Wireless Access

Contributor I
Posts: 34
Registered: ‎07-07-2011

802.1x on wired port of Remote AP with split-tunnel

Hello all,

 

I face an issue with 802.1x authentication on a wired port of a remote AP.

The wired port is configured for split-tunnel mode, AAA profile points to a MS Win 2008R2 NPS Radius server.

When I plug the client into E1 port of the RAP I get EAP packets and get prompted for credentials.

However, nothing further happens after that. On the NPS no event is logged (neither deny nor accept).

On the Aruba controller, "show auth-tracebuf" eventually shows a timeout of the logon session.

Now, when I set the wired port to tunneled mode, everything works fine!

Is this a bug or is 802.1x over split-tunnel on wired RAP ports not supported?

 

Kind regards

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

In your role for split tunnel, are you allowing access to NPS without source NAT'ing it?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

I had the initial role set to "allow all" to make sure clients may reach NPS server. Still didn't work.

On the other hand, we are facing EAP packets which are Layer 2 and should not get filtered by the controllers firewall.

Maybe my setup is faulty after all:

I had the RAP placed inside my VLAN 1, which is the same VLAN clients get assigned in my wired profile.

I hooked up the RAP to an external ISP line, and now it works!

Maybe the RAP gets stuck sending a split tunnel to basically the same network inside and outside the tunnel?

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

How's your user-role for split-tunneling configured?

 

Make sure that the user-role used for split-tunneling is set up this way:

user any svc-dhcp permit (If DHCP is at the Remote Site)

any <INTERNAL NETWORKS> any permit

any any any route src-nat

 

Where are you doing the termination, on the controller or on NPS?

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
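The role layout described in the reply above, written out as ArubaOS CLI. This is an added illustration and not configuration from the thread or from Aruba; the names (the ACL, role, netdestination and profile names, the 10.0.0.0/8 internal range and the VLAN number) are assumptions chosen for the example, so substitute your own and verify the exact keywords against the AOS release you run.

```text
! Internal networks that should stay inside the tunnel (assumed range)
netdestination internal-nets
  network 10.0.0.0 255.0.0.0
!
! Session ACL for the split-tunnel role, in the order from the reply:
!   1. DHCP from the client (needed when DHCP lives at the remote site)
!   2. internal destinations permitted, so they are forwarded via the tunnel
!   3. everything else bridged locally and source-NAT'ed out the RAP uplink
ip access-list session split-tunnel-acl
  user any svc-dhcp permit
  any alias internal-nets any permit
  any any any route src-nat
!
! Role that carries the ACL; used as the initial and/or 802.1X default role
user-role split-tunnel-role
  access-list session split-tunnel-acl
!
! Wired port of the RAP in split-tunnel forward mode (assumed names/VLAN)
ap wired-ap-profile "rap-split-wired"
  wired-ap-enable
  forward-mode split-tunnel
  switchport mode access
  switchport access vlan 1
!
! Port profile tying the wired-ap profile to the AAA profile that points at NPS
ap wired-port-profile "rap-e1-dot1x"
  wired-ap-profile "rap-split-wired"
  aaa-profile "wired-dot1x-nps"
!
! Apply to the RAP's E1 port via its AP group
ap-group "remote-aps"
  enet1-port-profile "rap-e1-dot1x"
!
```

To check the result, `show rights split-tunnel-role` lists the effective rules in order, and `show auth-tracebuf mac <client-mac>` shows whether the EAP exchange progresses past the identity request and whether the RADIUS request to NPS is actually sent and answered.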
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

Hi,

 

The user role is like this:

 

any any svc-dhcp allow

any <InternalNet> any allow

user any any route src-nat

 

EAP-Termination takes place at the NPS server.

 

Thanks!

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

What version of AOS are you using, and what type of RAP?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: 802.1x on wired port of Remote AP with split-tunnel

Currently using AOS version 6.4.3.2 and a RAP3 in this scenario.

 

Thanks.
