c2:00:00:03, valid=1, @=0x108ba22c
Jan 31 22:44:33 :522004: |authmgr| MAC=00:80:a3:63:04:db Send Station delete message to mobility
Jan 31 22:44:33 :522006: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry added: reason=Auth Request
Jan 31 22:44:33 :522004: |authmgr| Station inherit: IP=137.113.191.249 start bssid:00:0b:86:67:11:3c essid: port:0x108c (0x108c)
Jan 31 22:44:33 :522004: |authmgr| Adding RAP Wired User (split) 00:80:a3:63:04:db to STM stats tree
Jan 31 22:44:33 :522004: |authmgr| {137.113.191.249} autTable (" Unauthenticated logon ")
Jan 31 22:44:33 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: logon, ACL:1, authtype:0
Jan 31 22:44:33 :522004: |authmgr| 00:80:a3:63:04:db: Sending STM new Role ACL : 1, and Vlan info: 341, action : 0, AP IP: 10.20.30.40, flags : 0

As always, I really do appreciate your help, thanks!

-Mike
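As an added illustration (not part of Mike's or Colin's posts), the following Python script walks authmgr user-debug output like the excerpts in Mike's two log posts above and flags the pattern both show: a user entry deleted with reason=unknown and then re-added with a role other than the AAA profile's initial role. The sample lines are constructed from the values quoted in the thread, and the function names and the findings format are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the authmgr user-debug lines quoted in the
# thread (same MAC, IP and role names); not a verbatim copy of either post.
SAMPLE_LOG = """\
Jan 31 15:18:20 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: WLU-Wired-Port-RAP5, ACL:88, authtype:0
Jan 31 15:22:10 :522005: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry deleted: reason=unknown
Jan 31 15:22:10 :522006: |authmgr| MAC=00:80:a3:63:04:db IP=137.113.191.249 User entry added: reason=Auth Request
Jan 31 15:22:10 :522004: |authmgr| rap user : Sending SOS_USER_ACTION_ADD to RAP 137.113.191.249: IP=137.113.191.249, Role: logon, ACL:1, authtype:0
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
ROLE_RE = re.compile(r"SOS_USER_ACTION_ADD to RAP \S+: IP=([^,]+), Role: ([^,]+), ACL:(\d+)")
DEL_RE = re.compile(r"MAC=(\S+) IP=(\S+) User entry deleted: reason=(.*)$")


def parse_events(log):
    """Return, per user IP, an ordered list of (timestamp, kind, detail) events:
    'role' events carry (role, acl_number); 'deleted' events carry (mac, reason)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = ts_m.group(1)
        m = ROLE_RE.search(line)
        if m:
            events[m.group(1)].append((ts, "role", (m.group(2), int(m.group(3)))))
            continue
        m = DEL_RE.search(line)
        if m:
            events[m.group(2)].append((ts, "deleted", (m.group(1), m.group(3).strip())))
    return events


def find_role_regressions(log, expected_role):
    """Flag every IP that, after a user-entry delete, was pushed a role other than
    expected_role; report the previous role and the reason the entry was deleted."""
    findings = []
    for ip, evs in parse_events(log).items():
        last_role, last_delete = None, None
        for ts, kind, detail in evs:
            if kind == "deleted":
                last_delete = detail
            elif kind == "role":
                role, acl = detail
                if last_delete and role != expected_role:
                    mac, reason = last_delete
                    findings.append({"ip": ip, "mac": mac, "time": ts, "from": last_role,
                                     "to": role, "acl": acl, "delete_reason": reason})
                last_role, last_delete = role, None
    return findings


if __name__ == "__main__":
    for f in find_role_regressions(SAMPLE_LOG, "WLU-Wired-Port-RAP5"):
        print(f"{f['time']} {f['ip']} ({f['mac']}): {f['from']} -> {f['to']} "
              f"(ACL {f['acl']}) after delete reason={f['delete_reason']}")
```

Feeding the script the full output of "show log user-debug all" gives one line per delete/re-add cycle that landed a port in the wrong role, with the timestamp to correlate against the controller's idle-timeout and the "show user-table" snapshots.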
Guru Elite
Posts: 20,781
Registered: 03-29-2007

Re: Wired AP access and port-based role derivation

What version of code is this, and is the wired client plugged directly into the Ethernet port of the RAP, or is there a switch between clients and the AP wired port?


Colin Joseph
Aruba Customer Engineering

