MVP
Posts: 382
Registered: ‎05-09-2013

Aruba 3400 Role Derivation

Hi all,

We have (1) Aruba 7210 - Master, (1) Aruba 3400 - Local1, and (1) Aruba 3400 - Local2.

We want to authenticate users via 802.1x to Windows NPS. Everything is working on Local2, but not on the Master or Local1 for some users.

We want our users to log into their machines, and those credentials then get sent to Windows NPS for authentication.

What we are seeing is the following:

172.20.54.146              60:67:20:98:f2:de  SCHOOL\john   dot1x-user-default-role  00:03:02    8021x-User            MAIN-ITS.2-AP       Wireless  S-802dot1x/00:24:6c:2e:55:d9/a-HT  gs-dot1x-aaa         tunnel
172.20.54.149              00:23:14:b4:e5:e4  SCHOOL\george  gs_admin_staff           00:00:41    802.1x                MAIN-ITS.1-AP       Wireless  S-802dot1x/00:24:6c:2f:41:c1/g-HT  gs-dot1x-aaa         tunnel
172.20.54.160              00:24:d7:d4:4a:48  GEORGESCHOOL\adam   dot1x-user-default-role  00:03:17    8021x-User            MAIN-ITS.1-AP       Wireless  S-802dot1x/00:24:6c:2f:41:c9/a-HT  gs-dot1x-aaa         tunnel

The users are being given the default role of "dot1x-user-default-role" when AUTH TYPE is "802.1x-User" but they are given the correct role when AUTH TYPE is "802.1x".

What is the difference? Is there a reason one machine is doing it differently than others?

Also, here are the RADIUS debug logs:

Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
Jun 27 11:50:37 :522127:  <DBUG> |authmgr|  {L2} Update role from dot1x-user-default-role to dot1x-user-default-role for IP=0.0.0.0.
Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11

Not sure why the two of their roles are not changing, while the other one is. I believe it's the auth type, but not sure.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 382
Registered: ‎05-09-2013

Re: Aruba 3400 Role Derivation

Those debug logs are from the local controller where the authentication problems are happening. Both locals should have config from master, but 1 works and the other is having issues. Master is also having these issues.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Aruba 3400 Role Derivation

The different roles are based on the fact that you have "enforce machine authentication" enabled in your dot1x profile.

The 802.1x-User entry is when the user authenticates successfully, but the computer did not.

The 802.1x-Computer entry would be for a computer that is online, not a user.

The 802.1x entry would be for a user that is logged into a device that has also passed machine authentication.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
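
One way to spot this condition in authmgr debug output, added here as an example (not code from the thread or from Aruba): it correlates log lines per MAC and reports stations where a role was derived from the RADIUS reply but the applied role stayed different. The regexes assume the line format shown earlier in the thread, and the lines for 02:00:00:00:00:01 are constructed.

```python
import re
from collections import defaultdict

# Lines for 00:24:d7:d4:4a:48 are copied from the thread. Lines for
# 02:00:00:00:00:01 are constructed to show a station whose derived role was applied.
SAMPLE_LOG = """\
Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11
Jun 27 11:52:10 :522017:  <INFO> |authmgr|  MAC=02:00:00:00:00:01 IP=?? Derived role 'gs_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=constructed
Jun 27 11:52:10 :522049:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=N/A User role updated, existing Role=logon/logon, new Role=gs_admin_staff/gs_admin_staff, reason=constructed-example
"""

MAC_RE = re.compile(r"MAC=([0-9a-f:]{17})")
METHOD_RE = re.compile(r"method=([\w.-]+)")
DERIVED_RE = re.compile(r"Derived role '([^']+)'")
NEW_ROLE_RE = re.compile(r"new Role=([^/,\s]+)")


def find_unapplied_roles(log_text):
    """Return (mac, method, derived_role, applied_role) for each station whose
    derived role differs from the role that was finally applied."""
    stations = defaultdict(dict)
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        st = stations[mac.group(1)]
        if m := METHOD_RE.search(line):
            st["method"] = m.group(1)
        if m := DERIVED_RE.search(line):
            # Assumption: role names are compared case-insensitively, since the
            # thread shows the same role as S_ADMIN_STAFF and s_admin_staff.
            st["derived"] = m.group(1).lower()
        if m := NEW_ROLE_RE.search(line):
            st["applied"] = m.group(1).lower()
    return [
        (mac, st.get("method"), st["derived"], st["applied"])
        for mac, st in stations.items()
        if "derived" in st and "applied" in st and st["derived"] != st["applied"]
    ]


if __name__ == "__main__":
    for mac, method, derived, applied in find_unapplied_roles(SAMPLE_LOG):
        print(f"{mac}: method={method} derived={derived} applied={applied}")
```

A hit with method 8021x-User matches the case described above: the user passed authentication and a role was derived, but the station stays in the default role because machine authentication has not been seen.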

MVP
Posts: 382
Registered: ‎05-09-2013

Re: Aruba 3400 Role Derivation

Thank you for your response. We were able to determine the machines have been online for 3 weeks + and may be failing machine auth because the cache is not present. We rebooted the laptops and the issue has been resolved.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com