Wireless Access

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

AP205H - Mac auth connection issue

Hi,
I have configured an AP205H to perform dot1x and MAC auth on eth1-3.
When a laptop performs dot1x authentication, the VLAN and role are pushed from the CPPM, the device receives an IP, and everything is good.

I have a few presentation devices that will only do MAC Auth. I can see the auth request coming into CPPM and the appropriate VLAN and role being pushed back to the controller. The device even receives an IP address, but I am unable to contact the device at all.
When I run the show datapath command I see traffic trying to hit the device but all the attempts come with the flags FYI, FCI.

Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
192.168.xx.xxx  192.168.xx.xxx  1    2464  0     0/0      0    0   0   pc1         4    0         0         FYI
192.168.xx.xxx  192.168.xx.xxx  1    2463  0     0/0      0    0   1   pc1         8    0         0         FYI
192.168.xx.xxx  192.168.xx.xxx  1    2464  2048  0/0      0    0   0   pc1         4    1         60        FCI
192.168.xxx.xxx 192.168.xx.xxx  1    2463  2048  0/0      0    0   1   pc1         8    1         60        FCI

Any ideas what might be going on? I am currently just trying to ping the device and access it via HTTP.

Cheers
MVP
Posts: 976
Registered: ‎04-13-2009

Re: AP205H - Mac auth connection issue

Can you test with another device?

The datapath session just shows it not responding, assuming we're looking at the correct addresses.
Edit: The role the client is assigned allows HTTP and ping right?
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
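James's reading of the table (a request entry with packets, a reverse entry with none) can be mechanised. The following is an added example, not code from the thread or from Aruba: it parses rows of the form quoted above, pairs each ICMP echo request with the reverse-direction echo-reply entry, and reports the ones that never carried a reply packet. The sample rows are constructed to mirror the poster's columns with placeholder addresses, and the ICMP reading of the SPort/DPort columns (SPort as ICMP identifier, DPort carrying the ICMP type in its high byte, so 2048 = 0x0800 = type 8 echo request and 0 = type 0 echo reply) is an assumption that fits the quoted output; verify it against your own controller.

```python
"""Pair ICMP echo sessions from an ArubaOS `show datapath session table` dump.

Added example, not code from the thread. The sample rows are constructed to
mirror the columns the poster quoted; the IP addresses are placeholders.
For ICMP (Prot 1) the table is read here with SPort as the ICMP identifier and
DPort as the ICMP type in its high byte (2048 = 0x0800 = type 8 echo request,
0 = type 0 echo reply). That reading fits the quoted output; verify against
your own controller before relying on it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample: .99 pings .20; the request entries carry one 60-byte
# packet each, the reply entries in the reverse direction carry nothing.
SAMPLE_TABLE = """\
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
192.168.47.20   192.168.47.99   1    2464  0     0/0      0    0   0   pc1         4    0         0         FYI
192.168.47.20   192.168.47.99   1    2463  0     0/0      0    0   1   pc1         8    0         0         FYI
192.168.47.99   192.168.47.20   1    2464  2048  0/0      0    0   0   pc1         4    1         60        FCI
192.168.47.99   192.168.47.20   1    2463  2048  0/0      0    0   1   pc1         8    1         60        FCI
"""

ICMP = 1
ECHO_REQUEST = 8
ECHO_REPLY = 0


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str

    @property
    def icmp_type(self) -> int:
        # DPort carries the ICMP type in its high byte (assumption, see above).
        return self.dport >> 8


def parse_sessions(text: str) -> list[Session]:
    """Parse the whitespace-separated rows; header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        # A data row has exactly 14 columns and a numeric protocol in column 3.
        if len(cols) != 14 or not cols[2].isdigit():
            continue
        sessions.append(Session(
            src=cols[0], dst=cols[1], proto=int(cols[2]),
            sport=int(cols[3]), dport=int(cols[4]),
            packets=int(cols[11]), nbytes=int(cols[12]), flags=cols[13],
        ))
    return sessions


def unanswered_pings(sessions: list[Session]) -> list[tuple[Session, Optional[Session]]]:
    """Echo requests whose reverse-direction echo-reply entry is absent or carried no packets."""
    by_key = {(s.src, s.dst, s.sport, s.icmp_type): s
              for s in sessions if s.proto == ICMP}
    result = []
    for req in sessions:
        if req.proto != ICMP or req.icmp_type != ECHO_REQUEST:
            continue
        # The reply session runs dst -> src with the same ICMP identifier.
        reply = by_key.get((req.dst, req.src, req.sport, ECHO_REPLY))
        if reply is None or reply.packets == 0:
            result.append((req, reply))
    return result


def report(text: str) -> list[str]:
    """One human-readable line per unanswered echo request."""
    lines = []
    for req, reply in unanswered_pings(parse_sessions(text)):
        if reply is None:
            status = "no reply entry"
        else:
            status = f"reply entry exists but {reply.packets} packets ({reply.flags})"
        lines.append(f"{req.src} -> {req.dst} id={req.sport}: "
                     f"{req.packets} request packet(s) sent ({req.flags}); {status}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TABLE):
        print(line)
```

On the constructed rows both requests are reported with a zero-packet reply entry, which is the "not responding" picture James describes: the controller has forwarded the echo request toward the client and created the return-path session, but nothing has come back through it.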
Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: AP205H - Mac auth connection issue

Hi,

I have tried testing with a VoIP phone that is also doing MAC auth.

The same thing appears to occur, although with the VoIP phone it doesn't get an IP address, unlike the presentation device.
I can try with a printer to see if it is able to communicate.
I believe the datapath is correct. I got the mac address of the device and looked that up in the user-table to see if a session had been established on the controller. That is where I got the IP address for the device from.
The role that is assigned does indeed allow HTTP and ping, yes. I even tried assigning a different role that is less restrictive, and still no dice.

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: AP205H - Mac auth connection issue

I have tried testing with a printer.

In this case I don't even get a session on the controller for the printer. I see the CPPM processing the request and sending back the appropriate information, but when I view the user table I do not see the printer.
For the wired ports on the AP205H I have configured them in "tunnel" mode and I left the default vlan settings. Is this correct? Or have I done something wrong with these settings?

MVP
Posts: 976
Registered: ‎04-13-2009

Re: AP205H - Mac auth connection issue

You'll need to set the correct VLAN. VLAN 1 is the default in the wired AP Profile, I assume you're not using that VLAN?
Cheers
James

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: AP205H - Mac auth connection issue

You are correct that I am not using vlan 1.
I was under the impression though that the VLAN setting would be pushed from the CPPM? Similar to how it works on the wired ports of a switch.
The CPPM currently is pushing back the VLAN and role information. When I plug in a laptop and the laptop does dot1x, it is placed into the correct VLAN and is able to communicate without an issue.

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: AP205H - Mac auth connection issue

With 802.1x the VLAN is assigned after the device authenticates. With wired MAC authentication, there is a race condition for whether or not the device ends up in the previous VLAN or authentication makes it back in time to put it into the RADIUS-returned VLAN. The device will be assigned the initial VLAN if the RADIUS result does not make it back in time. A device will ALSO not make it into the user table unless it passes traffic with the source address being the IP address of the device. I would enable user debugging for that user to see what is going on.

config t
logging level debugging user-debug <mac address of device>
...
try to authenticate.
...
show log user-debug all

Colin Joseph
Aruba Customer Engineering

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: AP205H - Mac auth connection issue

Thank you for the explanation cjoseph. I will do this debugging hopefully later today and report back what I find!
Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: AP205H - Mac auth connection issue

I was finally able to do some testing today.
From the log, it seems as though the client controller is getting the information to update the VLAN ID, but it isn't actually happening maybe?

Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
Mar 6 17:28:51 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for xx:xx:xx:xx:b9:b6 vlan 47 fwdmode 0 derivation_type VLAN exported.
Mar 6 17:28:51 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user xx:xx:xx:xx:b9:b6 vlan 47 derivation_type VLAN exported index 8.
Mar 6 17:28:51 :522029:  <INFO> |authmgr|  MAC=xx:xx:xx:xx:b9:b6 Station authenticate: method=MAC, role=NEWROLE///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
Mar 6 17:28:51 :522158:  <DBUG> |authmgr|  Role Derivation for user 192.168.xx.xxx-xx:xx:xx:xx:b9:b6-xxxxxxxxb9b6 N/A User authenticated with auth type:Unknown auth type role derivation:0.
Mar 6 17:28:51 :522318:  <DBUG> |authmgr|  Client xx:xx:xx:xx:b9:b6 idle timeout 300 profile global
Mar 6 17:28:51 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=xxxxxxxxb9b6 MAC=xx:xx:xx:xx:b9:b6 IP=192.168.xx.xxx role=NEW ROLE VLAN=47 AP=xx:xx:xx:xx:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM

The log seems to indicate that the user was successfully authenticated and that the VLAN information was updated. When I check the client on the controller (show user-table), the client has an IP address, but is unpingable.
I also did what you suggested and set a default vlan. As soon as I did that, everything worked perfectly. The problem though is that I really need the MAC auth to be dynamic because I ultimately don't know what is going to be plugged into the ports.
Is there a way that I can have the ports on the AP205H act as dumb ports and allow the underlying switch to handle the dot1x requests? I don't have any issues with MAC auth on our Cisco switches.
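Colin's race-condition explanation and the `show log user-debug all` output quoted above suggest one concrete check: for every MAC-authenticated station, compare the initial and assigned VLANs in the "Station authenticate" line and test whether the IP recorded at "User Authentication Successful" actually belongs to the assigned VLAN's subnet. If it does not, the device most likely completed DHCP in the initial VLAN before the RADIUS result moved it, which is exactly the situation where the controller shows an IP for a client that cannot be reached. The script below is an added example, not code from the thread or from Aruba; its regular expressions follow the shape of the authmgr lines quoted in the post, and the sample log, MAC addresses, IPs and the VLAN-to-subnet map are constructed for the example.

```python
"""Check `show log user-debug all` (authmgr) output for the wired MAC-auth VLAN race.

Added example, not code from the thread or from Aruba. The regular expressions
follow the shape of the authmgr lines quoted in the post ("Station authenticate:
... VLAN=<initial>/<assigned>" and "User Authentication Successful: ... IP=...
VLAN=..."). The sample log, MAC addresses, IPs and the VLAN-to-subnet map are
constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample log: one MAC-auth station moved from VLAN 1 to VLAN 47 but
# holding a VLAN 1 address, and one 802.1x station that authenticated directly
# into VLAN 47 and holds a VLAN 47 address.
SAMPLE_LOG = """\
Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
Mar 6 17:28:51 :522029:  <INFO> |authmgr|  MAC=00:11:22:33:b9:b6 Station authenticate: method=MAC, role=presenter///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
Mar 6 17:28:51 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=00112233b9b6 MAC=00:11:22:33:b9:b6 IP=192.168.1.50 role=presenter VLAN=47 AP=00:11:22:33:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM
Mar 6 17:30:02 :522029:  <INFO> |authmgr|  MAC=00:11:22:33:aa:01 Station authenticate: method=802.1x, role=employee///denyall, VLAN=47/47, Derivation=6/11, Value Pair=1
Mar 6 17:30:02 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=jdoe MAC=00:11:22:33:aa:01 IP=192.168.47.21 role=employee VLAN=47 AP=00:11:22:33:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=802.1x auth server=CPPM
"""

# Constructed mapping: the subnet each VLAN is expected to hand out via DHCP.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    47: ipaddress.ip_network("192.168.47.0/24"),
}

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
STATION_RE = re.compile(
    rf"MAC={MAC} Station authenticate: method=(?P<method>[^,]+), role=(?P<role>[^,]+), "
    r"VLAN=(?P<initial>\d+)/(?P<assigned>\d+)")
SUCCESS_RE = re.compile(
    rf"User Authentication Successful: .*?MAC={MAC} IP=(?P<ip>\S+) role=(?P<role>\S+) VLAN=(?P<vlan>\d+)")


def parse_user_debug(log_text: str) -> dict[str, dict]:
    """Collect per-MAC facts: auth method, initial/assigned VLAN, and the IP logged at success."""
    stations: dict[str, dict] = {}
    for line in log_text.splitlines():
        m = STATION_RE.search(line)
        if m:
            st = stations.setdefault(m["mac"], {})
            st["method"] = m["method"]
            st["initial_vlan"] = int(m["initial"])
            st["assigned_vlan"] = int(m["assigned"])
            continue
        m = SUCCESS_RE.search(line)
        if m:
            st = stations.setdefault(m["mac"], {})
            st["ip"] = ipaddress.ip_address(m["ip"])
            st["final_vlan"] = int(m["vlan"])
            st["role"] = m["role"]
    return stations


def vlan_race_suspects(stations: dict[str, dict], vlan_subnets: dict) -> list[dict]:
    """MAC-auth stations moved between VLANs whose IP is not in the assigned VLAN's subnet.

    A hit means the device most likely obtained its address in the initial VLAN
    before the RADIUS result arrived: the user table shows an IP, but the client
    is bridged into a VLAN where that address is unreachable.
    """
    suspects = []
    for mac, st in stations.items():
        if st.get("method") != "MAC":
            continue
        initial, assigned = st.get("initial_vlan"), st.get("assigned_vlan")
        if initial is None or initial == assigned:
            continue
        ip, net = st.get("ip"), vlan_subnets.get(assigned)
        if ip is None or net is None or ip not in net:
            suspects.append({"mac": mac, "initial_vlan": initial, "assigned_vlan": assigned,
                             "ip": str(ip), "expected_subnet": str(net)})
    return suspects


if __name__ == "__main__":
    for s in vlan_race_suspects(parse_user_debug(SAMPLE_LOG), VLAN_SUBNETS):
        print(f"{s['mac']}: moved VLAN {s['initial_vlan']} -> {s['assigned_vlan']} "
              f"but holds {s['ip']} (expected {s['expected_subnet']})")
```

Run against a real `show log user-debug all` capture, the only things to adapt are the VLAN-to-subnet map and, if the role string contains spaces as in the poster's redacted output, the `role=` pattern. A station that is flagged here but reachable after a DHCP renew confirms the race Colin describes rather than a role or ACL problem.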
