Security

Occasional Contributor I
Posts: 7
Registered: ‎12-08-2009

Problems with role derivation in 802.1X authentication on a remote AP


Hi,

On a remote site of our university, I'm trying to deploy a remote AP with the same SSIDs as we have on our central site.

One SSID is based on captive portal authentication. Students or staff connecting to this SSID get simple web access.

The forward mode is tunnel, and the operation mode is standard.

The second SSID is based on 802.1X authentication, with role derivation rules set up on the Server Group Profile.

The rules fix the user role according to the value of an attribute sent by a RADIUS server during authentication:

- if the attribute equals "student", the role for the user is set to student-role.

- if the attribute equals "staff", the role is set to staff-role.

In this case, the user gets more or fewer privileges according to his status (staff or student).

For each role, a different role VLAN ID is set, so that the user is placed in the proper VLAN to get his IP address.

- staff-role, vlan ID = 8,

- student-role, vlan ID = 10.

The forward mode setting for this VAP is bridge mode, and its operation mode is persistent. In case of a failure of our main controller, the connected users can still work on their local IT resources.

Both VLAN IDs 8 and 10 are set in the VAP Vlans.

The corresponding AP system profile for the RAP has the native VLAN set to 4, which is the VLAN on the remote site where all network equipment is placed.

The port of the switch into which the RAP is plugged is configured as a trunk for VLANs 8 and 10, with native VLAN set to 4.

When a user from the staff tries to connect to this SSID, he gets the correct role according to the derivation rules: staff-role.

However, the IP address the user gets is from the student VLAN, and I don't understand why.

I've checked the configuration, and I don't see any reference to VLAN 10 linked to staff-role.

Any idea?

The ArubaOS version is 5.0.4.13.

Thanks for your help.

Sylvain

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Problems with role derivation in 802.1X authentication on a remote AP

I assume a student user works as expected?

With your staff user in this state (i.e. in the wrong subnet/VLAN), do a "show user ip X.X.X.X" at the command line (where X.X.X.X is that user's IP).

Look for a line in the output like "Vlan default: 1234, Assigned: 1234, Current: 1234 vlan-how: 1 DP assigned vlan:0".

What does this show?

If that output also looks wrong, I think it's worth running an aaa-debug on the authentication to see what attributes are returned from the server, just to be sure.

Kudos appreciated, but I'm not hunting! (ACMX 104)
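As an added illustration of the check suggested in the reply above (this is not code from the original thread or from Aruba), the following Python script picks the "Vlan default / Assigned / Current" line out of `show user ip` output and compares the Current VLAN with the VLAN the original post configures for each role (staff-role = 8, student-role = 10). The sample output is constructed to reproduce the symptom described in the post; the role name is passed in by the operator, because the quoted line does not carry it, and the vlan-how and DP fields are only reported, not interpreted.

```python
import re

# VLAN expected per role, taken from the original post (role VLAN IDs).
ROLE_VLANS = {"staff-role": 8, "student-role": 10}

# Matches the VLAN status line quoted in the reply above, e.g.
# "Vlan default: 1234, Assigned: 1234, Current: 1234 vlan-how: 1 DP assigned vlan:0"
VLAN_LINE = re.compile(
    r"Vlan default:\s*(?P<default>\d+),\s*Assigned:\s*(?P<assigned>\d+),\s*"
    r"Current:\s*(?P<current>\d+)\s+vlan-how:\s*(?P<vlan_how>\d+)\s+"
    r"DP assigned vlan:\s*(?P<dp_assigned>\d+)"
)

# Constructed sample (not real controller output): a staff user whose Current
# VLAN is the student VLAN, mirroring the symptom in the original post.
SAMPLE_OUTPUT = """\
(other fields of the show user ip output omitted)
Vlan default: 4, Assigned: 8, Current: 10 vlan-how: 1 DP assigned vlan:0
"""


def parse_vlan_line(output):
    """Return the five VLAN fields as ints, or None if no such line is present."""
    m = VLAN_LINE.search(output)
    if not m:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


def check_user_vlan(output, role, role_vlans=ROLE_VLANS):
    """Compare the user's Current VLAN with the VLAN configured for its role.

    Returns (ok, message). ok is True only when the VLAN line was found and
    Current equals the role's VLAN. Assigned and default are reported as well,
    since, as in the original post, the role can be right while the VLAN is not.
    """
    if role not in role_vlans:
        raise ValueError(f"no VLAN configured for role {role!r}")
    fields = parse_vlan_line(output)
    if fields is None:
        return False, "no 'Vlan default/Assigned/Current' line found in output"
    expected = role_vlans[role]
    current = fields["current"]
    if current == expected:
        return True, f"{role}: Current VLAN {current} matches role VLAN {expected}"
    # Name the role whose VLAN the user actually landed in, if any is configured.
    owner = next((r for r, v in role_vlans.items() if v == current), None)
    hint = f"; VLAN {current} is the VLAN configured for {owner}" if owner else ""
    return False, (
        f"{role}: expected VLAN {expected} but Current is {current}"
        f" (Assigned {fields['assigned']}, default {fields['default']},"
        f" vlan-how {fields['vlan_how']}, DP assigned vlan {fields['dp_assigned']}){hint}"
    )


if __name__ == "__main__":
    ok, msg = check_user_vlan(SAMPLE_OUTPUT, "staff-role")
    print("OK" if ok else "MISMATCH", "-", msg)
```

Paste the real `show user ip` output in place of the constructed sample; a mismatch report that names another role's VLAN is the signal to go on to the aaa-debug step and look at what the RADIUS server actually returned.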
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Problems with role derivation in 802.1X authentication on a remote AP

Support for Bridge Mode VLAN derivation began in ArubaOS 6.1 and above: it is not supported in your version of ArubaOS. Attached are the 6.1 release notes.

[Attachment: derivation.PNG]

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Problems with role derivation in 802.1X authentication on a remote AP

What an excellent point CJ! v5 is a bit old, as is my memory of it clearly!

Kudos appreciated, but I'm not hunting! (ACMX 104)
Occasional Contributor I
Posts: 7
Registered: ‎12-08-2009

Re: Problems with role derivation in 802.1X authentication on a remote AP

Thanks for your reply.

I shall be patient; we will normally be upgrading to version 6 this year.