Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba 3400 Role Derivation

  • 1.  Aruba 3400 Role Derivation

    MVP
    Posted Jun 27, 2014 12:41 PM

    Hi all,

    We have (1) Aruba 7210 - Master, (1) Aruba 3400 - Local1, and (1) Aruba 3400 - Local2.

    We want to authenticate users via 802.1x to Windows NPS. Everything is working on Local2, but not on the Master or Local1 for some users.

    We want our users to log into their machines, and those credentials then get sent to Windows NPS for authentication.

    What we are seeing is the following:

    172.20.54.146              60:67:20:98:f2:de  SCHOOL\john   dot1x-user-default-role  00:03:02    8021x-User            MAIN-ITS.2-AP       Wireless  S-802dot1x/00:24:6c:2e:55:d9/a-HT  gs-dot1x-aaa         tunnel
    172.20.54.149              00:23:14:b4:e5:e4  SCHOOL\george  gs_admin_staff           00:00:41    802.1x                MAIN-ITS.1-AP       Wireless  S-802dot1x/00:24:6c:2f:41:c1/g-HT  gs-dot1x-aaa         tunnel
    172.20.54.160              00:24:d7:d4:4a:48  GEORGESCHOOL\adam   dot1x-user-default-role  00:03:17    8021x-User            MAIN-ITS.1-AP       Wireless  S-802dot1x/00:24:6c:2f:41:c9/a-HT  gs-dot1x-aaa         tunnel

    The users are being given the default role of "dot1x-user-default-role" when AUTH TYPE is "802.1x-User" but they are given the correct role when AUTH TYPE is "802.1x".

    What is the difference? Is there a reason one machine is doing it differently than others?

    Also, here are the RADIUS debug logs:

    Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
    Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
    Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
    Jun 27 11:50:37 :522127:  <DBUG> |authmgr|  {L2} Update role from dot1x-user-default-role to dot1x-user-default-role for IP=0.0.0.0.
    Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11

     

     

    Not sure why the two of their roles are not changing, while the other one is. I believe it's the auth type, but not sure.


    #7210
    #3400


  • 2.  RE: Aruba 3400 Role Derivation

    MVP
    Posted Jun 27, 2014 12:44 PM

    Those debug logs are from the local controller where authentication problems are happening. Both locals should have config from master, but 1 works and the other is having issues. Master is also having these issues.



  • 3.  RE: Aruba 3400 Role Derivation
    Best Answer

    Posted Jun 27, 2014 01:21 PM

    The different roles are based on the fact that you have "enforce machine authentication" enabled in your dot1x profile.

    The 802.1x-User entry is when the user authenticates successfully, but the computer did not.

    The 802.1x-Computer entry would be for a computer that is online, not a user.

    The 802.1x entry would be for a user that is logged into a device that has also passed machine authentication.



  • 4.  RE: Aruba 3400 Role Derivation

    MVP
    Posted Jun 27, 2014 01:25 PM

    Thank you for your response. We were able to determine the machines have been online for 3 weeks + and may be failing machine auth because the cache is not present. We rebooted the laptops and the issue has been resolved.
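
The symptom discussed in this thread appears in the debug output as a role that is derived but never applied. As an added example (not from the thread participants or from Aruba), this Python script parses the authmgr lines quoted in the first post and flags stations whose derived role differs from the role finally applied. The function names and the case-insensitive role comparison are assumptions made for this example.

```python
import re

# authmgr debug lines copied from the first post of the thread.
SAMPLE_LOG = """\
Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
Jun 27 11:50:37 :522127:  <DBUG> |authmgr|  {L2} Update role from dot1x-user-default-role to dot1x-user-default-role for IP=0.0.0.0.
Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11
"""

MAC = r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PATTERNS = {
    "method": re.compile(MAC + r".*Station authenticate\(start\): method=(?P<val>[\w.-]+)"),
    "derived": re.compile(MAC + r".*Derived role '(?P<val>[^']+)'"),
    "final": re.compile(MAC + r".*User role updated.*new Role=(?P<val>[^/,\s]+)"),
}

def summarize(log_text):
    """Collect per-MAC auth method, derived roles and the role finally applied."""
    stations = {}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            st = stations.setdefault(m["mac"], {"method": None, "derived": [], "final": None})
            if key == "derived":
                st["derived"].append(m["val"].lower())
            else:
                st[key] = m["val"]
    return stations

def unapplied_derivations(log_text):
    """Return stations whose derived role never became the applied role."""
    # Assumption: role names compare case-insensitively (the log shows both cases).
    findings = []
    for mac, st in summarize(log_text).items():
        wanted = set(st["derived"])
        if wanted and st["final"] and st["final"].lower() not in wanted:
            findings.append({"mac": mac, "method": st["method"],
                             "derived": sorted(wanted), "applied": st["final"]})
    return findings

if __name__ == "__main__":
    for f in unapplied_derivations(SAMPLE_LOG):
        print(f"{f['mac']}: method={f['method']} derived={f['derived']} "
              f"applied={f['applied']} (check machine authentication state)")
```

A station flagged with method `8021x-User` matches the case in the accepted answer: the user authenticated, but the computer did not.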