Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Derived VLAN 2 from Tunnel attributes

  • 1.  Derived VLAN 2 from Tunnel attributes

    Posted Jun 19, 2012 07:49 AM

    Hi

     

    We have seen in show log user-debug that role is derived unconfigured vlan2 during mac-authentication for some reason.

    Our RADIUS just returns the vlan number with filter-id.

    vlan2 is not configured anywhere in the controller, switch and RADIUS server.

    I can't find any vlan 2 in the RADIUS packet fields in the capture.

     

    Does anyone know what vlan 2 is?

    I think this is one reason for the user to fail mac authentication.

     

    Regards

    Simon

     

     

    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=100 AP-name=
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 ingress 0x1042 (1/2), u_encr 1, m_encr 1, slotport 0x1042 wired, type: local, FW mode: 0, AP IP: 0.0.0.0
    May 30 08:44:10 station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x10bc18fc
    May 30 08:44:10 AAA profile for wired user is "testSSID-aaa_prof"
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=TestSSID
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=NS1
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=01:80:c2:00:00:03
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station authenticate(start): method=MAC, role=logon//, VLAN=100/100/0/0/0, Derivation=0/0, Value Pair=1
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived role 'v40_Silent' from server rules: server-group=TestSSID, authentication=MAC
    May 30 08:44:10 {L2} Update role from logon to v40_Silent for IP=0.0.0.0
    May 30 08:44:10 download: ip=0.0.0.0 acl=62/0 role=v40_Silent, Ubwm=0, Dbwm=0 tunl=0x1042, PA=0, HA=1, RO=0, VPN=0
    May 30 08:44:10 Station authenticate has l2 role :v40_Silent default role logon logon role logon
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived VLAN 2 from Tunnel attributes
    May 30 08:44:10 Station authenticate has derived a new  vlan 40
    May 30 08:44:10 Valid Dot1xct, remote:0, assigned:40, default:100,current:100,termstate:0, wired:1,dot1x enabled:1, psk:0 static:0 bssid=01:80:c2:00:00:03
    May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station authenticate: method=MAC, role=v40_Silent//, VLAN=100/40/40/0/0, Derivation=2/5, Value Pair=1
    May 30 08:44:10 {0.0.0.0} autTable ("0019xxxx1FA7 Authenticated MAC v40_Silent ")



  • 2.  RE: Derived VLAN 2 from Tunnel attributes
    Best Answer

    Posted Jun 20, 2012 03:15 AM

    This is a display issue and has nothing to do with the MAC-AUTH failure. We are already tracking this issue as a BUG internally.

    You can see that the VLAN for that user is derived (vlan-40) correctly after successful authentication.

     

    "Station authenticate has derived a new  vlan 40"
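
The check described in the answer above, as an added example that is not part of the original posts: it reads user-debug output and compares the VLAN printed on the "from Tunnel attributes" line with the VLAN the station was actually given. The function names are hypothetical, the sample is a subset of the log quoted in the thread, and lines without a MAC= field are assumed to belong to the most recently seen station.

```python
import re

# Constructed sample: a subset of the user-debug lines quoted in the thread.
SAMPLE_LOG = """\
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=NS1
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived VLAN 2 from Tunnel attributes
May 30 08:44:10 Station authenticate has derived a new  vlan 40
May 30 08:44:10 Valid Dot1xct, remote:0, assigned:40, default:100,current:100,termstate:0, wired:1,dot1x enabled:1, psk:0 static:0 bssid=01:80:c2:00:00:03
"""

MAC_RE = re.compile(r"\bMAC=(\S+)")
FIELDS = {
    # field name -> (pattern, converter)
    "auth": (re.compile(r"Authentication result=(.+?) method=\S+"), str),
    "shown": (re.compile(r"Derived VLAN (\d+) from Tunnel attributes"), int),
    "derived": (re.compile(r"derived a new\s+vlan (\d+)"), int),
    "assigned": (re.compile(r"\bassigned:(\d+)"), int),
}


def summarize(log_text):
    """Return {mac: {auth, shown, derived, assigned}} for each station in the log."""
    stations, current = {}, None
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if mac:
            current = stations.setdefault(mac.group(1), dict.fromkeys(FIELDS))
        if current is None:
            continue  # no station context yet, nothing to attach the line to
        # Assumption: a line without MAC= belongs to the last station seen.
        for name, (pattern, convert) in FIELDS.items():
            hit = pattern.search(line)
            if hit:
                current[name] = convert(hit.group(1))
    return stations


def display_mismatches(stations):
    """MACs whose 'from Tunnel attributes' value differs from the derived VLAN."""
    return [mac for mac, s in stations.items()
            if s["shown"] is not None and s["derived"] is not None
            and s["shown"] != s["derived"]]


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
```

A station listed by `display_mismatches` whose `derived` and `assigned` values agree with the VLAN the RADIUS server returned matches the display-only behaviour described in the answer.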



  • 3.  RE: Derived VLAN 2 from Tunnel attributes
    Best Answer

    Posted Jun 21, 2012 04:37 AM

    Thanks for the good information!