Security

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

User being thrown into a "Cached" vlan instead of role vlan

Not really sure how this has happened, but I have a user that every once in a while gets tossed into a "Cached" VLAN that is for our guest accounts. They get an IP from that VLAN but obviously have no access to anything, because their role disallows all access to that VLAN.

 

I was able to fix it by blacklisting the client and then removing them from the blacklist...

 

Here is a log snip:

Apr 17 13:28:50 authmgr[1652]: <522078> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0, wired: 0, vlan:300 ingress:0x0x1011b (tunnel 283), ingress:0x0x1011b new_aaa_prof: Student-802_1x, stored profile: Student-802_1x stored wired: 0 stored essid: UAstudent, stored-ingress: 0x0x1011b
Apr 17 13:28:50 authmgr[1652]: <522246> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 74:f0:6d:1f:0e:a0.
Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=0 Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1
Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/300/550/0/550/550, Derivation=2/2, Value Pair=0
Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
Apr 17 13:28:50 authmgr[1652]: <522161> <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:550, default:300, current:300,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=00:24:6c:b7:7e:a1.
Apr 17 13:28:50 authmgr[1652]: <522095> <DBUG> |authmgr| 74:f0:6d:1f:0e:a0: Sending STM new vlan info: vlan 550, AP 00:24:6c:b7:7e:a1 caller station_authenticate
Apr 17 13:28:50 authmgr[1652]: <522029> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate: method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=0
Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=URSULINESTL\13_EKozeny MAC=74:f0:6d:1f:0e:a0 IP=10.200.0.14 role=StudentAccess VLAN=550 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2
Apr 17 13:28:50 authmgr[1652]: <522243> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station Updated Update MMS: BSSID=00:24:6c:b7:7e:a1 ESSID=UAstudent VLAN=300 AP-name=00:24:6c:c3:77:ea
Apr 17 13:28:50 authmgr[1652]: <522038> <INFO> |authmgr| username=XXXXXXXXXX\USERNAME MAC=74:f0:6d:1f:0e:a0 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=cloud-ad2
Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=1
Apr 17 13:28:50 authmgr[1652]: <522017> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=?? Derived role 'StudentAccess' from server rules: server-group=StudentGroup, authentication=802.1x
Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: User being thrown into a "Cached" vlan instead of role vlan

What version of ArubaOS is this?

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: User being thrown into a "Cached" vlan instead of role vlan

6.2.0.2

 

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: User being thrown into a "Cached" vlan instead of role vlan

- How is authentication done...802.1x, I assume?

- What is the Virtual AP vlan and does it differ from the student role Vlan?

- What is the initial role for the AAA profile and does it have a Vlan in that role?

 

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: User being thrown into a "Cached" vlan instead of role vlan


cjoseph wrote:

- How is authentication done...802.1x, I assume?

- What is the Virtual AP vlan and does it differ from the student role Vlan?

- What is the initial role for the AAA profile and does it have a Vlan in that role?

 


802.1x, PEAP

VAP VLAN is the same as the student role VLAN.

The initial role is the Guest role, and that is on VLAN 550.

 

I have only seen this happen two or three times, but all with the same user.
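The log excerpt in the opening post and the reply above (VAP VLAN and StudentAccess VLAN both 300, initial Guest role on 550) together describe the symptom: the role and ACL are derived correctly, but the VLAN comes from a cached value equal to the initial role's VLAN. The following Python is an added example, not code from the thread or from Aruba, that runs that check over authmgr syslog lines. The message IDs (<522037>, <522158>, <522008>) and field layout are taken from the quoted lines; the expected role-to-VLAN mapping is an assumption drawn from the thread, the attribution of the MAC-less <522158> line to the most recent MAC= is a heuristic, and the sample lines are constructed from the excerpt with the username masked.

```python
"""Flag ArubaOS authmgr sessions that land on a cached VLAN instead of the
VLAN expected for the derived role.  Added example; not from the thread or
from Aruba.  Message IDs (<522037>, <522158>, <522008>) are taken from the
log lines quoted in the original post; everything else is an assumption."""
import re

# Expected VLAN(s) per user role.  ASSUMPTION drawn from the thread: the
# Virtual AP VLAN and the StudentAccess role VLAN are both 300, and the
# guest/initial role lives on 550.
ROLE_VLANS = {"StudentAccess": {300}, "guest": {550}}

ASSIGN_RE = re.compile(   # <522037>: the controller's VLAN assignment decision
    r"<522037>.*?MAC=(?P<mac>[0-9a-f:]{17}) IP=\S+ Assign VLAN (?P<assigned>\d+), "
    r"Default=(?P<default>\d+) Current=(?P<current>\d+)"
)
CACHED_RE = re.compile(r"<522158>.*?using cached vlan (?P<vlan>\d+)")
SUCCESS_RE = re.compile(   # <522008>: final outcome for the station
    r"<522008>.*?username=(?P<user>\S+) MAC=(?P<mac>[0-9a-f:]{17}) "
    r"IP=(?P<ip>\S+) role=(?P<role>\S+) VLAN=(?P<vlan>\d+)"
)
MAC_RE = re.compile(r"MAC=(?P<mac>[0-9a-f:]{17})")


def analyze(log_text, role_vlans=ROLE_VLANS):
    """Return one finding per successful authentication whose VLAN is not
    in the set expected for the derived role.  Each finding also records
    the controller's own Default VLAN for that station and whether a
    <522158> 'using cached vlan' message for the same VLAN preceded it."""
    findings = []
    last_mac = None   # <522158> carries no MAC, so it is attributed to the
    cached = {}       # most recent MAC= seen (heuristic, an assumption)
    defaults = {}     # mac -> Default VLAN reported in <522037>
    for line in log_text.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            last_mac = m["mac"]
            defaults[last_mac] = int(m["default"])
            continue
        m = CACHED_RE.search(line)
        if m:
            if last_mac:
                cached[last_mac] = int(m["vlan"])
            continue
        m = SUCCESS_RE.search(line)
        if m:
            mac, vlan, role = m["mac"], int(m["vlan"]), m["role"]
            last_mac = mac
            expected = role_vlans.get(role)
            if expected is not None and vlan not in expected:
                findings.append({
                    "user": m["user"],
                    "mac": mac,
                    "role": role,
                    "vlan": vlan,
                    "expected": sorted(expected),
                    "default": defaults.get(mac),
                    "cached": cached.get(mac) == vlan,
                })
            continue
        m = MAC_RE.search(line)   # keep context for a following <522158>
        if m:
            last_mac = m["mac"]
    return findings


# Constructed sample: three lines taken from the quoted excerpt (username
# masked) plus a second, healthy station for contrast.
SAMPLE_LOG = r"""
Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=0 Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1
Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=DOMAIN\student1 MAC=74:f0:6d:1f:0e:a0 IP=10.200.0.14 role=StudentAccess VLAN=550 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2
Apr 17 13:29:10 authmgr[1652]: <522037> <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:ff IP=0 Assign VLAN 300, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1
Apr 17 13:29:10 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=DOMAIN\student2 MAC=aa:bb:cc:dd:ee:ff IP=10.200.0.20 role=StudentAccess VLAN=300 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['mac']} ({f['user']}): role {f['role']} landed on VLAN "
              f"{f['vlan']} (expected {f['expected']}, controller default "
              f"{f['default']}, cached={f['cached']})")
```

Run against the controller's syslog (or the output of the authmgr debug logging already enabled in the excerpt), the script singles out the first station: role StudentAccess with ACL 70 was pushed to the datapath, the controller's own Default VLAN was 300, yet the session ended on VLAN 550 and the controller said so in the "using cached vlan" line. Capturing that trio of lines each time the user is affected is the evidence support would want, and the "cached" flag distinguishes this case from an ordinary server-derived VLAN override.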

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: User being thrown into a "Cached" vlan instead of role vlan

Change the initial role to the 802.1x role.

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: User being thrown into a "Cached" vlan instead of role vlan

Would that allow a non-authenticated user to get the initial role? Or will it always wait for the 802.1x transaction to take place?

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: User being thrown into a "Cached" vlan instead of role vlan

A user must pass 802.1x authentication to pass any traffic.  We are putting the initial role as the authenticated role to deal with your outlier.

 

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: User being thrown into a "Cached" vlan instead of role vlan

Can you think of a reason on why this is happening with this one user?

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: User being thrown into a "Cached" vlan instead of role vlan

No.  Support would have to take a look at all of your logs to determine that.

 

Colin Joseph
Aruba Customer Engineering
