Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User being thrown into a "Cached" vlan instead of role vlan

  • 1.  User being thrown into a "Cached" vlan instead of role vlan

    Posted Apr 17, 2013 02:41 PM

    Not really sure how this has happened, but I have a user that every once in a while gets tossed into a "Cached" vlan that is for our guest accounts; they get an IP from that vlan but obviously have no access to anything because their roles disallow all access to that vlan.

    I was able to fix it by blacklisting the client and then removing them from the blacklist...


    Here is a log snip:

    pr 17 13:28:50 authmgr[1652]: <522078> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0, wired: 0, vlan:300 ingress:0x0x1011b (tunnel 283), ingress:0x0x1011b new_aaa_prof: Student-802_1x, stored profile: Student-802_1x stored wired: 0 stored essid: UAstudent, stored-ingress: 0x0x1011b
    Apr 17 13:28:50 authmgr[1652]: <522246> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 74:f0:6d:1f:0e:a0.
    Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=0 Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1
    Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/300/550/0/550/550, Derivation=2/2, Value Pair=0
    Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
    Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
    Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
    Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
    Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
    Apr 17 13:28:50 authmgr[1652]: <522161> <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:550, default:300, current:300,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=00:24:6c:b7:7e:a1.
    Apr 17 13:28:50 authmgr[1652]: <522095> <DBUG> |authmgr| 74:f0:6d:1f:0e:a0: Sending STM new vlan info: vlan 550, AP 00:24:6c:b7:7e:a1 caller station_authenticate
    Apr 17 13:28:50 authmgr[1652]: <522029> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate: method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=0
    Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: username=URSULINESTL\13_EKozeny MAC=74:f0:6d:1f:0e:a0 IP=10.200.0.14 role=StudentAccess VLAN=550 AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2
    Apr 17 13:28:50 authmgr[1652]: <522243> <DBUG> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station Updated Update MMS: BSSID=00:24:6c:b7:7e:a1 ESSID=UAstudent VLAN=300 AP-name=00:24:6c:c3:77:ea
    Apr 17 13:28:50 authmgr[1652]: <522038> <INFO> |authmgr| username=XXXXXXXXXX\USERNAME MAC=74:f0:6d:1f:0e:a0 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=cloud-ad2
    Apr 17 13:28:50 authmgr[1652]: <522044> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 Station authenticate(start): method=802.1x, role=StudentAccess/StudentAccess//guest, VLAN=300/550/550/0/550/550, Derivation=2/2, Value Pair=1
    Apr 17 13:28:50 authmgr[1652]: <522017> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=?? Derived role 'StudentAccess' from server rules: server-group=StudentGroup, authentication=802.1x
    Apr 17 13:28:50 authmgr[1652]: <522127> <DBUG> |authmgr| {L2} Update role from StudentAccess to StudentAccess for IP=0.0.0.0.
    Apr 17 13:28:50 authmgr[1652]: <522049> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User role updated, existing Role=StudentAccess/StudentAccess, new Role=StudentAccess/StudentAccess, reason=Station Authenticated with auth type: 4
    Apr 17 13:28:50 authmgr[1652]: <522128> <DBUG> |authmgr| download-L2: acl=70/0 role=StudentAccess, tunl=0x0x1011b, PA=0, HA=1, RO=0, VPN=0.
    Apr 17 13:28:50 authmgr[1652]: <522050> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0,IP=N/A User data downloaded to datapath, new Role=StudentAccess/70, bw Contract=0/0,reason=Download driven by user role setting
    Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.
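    The symptom in the snippet above is visible in two places: the `<522037>` line assigns VLAN 550 while the VAP default is 300, and the `<522158>` line says the station was placed from authmgr's VLAN cache. The script below is an added example (not from the original post or from HPE Aruba) that scans authmgr output for exactly that pattern; the sample lines are constructed from the post's log with usernames replaced, and it assumes the first MAC on a line is the station MAC (BSSID/AP MACs come later) and that the cached-vlan debug line, which carries no MAC, belongs to the last station seen.

```python
import re

# Constructed sample, modelled on the authmgr snippet in the post (affected station's MAC
# kept, usernames replaced, plus a second healthy station for contrast).
SAMPLE_LOG = (
    "Apr 17 13:28:50 authmgr[1652]: <522037> <INFO> |authmgr| MAC=74:f0:6d:1f:0e:a0 IP=0 "
    "Assign VLAN 550, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1\n"
    "Apr 17 13:28:50 authmgr[1652]: <522158> <DBUG> |authmgr| station Authenticate is using cached vlan 550.\n"
    "Apr 17 13:28:50 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: "
    "username=EXAMPLE\\student1 MAC=74:f0:6d:1f:0e:a0 IP=10.200.0.14 role=StudentAccess VLAN=550 "
    "AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2\n"
    "Apr 17 13:29:10 authmgr[1652]: <522037> <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:01 IP=0 "
    "Assign VLAN 300, Default=300 Current=300 BSSID=00:24:6c:b7:7e:a1\n"
    "Apr 17 13:29:10 authmgr[1652]: <522008> <NOTI> |authmgr| User Authentication Successful: "
    "username=EXAMPLE\\student2 MAC=aa:bb:cc:dd:ee:01 IP=10.100.0.20 role=StudentAccess VLAN=300 "
    "AP=00:24:6c:c3:77:ea SSID=UAstudent AAA profile=Student-802_1x auth method=802.1x auth server=cloud-ad2\n"
)

# Assumption: in authmgr lines the station MAC precedes any BSSID/AP MAC, so the first MAC token is the client.
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
ASSIGN_RE = re.compile(r"Assign VLAN (\d+), Default=(\d+)")          # message code 522037
CACHED_RE = re.compile(r"using cached vlan (\d+)")                   # message code 522158
SUCCESS_RE = re.compile(r"Authentication Successful: username=(\S+) MAC=\S+ IP=\S+ role=(\S+) VLAN=(\d+)")


def find_cached_vlan_mismatches(log_text):
    """Return one record per station whose assigned VLAN differs from the VAP default,
    or that authmgr reports as placed from its VLAN cache."""
    sessions = {}
    current_mac = None  # the cached-vlan debug line has no MAC; attribute it to the last station seen
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if mac:
            current_mac = mac.group(1).lower()
        if current_mac is None:
            continue
        rec = sessions.setdefault(current_mac, {"mac": current_mac, "cached": False})
        if (m := ASSIGN_RE.search(line)):
            rec["assigned"], rec["default"] = int(m.group(1)), int(m.group(2))
        elif (m := CACHED_RE.search(line)):
            rec["cached"], rec["cached_vlan"] = True, int(m.group(1))
        elif (m := SUCCESS_RE.search(line)):
            rec["user"], rec["role"], rec["final_vlan"] = m.group(1), m.group(2), int(m.group(3))
    return [r for r in sessions.values()
            if r["cached"] or ("assigned" in r and r["assigned"] != r["default"])]


if __name__ == "__main__":
    for r in find_cached_vlan_mismatches(SAMPLE_LOG):
        print(f"{r['mac']} role={r.get('role')} assigned={r.get('assigned')} "
              f"default={r.get('default')} cached={r['cached']}")
```

    Run against a `show log user` capture (or syslog from the controller) to list the stations that landed in a VLAN other than the one their role implies, instead of waiting for the affected user to report it.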



  • 2.  RE: User being thrown into a "Cached" vlan instead of role vlan

    EMPLOYEE
    Posted Apr 22, 2013 06:21 AM

    What version of ArubaOS is this?




  • 3.  RE: User being thrown into a "Cached" vlan instead of role vlan

    Posted Apr 22, 2013 09:44 AM

    6.2.0.2




  • 4.  RE: User being thrown into a "Cached" vlan instead of role vlan

    EMPLOYEE
    Posted Apr 22, 2013 09:58 AM

    - How is authentication done...802.1x, I assume?

    - What is the Virtual AP vlan and does it differ from the student role Vlan?

    - What is the initial role for the AAA profile and does it have a Vlan in that role?




  • 5.  RE: User being thrown into a "Cached" vlan instead of role vlan

    Posted Apr 22, 2013 10:03 AM

    @cjoseph wrote:

    - How is authentication done...802.1x, I assume?

    - What is the Virtual AP vlan and does it differ from the student role Vlan?

    - What is the initial role for the AAA profile and does it have a Vlan in that role?



    802.1x, PEAP

    VAP vlan is the same as student role

    The initial role is the Guest and that is on the 550 vlan.

    I have only seen this happen two or three times, but all with the same user.



  • 6.  RE: User being thrown into a "Cached" vlan instead of role vlan

    EMPLOYEE
    Posted Apr 22, 2013 11:36 AM

    Change the initial role to the 802.1x role.



  • 7.  RE: User being thrown into a "Cached" vlan instead of role vlan

    Posted Apr 22, 2013 11:38 AM

    Would that allow a non-authenticated user to get the initial role? Or will it always wait for the 802.1x transaction to take place?



  • 8.  RE: User being thrown into a "Cached" vlan instead of role vlan

    EMPLOYEE
    Posted Apr 22, 2013 11:41 AM

    A user must pass 802.1x authentication to pass any traffic. We are putting the initial role as the authenticated role to deal with your outlier.



  • 9.  RE: User being thrown into a "Cached" vlan instead of role vlan

    Posted Apr 22, 2013 12:01 PM

    Can you think of a reason on why this is happening with this one user?



  • 10.  RE: User being thrown into a "Cached" vlan instead of role vlan

    EMPLOYEE
    Posted Apr 22, 2013 12:02 PM

    No. Support would have to take a look at all of your logs to determine that.