SBS
Contributor II
Posts: 35
Registered: ‎11-04-2013

mac caching 3600 controller

Hello,

We have on our 3600 Aruba controller (6.4.3.4 code and AP105) a MAC caching setup. The usernames and passwords of the MACs, in the proper format, were entered into the internal database, the AAA profile set up, etc. The client (Windows laptop) connects and shows auth type MAC on the controller. The client is able to communicate on the network for a while (when I click on status on the monitoring tab for clients, I see the user firewall state entries). Then eventually the client loses communications. I still see the client in the clients / monitoring tab, but when I status them, I see nothing at all for user firewall state. I can get them communicating again by disconnecting the client, and immediately they are restored to normal communications (for a while), but then the problem happens again.

 

The same Windows client was able to consistently work when he used the captive portal method on the controller, so I don't believe it's necessarily the client.

 

I tried putting a check mark in the "reauthentication" box in the AAA profile but that didn't seem to make a difference.

 

What else could I look for?

 

Thank you,

Sarah

 

 

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: mac caching 3600 controller

Can you share the results of "show rights <Name-of-Role>" for the devices that pass MAC Authentication?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

SBS
Contributor II
Posts: 35
Registered: ‎11-04-2013

Re: mac caching 3600 controller

Sure, here goes

 

(3600_Controller) #show rights class_role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'class_role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 15
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 62/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                   Type     Location
--------  ----                   ----     --------
1         global-sacl            session
2         apprf-class_role-sacl  session
3         class_policy           session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

apprf-class_role-sacl
---------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

class_policy
------------
Priority  Source                      Destination        Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------                      -----------        -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         (the class network) 255.255.255.0  Internal Networks  any                   deny               Yes           Low                                                           4
2         any                         any                any                   permit                           Low                                                           4

Expired Policies (due to time constraints) = 0

 

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: mac caching 3600 controller

The reauthentication checkbox does not matter.

 

What does matter is that you don't have an "any any service dhcp permit" policy somewhere at the top.  Initial DHCP request is not to an internal server, but DHCP renewals are, so you need to allow dhcp before you block traffic to internal servers.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
SBS
Contributor II
Posts: 35
Registered: ‎11-04-2013

Re: mac caching 3600 controller

Okay. Thank you.  I will give it a try.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: mac caching 3600 controller

SBS wrote:

 

class_policy
------------
Priority  Source                      Destination        Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------                      -----------        -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         (the class network) 255.255.255.0  Internal Networks  any                   deny               Yes           Low                                                           4
2         any                         any                any                   permit                           Low                                                           4

Expired Policies (due to time constraints) = 0

 


As Colin was suggesting, your #1 rule is likely prohibiting your DHCP renewals.

 

Add the following ahead of your rule #1

 

user any udp 68 deny

any any svc-dhcp permit

..........(then your entries)

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
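An added example, not from the thread and not Aruba's code, that walks the class_policy session ACL first-match the way the controller does, once for the policy exactly as posted and once with the two DHCP lines suggested above placed ahead of rule 1. The class network, the "Internal Networks" alias, the controller's DHCP address and the client address are constructed stand-ins for the redacted values; the "user" keyword is modelled as the client's own address and svc-dhcp as UDP 67 and 68.

```python
"""Added example: first-match evaluation of the class_role session ACL, before and after the DHCP fix."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for values that are redacted or aliased in the posted output.
CLASS_NET = ipaddress.ip_network("10.50.0.0/24")       # "(the class network) 255.255.255.0"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the "Internal Networks" alias (assumed)
CONTROLLER_DHCP = "10.0.0.1"                           # the 3600 handing out leases (assumed)
CLIENT_IP = "10.50.0.25"                               # a MAC-authenticated client (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str      # "any", "user" (the client's own address), "internal", or a CIDR
    dst: str
    service: str  # "any", "svc-dhcp", or "<proto> <port>"
    action: str   # "permit" or "deny"


def _addr_matches(spec: str, addr: str, user_ip: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "user":
        return addr == user_ip
    if spec == "internal":
        return any(ip in net for net in INTERNAL_NETS)
    return ip in ipaddress.ip_network(spec)


def _service_matches(spec: str, pkt: Packet) -> bool:
    if spec == "any":
        return True
    if spec == "svc-dhcp":  # modelled as the built-in netservice: UDP 67 and 68
        return pkt.proto == "udp" and pkt.dport in (67, 68)
    proto, port = spec.split()
    return pkt.proto == proto and pkt.dport == int(port)


def evaluate(policy: list, pkt: Packet, user_ip: str = CLIENT_IP) -> str:
    """Action of the first rule that matches; nothing matching means an implicit deny."""
    for rule in policy:
        if (_addr_matches(rule.src, pkt.src, user_ip)
                and _addr_matches(rule.dst, pkt.dst, user_ip)
                and _service_matches(rule.service, pkt)):
            return rule.action
    return "deny"


# class_policy as posted: rule 1 denies class -> internal, rule 2 permits everything else.
ORIGINAL = [
    Rule(str(CLASS_NET), "internal", "any", "deny"),
    Rule("any", "any", "any", "permit"),
]

# The two lines suggested above, placed ahead of the posted rules.
FIXED = [
    Rule("user", "any", "udp 68", "deny"),     # the client may not answer as a DHCP server
    Rule("any", "any", "svc-dhcp", "permit"),  # DHCP to anyone, the internal server included
] + ORIGINAL

# Constructed traffic samples.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)     # first lease: broadcast, no IP yet
RENEW = Packet(CLIENT_IP, CONTROLLER_DHCP, "udp", 67)          # T1 renewal: unicast to the server
ROGUE_OFFER = Packet(CLIENT_IP, "255.255.255.255", "udp", 68)  # client posing as a DHCP server
FILE_SHARE = Packet(CLIENT_IP, "10.0.0.50", "tcp", 445)        # what rule 1 exists to block
WEB = Packet(CLIENT_IP, "93.184.216.34", "tcp", 443)           # off-network traffic


def compare(pkt: Packet) -> tuple:
    """(action under the posted policy, action with the DHCP rules in front)."""
    return evaluate(ORIGINAL, pkt), evaluate(FIXED, pkt)


if __name__ == "__main__":
    for name, pkt in [("DISCOVER", DISCOVER), ("RENEW", RENEW), ("ROGUE_OFFER", ROGUE_OFFER),
                      ("FILE_SHARE", FILE_SHARE), ("WEB", WEB)]:
        before, after = compare(pkt)
        print(f"{name:12s} posted={before:6s} fixed={after}")
```

The renewal line is the one that matters: the broadcast DISCOVER passes both policies, but the unicast renewal to the controller is denied by rule 1 as posted and permitted once svc-dhcp sits in front of it, which is the behaviour Colin describes and is consistent with a client that works until its lease runs out and recovers on reconnect. The "user any udp 68 deny" line in front also closes off a client answering as a DHCP server, something the posted policy permits. Since rule 1 has Log set to Yes, the dropped renewals would also have been written to the controller's log.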

SBS
Contributor II
Posts: 35
Registered: ‎11-04-2013

Re: mac caching 3600 controller

Good deal, many thanks

SBS
Contributor II
Posts: 35
Registered: ‎11-04-2013

Re: mac caching 3600 controller

I think putting in the recommended entry has made a difference. It doesn't seem to be as often that things are disconnecting. But we are still getting reports of loss of connectivity (from the client end they don't have an IP; they get an APIPA address).

They get DHCP from the 3600 controller.

 

For the internal database I put them in upper case with hyphens.

For the MAC Authentication profile I put things in the format with uppercase and hyphens; here are the settings.

 

Delimiter (dash)

Case - upper

Max Auth Failures 0

Reauth - checked

Reauth interval 86400 sec

Use server provided reauth interval (unchecked)

 

 

I did see this error in the log from today.   Would it make any difference to put things in lower case with colons?  Trying to figure out what still should be tweaked.   

 

Sep 7 12:33:36 :522275:  <ERRS> |authmgr|  User Authentication failed. username=F8-16-54-BE-41-8C  userip=0.0.0.0 usermac=f8:16:54:be:41:8c servername=Internal serverip=X.X.X.X Name=WAP_AP105 bssid=(mac address here)

 

Thank you
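An added example, not from the thread and not Aruba's code, for the format question asked above. It renders a MAC the way the MAC Authentication profile's Delimiter and Case settings will send it as a username, pulls username and usermac out of the authmgr line quoted above, and lists internal-database entries that can never equal that rendering. The Delimiter (dash) and Case (upper) values are taken from the post; the sample database entries are constructed.

```python
"""Added example: render MACs as the MAC auth profile sends them, and audit DB entries against it."""
import re

# The profile settings from the post above.
PROFILE_DELIMITER = "-"
PROFILE_UPPER = True

_AUTHMGR = re.compile(r"username=(?P<username>\S+).*?usermac=(?P<usermac>[0-9A-Fa-f:]{17})")


def format_mac_username(mac: str, delimiter: str = PROFILE_DELIMITER, upper: bool = PROFILE_UPPER) -> str:
    """Return the username the profile derives from a MAC under the given Delimiter/Case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    joined = delimiter.join(octets)
    return joined.upper() if upper else joined.lower()


def username_from_log(line: str) -> tuple:
    """(username, usermac) from an authmgr line; the log writes usermac lowercase with colons."""
    m = _AUTHMGR.search(line)
    if m is None:
        raise ValueError("no username=/usermac= pair in line")
    return m["username"], m["usermac"]


def log_username_matches_profile(line: str, delimiter=PROFILE_DELIMITER, upper=PROFILE_UPPER) -> bool:
    """True when the username the controller sent is the profile's rendering of the client's MAC."""
    username, usermac = username_from_log(line)
    return username == format_mac_username(usermac, delimiter, upper)


def db_entries_not_in_profile_format(entries, delimiter=PROFILE_DELIMITER, upper=PROFILE_UPPER) -> list:
    """Entries that will never equal what the profile sends, paired with the form they need."""
    bad = []
    for entry in entries:
        try:
            expected = format_mac_username(entry, delimiter, upper)
        except ValueError:
            bad.append((entry, None))   # not a MAC at all
            continue
        if entry != expected:
            bad.append((entry, expected))
    return bad


# The failing line quoted in the post (redactions left as posted).
LOG_LINE = ("Sep 7 12:33:36 :522275:  <ERRS> |authmgr|  User Authentication failed. "
            "username=F8-16-54-BE-41-8C  userip=0.0.0.0 usermac=f8:16:54:be:41:8c "
            "servername=Internal serverip=X.X.X.X Name=WAP_AP105 bssid=(mac address here)")

# Constructed internal-DB usernames: one in the profile's format, one lowercase with colons,
# one with a trailing space pasted in.
SAMPLE_DB = ["F8-16-54-BE-41-8C", "f8:16:54:be:41:8d", "F8-16-54-BE-41-8E "]

if __name__ == "__main__":
    print(username_from_log(LOG_LINE), log_username_matches_profile(LOG_LINE))
    for entry, expected in db_entries_not_in_profile_format(SAMPLE_DB):
        print(f"{entry!r} -> {expected!r}")
```

On the posted line the username is already the upper-case, dash-delimited form of usermac, so what the controller sent matches the format the database entries are said to be in; running the audit over the real internal-database usernames is the quickest way to confirm the same for every entry. The check only answers the format question and says nothing about why the internal server rejected the authentication.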
