Wireless Access

Occasional Contributor I
Posts: 6
Registered: ‎10-17-2013

802.1x with AP in bridge mode

Hello,

I'm trying to set up a CAP to use 802.1x to an external RADIUS server with the CAP forwarding mode set to bridge. I've also created a wired AP profile where the forwarding mode is set to bridge as well. I've been told by the local Aruba SE that this "should" work if you make the AP management subnet a RADIUS client on the RADIUS server. I've also been told that it "will" work using ClearPass. Is it possible to make this work without ClearPass? With forwarding mode set to bridge, I never get the prompt to enter my credentials and the RADIUS requests never even hit the RADIUS server, but if I set it back to tunnel mode on both the VAP and AP wired profiles, I can authenticate successfully with no problems. Any info would be much appreciated.

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: 802.1x with AP in bridge mode

The forwarding mode of a CAP does not change how 802.1X authentication takes place.  The controller is always the RADIUS client in this case, not the AP.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎10-17-2013

Re: 802.1x with AP in bridge mode

Even if I remove the AP subnet from the RADIUS client, it still never hits the RADIUS server. It's like the controller and/or the AP can't forward the request off to the RADIUS server.

Thanks,

Josh Grzelakowski
Network Engineer / Delta Network Services
O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
420 Enterprise Court Bloomfield Township, MI 48302
www.delta-ns.com
Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: 802.1x with AP in bridge mode

I assume you have cpsec enabled, since this is required for Campus APs in bridge-forwarding mode?

Is there anything showing in the auth-tracebuf for the particular clients? Try to enable debugging for those clients as well while you are testing?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: 802.1x with AP in bridge mode

Can you confirm the AAA profile you are using for your bridged mode VAP? Make sure you have the proper RADIUS server group defined. All 802.1X authentication in a campus/controller based environment is done by the controller, regardless of forwarding mode; tunnel, split-tunnel, bridge; CAP or RAP; etc.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎10-17-2013

Re: 802.1x with AP in bridge mode

Yes I do. As soon as I switch everything to normal trunk mode, it works instantly. I can authenticate and I get put in the role I have defined on the controller and radius server.

Thanks,

Josh Grzelakowski
Network Engineer / Delta Network Services
O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
420 Enterprise Court Bloomfield Township, MI 48302
www.delta-ns.com
Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: 802.1x with AP in bridge mode


josh.grzelakowski@delta-ns.com wrote:
Yes I do. As soon as I switch everything to normal trunk mode, it works instantly. I can authenticate and I get put in the role I have defined on the controller and radius server.

Thanks,

Do you mean normal tunnel mode?

When in bridged mode, do you see the client authenticating in the logs on the controller? Have you set the switchport for the AP to be trunked, with the user-vlan tagged?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor I
Posts: 6
Registered: ‎10-17-2013

Re: 802.1x with AP in bridge mode

Yes I have untagged on a mgmt. vlan and tagged on the 2 user vlans.

Thanks,

Josh Grzelakowski
Network Engineer / Delta Network Services
O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
420 Enterprise Court Bloomfield Township, MI 48302
www.delta-ns.com