Occasional Contributor II
Posts: 11
Registered: ‎10-16-2012

Role Derivation when using MAC Auth + 802.1x Auth

Running the 6.2 AOS code, I want to use both MAC and 802.1x authentication so that if the client fails either one then they are placed into a particular role (say 'registration' for example).  If they pass both, then they are placed in another.  They will be authenticating against a separate RADIUS server for MAC and 802.1x but the roles will not be derived from the servers.  Is this possible and what would be the best way of implementing it?

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: Role Derivation when using MAC Auth + 802.1x Auth


Daniel K wrote:

Running the 6.2 AOS code, I want to use both MAC and 802.1x authentication so that if the client fails either one then they are placed into a particular role (say 'registration' for example).  If they pass both, then they are placed in another.  They will be authenticating against a separate RADIUS server for MAC and 802.1x but the roles will not be derived from the servers.  Is this possible and what would be the best way of implementing it?


If your client fails 802.1x authentication, which is required to gain access to the network, the client will not be able to gain access, no matter the circumstance.


In the AAA profile, you can enable l2 failthrough, where if mac authentication is failed, but 802.1x is passed, the client will gain access, but his/her role will be the 802.1x role in the AAA profile.  If a client passes both, the client will gain access and the default mac authentication role will be applied to the client.  If l2 failthrough is disabled in the AAA profile, 802.1x is passed and mac authentication has failed, the client will NOT gain access to the network, period.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎10-16-2012

Re: Role Derivation when using MAC Auth + 802.1x Auth

Ah, I was unsure about that.  I still seem to be unable to place a client under the correct conditions to receive the default mac authentication role.  Even with l2 failthrough enabled, they pass mac and 802.1x authentication then receive the 802.1x default role.

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: Role Derivation when using MAC Auth + 802.1x Auth

Turn on client debugging and paste in the log here:


config t

logging level debug user

show log user 50




Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎10-16-2012

Re: Role Derivation when using MAC Auth + 802.1x Auth

Sep 5 18:12:19 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:1 udr_exist:0,default_role:logon,pDefRole:0x0x109933f4

Sep 5 18:12:19 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:19:e3:d5:8d:ba, pmkid_present:False, pmkid:N/A

Sep 5 18:12:19 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 10, AP IP: 192.168.0.38, flags : 0

Sep 5 18:12:19 :522243:  <DBUG> |authmgr|  MAC=00:19:e3:d5:8d:ba Station Updated Update MMS: BSSID=00:0b:86:b4:47:30 ESSID=Test VLAN=33 AP-name=Rap2WG.RAP

Sep 5 18:12:19 :501095:  <NOTI> |AP Rap2WG.RAP@192.168.0.38 stm|  Assoc request @ 18:12:19.829095: 00:19:e3:d5:8d:ba (SN 3898): AP 192.168.0.38-00:0b:86:b4:47:30-Rap2WG.RAP

Sep 5 18:12:19 :501065:  <DBUG> |AP Rap2WG.RAP@192.168.0.38 stm|  handle_assoc_req:4241: mcast_encr(0x00000040), ucast_encr(0x00000040)

Sep 5 18:12:19 :501100:  <NOTI> |AP Rap2WG.RAP@192.168.0.38 stm|  Assoc success @ 18:12:19.841060: 00:19:e3:d5:8d:ba: AP 192.168.0.38-00:0b:86:b4:47:30-Rap2WG.RAP

Sep 5 18:12:19 :501065:  <DBUG> |AP Rap2WG.RAP@192.168.0.38 stm|  handle_assoc_req:5331 - send response to client

Sep 5 18:12:20 :522207:  <DBUG> |authmgr|  MS-CHAPV2 authenticate user dannyk

Sep 5 18:12:20 :522038:  <INFO> |authmgr|  username=dannyk MAC=00:19:e3:d5:8d:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RadiusServer2

Sep 5 18:12:20 :522044:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba Station authenticate(start): method=802.1x, role=RemoteUser/RemoteUser//logon, VLAN=33/33/33/0/0/0, Derivation=1/0, Value Pair=1

Sep 5 18:12:20 :522136:  <DBUG> |authmgr|  {L2} RemoteUser from profile \"RAP-Wireless\".

Sep 5 18:12:20 :522127:  <DBUG> |authmgr|  {L2} Update role from RemoteUser to RemoteUser for IP=0.0.0.0.

Sep 5 18:12:20 :522049:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba,IP=N/A User role updated, existing Role=RemoteUser/RemoteUser, new Role=RemoteUser/RemoteUser, reason=Station Authenticated with auth type: 4

Sep 5 18:12:20 :522159:  <DBUG> |authmgr|  Station authenticate has l2 role :RemoteUser default role logon logon role logon.

Sep 5 18:12:20 :522161:  <DBUG> |authmgr|  Valid Dot1xct, remote:1, assigned:33, default:33, current:33,termstate:8, wired:0, dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:b4:47:30.

Sep 5 18:12:20 :522029:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba Station authenticate: method=802.1x, role=RemoteUser/RemoteUser//logon, VLAN=33/33/33/0/0/0, Derivation=1/0, Value Pair=1

Sep 5 18:12:20 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

Sep 5 18:12:20 :522053:  <DBUG> |authmgr|  PMK Cache getting updated for 00:19:e3:d5:8d:ba, (def, cur, assigned) = (33, 33, 33) with vlan=0 vlanhow=0 essid=Test role=RemoteUser

Sep 5 18:12:20 :524037:  <DBUG> |authmgr|  wpa2_tx_eapolkey_mesg1: sending key1 11r (0) xsec(0)

Sep 5 18:12:20 :524041:  <DBUG> |authmgr|  wpa2_tx_eapolkey_mesg3 :FT mesg3 copied gtk, len=22 data len=46

Sep 5 18:12:21 :524121:  <DBUG> |authmgr|  Derived VLAN for the user is 33.

Sep 5 18:12:23 :522233:  <DBUG> |authmgr|  DHCP ACK seen for ac:81:12:3d:53:c4.

Sep 5 18:12:23 :522211:  <DBUG> |authmgr|  DHCP assigned address and server address updated for ac:81:12:3d:53:c4 10.91.0.1 10.91.0.1.

Sep 5 18:12:24 :522233:  <DBUG> |authmgr|  DHCP ACK seen for 00:19:e3:d5:8d:ba.

Sep 5 18:12:24 :522211:  <DBUG> |authmgr|  DHCP assigned address and server address updated for 00:19:e3:d5:8d:ba 10.51.0.17 10.51.0.17.

Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

Aruba Employee
Posts: 13
Registered: ‎12-08-2011

Re: Role Derivation when using MAC Auth + 802.1x Auth

For wireless client authentication: you can't retain user-roles derived during MAC-auth if dot1x authentication is done.

User-roles derived during dot1x authentication will override the mac-auth derivation, User-derivation-rules (non dhcp-option), and the initial-role.
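As an added illustration (not code from Aruba or from anyone in this thread), the first function below encodes the AAA-profile outcomes Colin describes for the MAC-auth / 802.1x / l2-failthrough combinations, and the second pulls the per-method result and the finally applied role out of authmgr lines like the ones pasted above, so you can see which method actually produced the role before assuming a failthrough problem. The role names passed in (e.g. "authenticated") and the two sample lines are taken from or modelled on this thread; the regexes are assumptions about the log format shown here, not a documented API.

```python
import re

def derive_l2_role(mac_auth_passed, dot1x_passed, l2_failthrough,
                   mac_default_role, dot1x_default_role, initial_role="logon"):
    """Return (access, role) for the AAA-profile behaviour described in the thread.

    access is False when the client is denied network access outright; the role
    returned in that case is just the initial role the client is left in.
    """
    if not dot1x_passed:
        # 802.1x is required on the SSID: a failed supplicant never gets access.
        return False, initial_role
    if mac_auth_passed:
        # Both passed: the MAC-auth default role is applied.
        return True, mac_default_role
    if l2_failthrough:
        # MAC auth failed but 802.1x passed and failthrough is on: 802.1x role.
        return True, dot1x_default_role
    # MAC auth failed and failthrough is off: no access, period.
    return False, initial_role

# Assumed patterns for the two authmgr lines used below (from the pasted log).
AUTH_RESULT = re.compile(
    r"Authentication result=(?P<result>[^=]+?) method=(?P<method>\S+) server=(?P<server>\S+)")
ROLE_APPLIED = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) MAC=(?P<mac>\S+) "
    r"IP=\S+ role=(?P<role>\S+) .*auth method=(?P<method>\S+)")

def summarize_authmgr(log_text):
    """Collect which methods reported a result and which role was finally applied."""
    summary = {"results": {}, "role": None, "role_method": None}
    for line in log_text.splitlines():
        m = AUTH_RESULT.search(line)
        if m:
            summary["results"][m["method"]] = m["result"].strip()
        m = ROLE_APPLIED.search(line)
        if m:
            summary["role"], summary["role_method"] = m["role"], m["method"]
    return summary

# Two lines copied from the log posted in this thread (constructed sample input).
SAMPLE_LOG = """\
Sep 5 18:12:20 :522038:  <INFO> |authmgr|  username=dannyk MAC=00:19:e3:d5:8d:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RadiusServer2
Sep 5 18:12:20 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2
"""

if __name__ == "__main__":
    print(summarize_authmgr(SAMPLE_LOG))
    print(derive_l2_role(True, True, True, "authenticated", "RemoteUser"))
```

Note that the pasted log only ever reports a result for method=802.1x, which matches the role being the 802.1x role; a MAC-auth result line would have to appear for the MAC-auth default role to be the expected outcome under Colin's description.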

