11-26-2013 09:05 AM
This morning we upgraded from ArubaOS 220.127.116.11 to 18.104.22.168. We have two M3 / 6000 controllers set up in a redundant master configuration.
One of our SSIDs is WPA2/PSK and uses MAC authentication (MAC Caching) with a captive portal on an Amigopod 3.9 appliance. Users connecting to this SSID who already have a MAC account on the Amigopod have no problems. Any new users fail MAC auth (which is normal) and should be redirected to the web captive portal for authentication. Since the code upgrade, they are rejected access, and don't see the web captive portal and eventually fail to connect to the SSID. The Amigopod shows a normal access-reject because it can't find a MAC account, but it looks like the controller isn't failing back to the captive portal web-auth.
I looked around at things and I saw the "L2 Authentication Fail Through" setting in the AAA Profile (unchecked). I enabled it and it seemed to restore normal operation.
Is having it enabled a valid setting for a WPA2/PSK / Captive Portal / MAC Auth setup? We have had this unchecked for more than a year while we were on 22.214.171.124 and things were working ok -- just curious what may have changed in the new code.
11-26-2013 09:33 AM
L2 Authentication fail through is basically to perform, let's say, both MAC authentication and 802.1x authentication.
Say for example, when MAC auth fails, enable the L2-auth-fail-through to do the 802.1x auth.
See below info from User-guide.
This config is not going to be applicable just for MAC auth / Captive portal.
You can open up a support case where TAC could try to replicate your config on 126.96.36.199 to see if the same issue occurs.