Contributor I

Derived VLAN 2 from Tunnel attributes

Hi

We have seen in show log user-debug that the role is derived with unconfigured vlan2 during mac-authentication for some reason.

Our radius just returns the vlan number with filter-id.

vlan2 is not configured anywhere in the controller, switch and Radius server.

I can't find any vlan 2 in the radius packet fields in the capture.

Does anyone know what vlan 2 is?

I think this is one reason for the user to fail mac authentication.

Regards

Simon

May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=100 AP-name=
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 ingress 0x1042 (1/2), u_encr 1, m_encr 1, slotport 0x1042 wired, type: local, FW mode: 0, AP IP: 0.0.0.0
May 30 08:44:10 station add: Created station with bssid=01:80:c2:00:00:03, valid=1, @=0x10bc18fc
May 30 08:44:10 AAA profile for wired user is "testSSID-aaa_prof"
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=TestSSID
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=NS1
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=01:80:c2:00:00:03
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station authenticate(start): method=MAC, role=logon//, VLAN=100/100/0/0/0, Derivation=0/0, Value Pair=1
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived role 'v40_Silent' from server rules: server-group=TestSSID, authentication=MAC
May 30 08:44:10 {L2} Update role from logon to v40_Silent for IP=0.0.0.0
May 30 08:44:10 download: ip=0.0.0.0 acl=62/0 role=v40_Silent, Ubwm=0, Dbwm=0 tunl=0x1042, PA=0, HA=1, RO=0, VPN=0
May 30 08:44:10 Station authenticate has l2 role :v40_Silent default role logon logon role logon
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived VLAN 2 from Tunnel attributes
May 30 08:44:10 Station authenticate has derived a new  vlan 40
May 30 08:44:10 Valid Dot1xct, remote:0, assigned:40, default:100,current:100,termstate:0, wired:1,dot1x enabled:1, psk:0 static:0 bssid=01:80:c2:00:00:03
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station authenticate: method=MAC, role=v40_Silent//, VLAN=100/40/40/0/0, Derivation=2/5, Value Pair=1
May 30 08:44:10 {0.0.0.0} autTable ("0019xxxx1FA7 Authenticated MAC v40_Silent ")

Aruba Employee

Re: Derived VLAN 2 from Tunnel attributes

This is a display issue and this has nothing to do with MAC-AUTH failure. We are already tracking this issue as a bug internally.

You can see that the VLAN for that user will be derived (vlan-40) correctly after successful authentication.

"Station authenticate has derived a new  vlan 40"
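
To apply the reading described above across a longer user-debug capture (an added example, not part of the original thread or any vendor tooling): the Python below reports, per station, the VLAN from the "derived a new vlan" line next to the value printed in the "Tunnel attributes" line and flags when they differ. The function and field names are hypothetical, and attributing a line without a MAC= field to the most recently seen station is an assumption.

```python
import re

# Sample lines taken from the user-debug log in the post above (MAC redacted there).
SAMPLE_LOG = """\
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=NS1
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived role 'v40_Silent' from server rules: server-group=TestSSID, authentication=MAC
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 IP=0.0.0.0 Derived VLAN 2 from Tunnel attributes
May 30 08:44:10 Station authenticate has derived a new  vlan 40
May 30 08:44:10 MAC=00:19:xx:xx:1f:a7 Station authenticate: method=MAC, role=v40_Silent//, VLAN=100/40/40/0/0, Derivation=2/5, Value Pair=1
"""

MAC_RE = re.compile(r"MAC=((?:[0-9A-Fa-fx]{2}:){5}[0-9A-Fa-fx]{2})")  # 'x' allows redacted octets
PATTERNS = {
    "auth_ok": re.compile(r"Authentication result=Authentication Successful"),
    "role": re.compile(r"Derived role '([^']+)'"),
    "tunnel_vlan": re.compile(r"Derived VLAN (\d+) from Tunnel attributes"),
    "effective_vlan": re.compile(r"derived a new\s+vlan (\d+)"),
}

def summarize(log_text):
    """Return {mac: summary} holding the role and VLAN values logged for each station."""
    stations, current = {}, None
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if m:
            current = m.group(1).lower()
        if current is None:
            continue  # no station context seen yet
        # Assumption: a line without MAC= belongs to the most recently seen station.
        s = stations.setdefault(current, {"auth_ok": False, "role": None,
                                          "tunnel_vlan": None, "effective_vlan": None})
        for key, rx in PATTERNS.items():
            hit = rx.search(line)
            if not hit:
                continue
            if key == "auth_ok":
                s[key] = True
            elif key == "role":
                s[key] = hit.group(1)
            else:
                s[key] = int(hit.group(1))
    for s in stations.values():
        # Flag stations where the "Tunnel attributes" value differs from the derived VLAN.
        s["display_mismatch"] = (None not in (s["tunnel_vlan"], s["effective_vlan"])
                                 and s["tunnel_vlan"] != s["effective_vlan"])
    return stations

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
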

Contributor I

Re: Derived VLAN 2 from Tunnel attributes

Thanks for the good information!
