Frequent Contributor I

User being thrown into a "Cached" vlan instead of role vlan

Not really sure how this has happened, but I have a user that every once in a while gets tossed into a "Cached" VLAN that is for our guest accounts. They get an IP from that VLAN but obviously have no access to anything because their roles disallow all access to that VLAN.


I was able to fix it by blacklisting the client and then removing them from the blacklist...


Here is a log snip:

Apr 17 13:28:50 authmgr[1652]: <522078> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0, wired: 0, vlan:300 ingress:0x0x1011b (tunnel 283), ingress:0x0x1011b new_aaa_prof: Student-802_1x, stored profile: Student-802_1x stored wired: 0 stored essid: UAstudent, stored-ingress: 0x0x1011b
Apr 17 13:28:50 authmgr[1652]: <522246> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 74:f0:6d:1f:0e:a0.
Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=0 Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1
Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/300/550/0/550/550, Derivation=2/2, Value Pair=0
Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
Apr 17 13:28:50 authmgr[1652]: <522161> <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:550, default:300, current:300,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=00:24:6c:b7:7e:a1.
Apr 17 13:28:50 authmgr[1652]: <522095> <DBUG> |authmgr| 74:f0:6d:1f:0e:a0: Sending STM new vlan info: vlan 550, AP 00:24:6c:b7:7e:a1 caller station_authenticate
Apr 17 13:28:50 authmgr[1652]: <522029> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate: method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=0
Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=URSULINESTL\13_EKozeny MAC=74:f0:6d:1f:0e:a0 IP=10.200.0.14 role=StudentAccess VLAN=550 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2
Apr 17 13:28:50 authmgr[1652]: <522243> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station Updated Update MMS: BSSID=00:24:6c:b7:7e:a1 ESSID=UAstudent VLAN=300 AP-name=00:24:6c:c3:77:ea
Apr 17 13:28:50 authmgr[1652]: <522038> <INFO> |authmgr| username=XXXXXXXXXX\USERNAME MAC=74:f0:6d:1f:0e:a0 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=cloud-ad2
Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=1
Apr 17 13:28:50 authmgr[1652]: <522017> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=?? Derived role 'StudentAccess' from server rules: server-group=StudentGroup, authentication=802.1x
Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
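The snippet above shows the symptom in three messages: <522037> assigns VLAN 550 while the default (VAP) VLAN is 300, <522158> says the assignment came from a cached VLAN, and <522008> confirms the user authenticated into the StudentAccess role yet ended up in VLAN 550. The following script is an added example, not part of the original post, that keys on those three messages and flags any client whose post-authentication VLAN does not match the VLAN you expect for its role. The sample lines are constructed (MAC addresses and username altered from the post), and the role-to-VLAN table is an assumption taken from the thread (StudentAccess on 300).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the authmgr snippet posted above
# (MAC addresses and username altered); not captured from a live controller.
# Client 1 reproduces the symptom: authenticated into StudentAccess but landed
# in VLAN 550 via a cached VLAN. Client 2 is a normal authentication.
SAMPLE_LOG = [
    "Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=00:11:22:33:44:55 IP=0 Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1",
    "Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.",
    "Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=DOMAIN\\student1 MAC=00:11:22:33:44:55 IP=10.200.0.14 role=StudentAccess VLAN=550 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2",
    "Apr 17 13:29:01 authmgr[1652]: <522037> <INFO> |authmgr| MAC=66:77:88:99:aa:bb IP=0 Assign VLAN 300, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1",
    "Apr 17 13:29:01 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=DOMAIN\\student2 MAC=66:77:88:99:aa:bb IP=10.100.0.20 role=StudentAccess VLAN=300 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2",
]

# Assumed policy: the thread says the student role and the VAP share VLAN 300.
# Replace with the role -> VLAN mapping from your own controller config.
ROLE_VLAN: Dict[str, int] = {"StudentAccess": 300}

# Patterns keyed on the three authmgr message IDs quoted in the post.
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ASSIGN_RE = re.compile(
    rf"<522037>.*MAC={MAC} IP=\S+ Assign VLAN (?P<assigned>\d+), "
    r"Default=(?P<default>\d+) Current=(?P<current>\d+)"
)
CACHED_RE = re.compile(r"<522158>.*using cached vlan (?P<vlan>\d+)")
SUCCESS_RE = re.compile(
    rf"<522008>.*username=(?P<user>\S+) MAC={MAC} IP=(?P<ip>\S+) "
    r"role=(?P<role>\S+) VLAN=(?P<vlan>\d+)"
)


@dataclass
class ClientState:
    assigned: Optional[int] = None    # VLAN from the Assign VLAN message
    default: Optional[int] = None     # Default= (VAP) VLAN from the same message
    cached: bool = False              # a <522158> cached-vlan message was seen
    user: Optional[str] = None
    role: Optional[str] = None
    final_vlan: Optional[int] = None  # VLAN reported at Authentication Successful


def analyze(lines: List[str], role_vlan: Dict[str, int]) -> List[dict]:
    """Return one finding per client whose final VLAN differs from the VLAN
    expected for the role it authenticated into."""
    clients: Dict[str, ClientState] = {}
    last_mac: Optional[str] = None
    for line in lines:
        m = ASSIGN_RE.search(line)
        if m:
            st = clients.setdefault(m["mac"], ClientState())
            st.assigned, st.default = int(m["assigned"]), int(m["default"])
            last_mac = m["mac"]
            continue
        m = CACHED_RE.search(line)
        if m and last_mac is not None:
            # <522158> carries no MAC, so attribute it to the client whose
            # Assign VLAN message came last. Interleaved clients could be
            # misattributed, so also require the VLAN value to match.
            st = clients[last_mac]
            if st.assigned == int(m["vlan"]):
                st.cached = True
            continue
        m = SUCCESS_RE.search(line)
        if m:
            st = clients.setdefault(m["mac"], ClientState())
            st.user, st.role, st.final_vlan = m["user"], m["role"], int(m["vlan"])
            last_mac = m["mac"]

    findings = []
    for mac, st in clients.items():
        if st.final_vlan is None or st.role not in role_vlan:
            continue
        expected = role_vlan[st.role]
        if st.final_vlan != expected:
            findings.append({
                "mac": mac, "user": st.user, "role": st.role,
                "vlan": st.final_vlan, "expected_vlan": expected,
                "default_vlan": st.default, "cached": st.cached,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ROLE_VLAN):
        print(f"{f['mac']} ({f['user']}) role={f['role']} got VLAN {f['vlan']} "
              f"expected {f['expected_vlan']} cached={f['cached']}")
```

Feed it the authmgr lines from the controller's user log (for example the output of `show log user`) to see whether the mismatch is confined to one client, as the poster observed, or is wider. Because <522158> has no MAC field, the attribution to the preceding client is a heuristic; on a busy controller, grep the relevant window for one MAC first and then run the check.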

Guru Elite

Re: User being thrown into a "Cached" vlan instead of role vlan

What version of ArubaOS is this?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Frequent Contributor I

Re: User being thrown into a "Cached" vlan instead of role vlan

6.2.0.2


Guru Elite

Re: User being thrown into a "Cached" vlan instead of role vlan

- How is authentication done...802.1x, I assume?

- What is the Virtual AP vlan and does it differ from the student role Vlan?

- What is the initial role for the AAA profile and does it have a Vlan in that role?

Frequent Contributor I

Re: User being thrown into a "Cached" vlan instead of role vlan


cjoseph wrote:

- How is authentication done...802.1x, I assume?

- What is the Virtual AP vlan and does it differ from the student role Vlan?

- What is the initial role for the AAA profile and does it have a Vlan in that role?



802.1x, PEAP

VAP vlan is the same as student role

The initial role is Guest, and that is on the 550 VLAN.


I have only seen this happen two or three times, but all with the same user.

Guru Elite

Re: User being thrown into a "Cached" vlan instead of role vlan

Change the initial role to the 802.1x role.


Frequent Contributor I

Re: User being thrown into a "Cached" vlan instead of role vlan

Would that allow a non-authenticated user to get the initial role? Or will it always wait for the 802.1x transaction to take place?

Guru Elite

Re: User being thrown into a "Cached" vlan instead of role vlan

A user must pass 802.1x authentication to pass any traffic.  We are putting the initial role as the authenticated role to deal with your outlier.

Frequent Contributor I

Re: User being thrown into a "Cached" vlan instead of role vlan

Can you think of a reason on why this is happening with this one user?

Guru Elite

Re: User being thrown into a "Cached" vlan instead of role vlan

No.  Support would have to take a look at all of your logs to determine that.
