Maybe somebody can help me with a tunneled-node configuration between an Aruba 7005 controller and an AOS 2930F switch. I configured the switch for tunneled-node:
tunneled-node-server
controller-ip 10.10.1.14
exit
!
interface 5
name "FOSCAM IP CAM"
tunneled-node-server
exit
!
vlan 20
name "TUNNEL-VLAN"
untagged 4
no ip address
jumbo
exit
I configured the controller, which is running AOS 8.2.0.2, with an AAA profile that uses MAC authentication against ClearPass. The relevant configuration of the controller is shown below.
aaa authentication wired
profile "aaa-tunneled-node"
!
aaa profile "aaa-tunneled-node"
authentication-mac "default"
mac-server-group "grp-cppm"
The concept of tunneled-node is working perfectly. The device connected to the switch is authenticated by ClearPass and placed in the correct VLAN. However, I have one problem. The connected device is a Foscam IP camera. The camera is connected to the switch and is managed by, and stores its recordings on, a Synology NAS. The Synology NAS is connected to a different switch.
The problem is that the IP camera gets disconnected on the Synology, so I cannot use the "live view" or check recordings or snapshots from detected movements. When I enable tunneled-node on the switch port connected to the Foscam, the camera works for a few minutes and then gets disconnected.
I cannot find the reason why. I can still access the IP cam by IP address from the Synology, and I can access the web interface from any device in the network. I was thinking about broadcasts being blocked, but I cannot find anything. The camera comes back online as soon as I disable tunneled-node on the switch port and set the correct access VLAN.
Below is the user-table information for the Foscam IP cam on the controller.
Who knows the answer?? ;-)
Users
-----
IP:              10.10.1.7
MAC:             c4:d6:55:3d:ca:5a
Name:            c4d6553dca5a
Role:            authenticated
Age(d:h:m):      00:00:00
Auth:            MAC
VPN link:
AP name:         tunnel 12
Roaming:         Wired
Essid/Bssid/Phy: 10.10.1.4:5/b0:5a:da:98:67:30
Profile:         aaa-tunneled-node
Forward mode:    tunnel
Type:            WIRED
Host Name:
User Type:
---------------------------------------------------------------------------------------
Name: c4d6553dca5a, IP: 10.10.1.7, MAC: c4:d6:55:3d:ca:5a, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 78/0
Authentication: Yes, status: successful, method: MAC, protocol: PAP, server: CPPM
Authentication Servers: dot1x authserver: , mac authserver: CPPM
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_MBA_VSA
VLAN Derivation: MBA Aruba VSA
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=0
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: Wired, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
Vlan default: 20, Assigned: 1, Current: 1 vlan-how: 11 DP assigned vlan:1
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0xc, Port=0x1000c (tunnel 12)
Essid: 10.10.1.4:5, Bssid: b0:5a:da:98:67:30 AP name/group: / Phy-type: Wired Forward Mode: tunnel
RadAcct sessionID:n/a
RadAcct Traffic In 1156/479326 Out 1333/210075 (0:1156/0:0:7:20574,0:1333/0:0:3:13467)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:aaa-tunneled-node, dot1x:, mac:default CP:n/a def-role:'logon' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
IP Born: 1515348432 (Sun Jan 7 19:07:12 2018)
Core User Born: 1515348432 (Sun Jan 7 19:07:12 2018)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
L3-Auth Session Timeout from RADIUS: 0
Mac-Auth Session Timeout Value from RADIUS: 0
Dot1x Session Timeout Value from RADIUS: 0
Dot1x Session Term-Action Value from RADIUS: Default
CaptivePortal Login-Page URL from RADIUS: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: CPPM, dot1x auth server: N/A
Address is from DHCP: no
ipuser_notify_action:UserAuth/NoAction
Per-user-log pointer 0x141ae04 (id 71), num logs 4
RTTS disabled: rtts_throughput 0 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
User added to cluster bucket-map: No
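The verbose user-table output in the post is the place to read off why a tunneled-node user might age out or land in an unexpected VLAN. As an added example, not part of the original post and not Aruba's own tooling, here is a small Python parser for that output format. It pulls out the fields that govern ageing and VLAN placement (the global idle timeout, the RADIUS session timeout, the role reauth interval, the default versus current VLAN, and the forward mode) and summarises them. The sample input is the relevant lines copied from the post; the field names, the regular expressions and the summarize() helper are my own assumptions about what is worth checking, not a documented AOS API.

```python
import re

# Verbose user-table lines copied from the post above (only the lines this
# parser reads); constructed sample input for this example.
SAMPLE = """\
Name: c4d6553dca5a, IP: 10.10.1.7, MAC: c4:d6:55:3d:ca:5a, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 78/0
Authentication: Yes, status: successful, method: MAC, protocol: PAP, server: CPPM
Idle timeout (global): 300 seconds, Age: 00:00:00
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=0
Vlan default: 20, Assigned: 1, Current: 1 vlan-how: 11 DP assigned vlan:1
Essid: 10.10.1.4:5, Bssid: b0:5a:da:98:67:30 AP name/group: / Phy-type: Wired Forward Mode: tunnel
Mac-Auth Session Timeout Value from RADIUS: 0
Dot1x Session Timeout Value from RADIUS: 0
Reauth-interval from role: 0
Address is from DHCP: no
"""

# One regex per field; group(1) is the value. Patterns are anchored to the
# exact labels the controller prints, so an absent line yields None.
FIELDS = {
    "name": r"^Name: (\S+),",
    "ip": r"\bIP: (\S+),",
    "mac": r"\bMAC: ([0-9a-f:]{17})",
    "role": r"^Role: (\S+) ",
    "auth_status": r"status: (\w+),",
    "auth_method": r"method: (\w+),",
    "idle_timeout_s": r"Idle timeout \(global\): (\d+) seconds",
    "vlan_default": r"^Vlan default: (\d+),",
    "vlan_current": r"Current: (\d+) vlan-how",
    "forward_mode": r"Forward Mode: (\w+)",
    "mac_session_timeout_s": r"Mac-Auth Session Timeout Value from RADIUS: (\d+)",
    "reauth_interval_s": r"Reauth-interval from role: (\d+)",
    "dhcp": r"Address is from DHCP: (\w+)",
}

INT_FIELDS = ("idle_timeout_s", "vlan_default", "vlan_current",
              "mac_session_timeout_s", "reauth_interval_s")


def parse_user(text):
    """Extract the FIELDS above from one user's verbose user-table output."""
    user = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        user[key] = match.group(1) if match else None
    for key in INT_FIELDS:
        if user[key] is not None:
            user[key] = int(user[key])
    return user


def timers_in_effect(user):
    """Timers that can remove this entry, in seconds (0 means not set)."""
    return {
        "idle_timeout_s": user["idle_timeout_s"] or 0,
        "radius_session_timeout_s": user["mac_session_timeout_s"] or 0,
        "role_reauth_interval_s": user["reauth_interval_s"] or 0,
    }


def summarize(text):
    """Parse the output and report the facts worth comparing against the symptom."""
    user = parse_user(text)
    return {
        "user": user,
        "timers": timers_in_effect(user),
        # The VLAN the user actually sits in differs from the profile default.
        "vlan_differs_from_default": user["vlan_default"] != user["vlan_current"],
        # MAC-authenticated and tunnelled to the controller, as expected here.
        "tunneled": user["forward_mode"] == "tunnel" and user["auth_method"] == "MAC",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the post's output this reports an idle timeout of 300 seconds with no RADIUS session timeout and no role reauth interval, a current VLAN of 1 against a profile default of 20, and a MAC-authenticated tunnelled user. Those are the two values a practitioner would line up against the observed behaviour: the idle timeout against the interval after which the camera drops, and the current VLAN against the VLAN the Synology expects to reach the camera in.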