Wired Intelligent Edge



Tunneled-node and connectivity loss

  • 1.  Tunneled-node and connectivity loss

    Posted Jan 07, 2018 01:09 PM

    Maybe somebody can help me with a tunneled-node configuration between an Aruba 7005 controller and an AOS 2930F switch. I configured the switch for tunneled-node.

     

    tunneled-node-server
       controller-ip 10.10.1.14
       exit
    !
    interface 5
       name "FOSCAM IP CAM"
       tunneled-node-server
       exit
    !
    vlan 20
       name "TUNNEL-VLAN"
       untagged 4
       no ip address
       jumbo
       exit

    I configured the controller, which is running AOS 8.2.0.2 with an aaa profile to use MAC authentication against ClearPass. The relevant configuration of the controller is displayed below.

    aaa authentication wired
        profile "aaa-tunneled-node"
    !
    aaa profile "aaa-tunneled-node"
        authentication-mac "default"
        mac-server-group "grp-cppm"

    The concept of tunneled-node is working perfectly. The device connected to the switch is authenticated by ClearPass and connected to the correct VLAN. However, I have one problem. The connected device is a Foscam IP camera. The device is connected to the switch and is managed by, and stores its recordings on, a Synology NAS. The Synology NAS is connected to a different switch.

     

    The problem is that the IP camera is getting disconnected on the Synology, so I cannot use the "live view" or check recordings or snapshots from detected movements. When I enable tunneled-node on the switch port connected to the Foscam, the camera works a few minutes and then gets disconnected. 

     

    I cannot find the reason why. I can still access the IP cam by IP address from the Synology and I can access the web interface from any device in the network. I was thinking about broadcasts being blocked, but I cannot find anything. The camera gets back online as soon as I disable tunneled-node on the switch port and set the correct access VLAN.

     

    Below is the user-table information of the Foscam IP cam on the controller.

     

    Who knows the answer?? ;-)

     

    Users
    -----
        IP           MAC            Name         Role           Age(d:h:m)  Auth  VPN link  AP name    Roaming  Essid/Bssid/Phy                Profile            Forward mode  Type  Host Name  User Type
    ----------  ------------       ------        ----           ----------  ----  --------  -------    -------  ---------------                -------            ------------  ----  ---------  ---------
    10.10.1.7   c4:d6:55:3d:ca:5a  c4d6553dca5a  authenticated  00:00:00    MAC             tunnel 12  Wired    10.10.1.4:5/b0:5a:da:98:67:30  aaa-tunneled-node  tunnel                         WIRED
    
    ---------------------------------------------------------------------------------------
    
    Name: c4d6553dca5a, IP: 10.10.1.7, MAC: c4:d6:55:3d:ca:5a, Age: 00:00:00
    Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 78/0
    Authentication: Yes, status: successful, method: MAC, protocol: PAP, server: CPPM
    Authentication Servers: dot1x authserver: , mac authserver: CPPM
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_MBA_VSA
    VLAN Derivation: MBA Aruba VSA
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=0
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: Wired, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 20, Assigned: 1, Current: 1 vlan-how: 11 DP assigned vlan:1
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0xc, Port=0x1000c (tunnel 12)
    Essid: 10.10.1.4:5, Bssid: b0:5a:da:98:67:30 AP name/group: / Phy-type: Wired Forward Mode: tunnel
    RadAcct sessionID:n/a
    RadAcct Traffic In 1156/479326 Out 1333/210075 (0:1156/0:0:7:20574,0:1333/0:0:3:13467)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:aaa-tunneled-node, dot1x:, mac:default CP:n/a def-role:'logon' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
    IP Born: 1515348432 (Sun Jan  7 19:07:12 2018)
    Core User Born: 1515348432 (Sun Jan  7 19:07:12 2018)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String:
    L3-Auth Session Timeout from RADIUS: 0
    Mac-Auth Session Timeout Value from RADIUS: 0
    Dot1x Session Timeout Value from RADIUS: 0
    Dot1x Session Term-Action Value from RADIUS: Default
    CaptivePortal Login-Page URL from RADIUS: N/A
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: CPPM, dot1x auth server: N/A
    Address is from DHCP: no
    ipuser_notify_action:UserAuth/NoAction
    Per-user-log pointer 0x141ae04 (id 71), num logs 4
    RTTS disabled: rtts_throughput 0 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
    User added to cluster bucket-map: No
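    The replies below ask about the camera's role, its VLAN and the tunnel mode, all of which are in the verbose user entry quoted above. This added Python snippet (not part of the post or of any Aruba tool) parses that entry format and lists the fields a troubleshooter would compare against the symptoms; the sample text is copied from the post.

```python
import re

# Sample copied from the 'show user' output quoted in the post (constructed input, not live).
SAMPLE = """\
Name: c4d6553dca5a, IP: 10.10.1.7, MAC: c4:d6:55:3d:ca:5a, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 78/0
Authentication: Yes, status: successful, method: MAC, protocol: PAP, server: CPPM
Idle timeout (global): 300 seconds, Age: 00:00:00
Vlan default: 20, Assigned: 1, Current: 1 vlan-how: 11 DP assigned vlan:1
Essid: 10.10.1.4:5, Bssid: b0:5a:da:98:67:30 AP name/group: / Phy-type: Wired Forward Mode: tunnel
Address is from DHCP: no
"""

# One regex per field; group 1 is the value. Anchors use MULTILINE so ^/$ match line ends.
PATTERNS = {
    "mac": r"^Name: .*? MAC: (\S+),",
    "role": r"^Role: (\S+) \(",
    "role_how": r"^Role: \S+ \(how: (\S+)\)",
    "auth_method": r"^Authentication: .*?method: (\S+),",
    "idle_timeout_s": r"^Idle timeout \(global\): (\d+) seconds",
    "vlan_default": r"^Vlan default: (\d+),",
    "vlan_current": r"^Vlan default: \d+, Assigned: \d+, Current: (\d+)",
    "switch_port": r"^Essid: (\S+),",          # switch IP:port for a tunneled-node user
    "forward_mode": r"Forward Mode: (\S+)$",
    "dhcp": r"^Address is from DHCP: (\S+)$",
}

def parse_user_entry(text):
    """Return a dict of the fields above; numeric fields become ints, missing ones None."""
    out = {k: (m.group(1) if (m := re.search(p, text, re.MULTILINE)) else None)
           for k, p in PATTERNS.items()}
    for k in ("idle_timeout_s", "vlan_default", "vlan_current"):
        out[k] = int(out[k]) if out[k] is not None else None
    return out

def review(e):
    """Observations matching the questions asked in the thread (role, VLAN, tunnel, timers)."""
    notes = []
    if e["role"] == "authenticated":
        notes.append("role 'authenticated' via %s (poster says it is allow-all)" % e["role_how"])
    if e["vlan_default"] != e["vlan_current"]:
        notes.append("port VLAN %s overridden to %s by RADIUS" % (e["vlan_default"], e["vlan_current"]))
    if e["forward_mode"] == "tunnel":
        notes.append("tunneled from switch port %s: tunnel encapsulation adds overhead, "
                     "so check jumbo/MTU end to end" % e["switch_port"])
    if e["idle_timeout_s"]:
        notes.append("idle timeout %d s: compare with time until the camera drops" % e["idle_timeout_s"])
    if e["dhcp"] == "no":
        notes.append("address not learned via DHCP: confirm static IP matches the assigned VLAN")
    return notes

if __name__ == "__main__":
    for n in review(parse_user_entry(SAMPLE)):
        print("-", n)
```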


  • 2.  RE: Tunneled-node and connectivity loss

    EMPLOYEE
    Posted Jan 07, 2018 02:22 PM

    What role and policies are given to the camera in tunneled node?

     

    Have you tied it with a wide open (allow all) role? JW :-)

     



  • 3.  RE: Tunneled-node and connectivity loss

    Posted Jan 07, 2018 02:25 PM
    The device gets the authenticated role, which has the allow-all statement.


  • 4.  RE: Tunneled-node and connectivity loss

    EMPLOYEE
    Posted Jan 07, 2018 04:31 PM
    Tunneled node vs not in tunnel node mode, same vlan?


  • 5.  RE: Tunneled-node and connectivity loss

    EMPLOYEE
    Posted Jan 07, 2018 05:49 PM
    Per-port or per-user?
    Do you have an L3 boundary between the controller and edge switch?


  • 6.  RE: Tunneled-node and connectivity loss

    Posted Jan 08, 2018 01:13 AM
    Tunneled-port is in VLAN 20. Client is placed in VLAN 1 via CPPM. All other ports (non tunneled-node) are in VLAN 1.

    I am using per port tunneled-node. Controller and switch are in the same VLAN (VLAN 1). Tunneled-node VLAN is only local L2 on switch and controller and is not allowed on uplinks between both.


  • 7.  RE: Tunneled-node and connectivity loss

    Posted Feb 13, 2018 10:41 AM

    Do you have jumbo frames enabled? 



  • 8.  RE: Tunneled-node and connectivity loss

    Posted Feb 13, 2018 11:08 AM

    Yes, jumbo frames are enabled.