Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can we use Mac Auth on Bridge RAP wired port?

  • 1.  Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 02:07 AM

    Hi guys,

    Can we use MAC authentication on a bridge-mode RAP wired port (Secure-Jack)?
    I tested this topology in my lab, but I can't get the authentication to succeed.

    Is this a limitation?

    If we can use that topology, please let me know how to configure it.

    Regards,

    Kosuke



  • 2.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 06:56 AM
    Yes.

    Just define it in the aaa profile of the port config.


  • 3.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 07:23 AM

    Hi Victor,

    Thank you for your comment.

    I configured the following settings on our controller.

    (Aruba6000) #show ap-group default
    
    AP group "default"
    ------------------
    Parameter                                Value
    ---------                                -----
    Virtual AP                               byod-vap_prof
    802.11a radio profile                    default
    802.11g radio profile                    default
    Ethernet interface 0 port configuration  default
    Ethernet interface 1 port configuration  test
    Ethernet interface 2 port configuration  test
    Ethernet interface 3 port configuration  test
    Ethernet interface 4 port configuration  test
    AP system profile                        default
    VoIP Call Admission Control profile      default
    802.11a Traffic Management profile       N/A
    802.11g Traffic Management profile       N/A
    Regulatory Domain profile                default
    RF Optimization profile                  default
    RF Event Thresholds profile              default
    IDS profile                              default
    Mesh Radio profile                       default
    Mesh Cluster profile                     N/A
    Provisioning profile                     N/A
    AP authorization profile                 N/A
    
    (Aruba6000) #show ap wired-port-profile test
    
    AP wired port profile "test"
    ----------------------------
    Parameter                                   Value
    ---------                                   -----
    Wired AP profile                            default
    Ethernet interface link profile             default
    AP LLDP profile                             default
    Shut down                                   No
    Remote-AP Backup                            Disabled
    AAA Profile                                 mac-auth
    Bridge Role                                 authenticated
    Time to wait for authentication to succeed  20 sec
    Spanning Tree                               Disabled
    
    (Aruba6000) #show aaa profile mac-auth
    
    AAA Profile "mac-auth"
    ----------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    MAC Authentication Profile          default
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     byod_srvgrp-iae73
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    L2 Authentication Fail Through      Disabled
    User idle timeout                   N/A
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    
    (Aruba6000) #

    But the function does not work well.

    It seems that no authentication packet is sent to the RADIUS server via the controller.



  • 4.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 02:43 PM

    I guess we are doing MAC auth against a RADIUS server, in this case maybe ClearPass, to pass the client authentication.

    Can we do debugging or a pcap on the RADIUS server to see whether any RADIUS request is coming in to CPPM from the controller or not?

    We need to understand whether the controller sends out a RADIUS request at all, or whether ClearPass receives it and rejects the client auth for some specific reason.

    Thank you.



  • 5.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 09:28 PM

    Hi Sriram,

    Thank you for your comment.

    Our environment uses a RADIUS server (not CPPM), which is Windows Server 2008 NPS.

    I think the controller or AP didn't send a RADIUS packet to the RADIUS server.

    The RADIUS server received a RADIUS request when we accessed via wireless.

    But the RADIUS server didn't receive a RADIUS request when we accessed via wired.

    It's the same AP and controller.

    (Aruba6000) #show ap active 
    
    Thu Apr 17 10:13:44 2014
    
    
    
    Active AP Table
    ---------------
    Name               Group    IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime   Outer IP
    ----               -----    ----------  -----------  -------------------  -----------  -------------------  -------  -----  ------   --------
    d8:c7:c8:c0:9c:dc  default  10.0.0.1    0            AP:HT:6/21/21        0            AP:HT:116+/18/21     135      RE2a   34m:47s  172.22.4.127
    
    Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
           A = Enet1 in active/standby mode;  B = Battery Boost On; C = Cellular;
           D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
           H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
           N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
           S = AP connected as standby; X = Maintenance Mode; 
           a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP; 
           r = 802.11r Enabled
    
    Channel followed by "*" indicates channel selected due to unsupported configured channel.
    "Spectrum" followed by "^" indicates Local Spectrum Override in effect.
    
    Num APs:1
    
    (Aruba6000) #show user
    
    Thu Apr 17 10:13:55 2014
    
    
    
    Users
    -----
        IP           MAC       Name   Role  Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name
    ----------  ------------  ------  ----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------
    
    User Entries: 0/0
     Curr/Cum Alloc:2/2 Free:0/0 Dyn:2 AllocErr:0 FreeErr:0
    
    (Aruba6000) #show auth-tracebuf 
    
    Thu Apr 17 10:14:00 2014
    
    
    
    Auth Trace Buffer
    -----------------
                                                                           
                                                                           
    Apr 17 10:13:04  ap-up                  *     d8:c7:c8:89:cd:d0  -  -  open system
    Apr 17 10:13:04  ap-up                  *     d8:c7:c8:89:cd:c0  -  -  open system
    
    (Aruba6000) #show user
    
    Thu Apr 17 10:14:44 2014
    
    
    
    Users
    -----
        IP             MAC            Name         Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming             Essid/Bssid/Phy              Profile   Forward mode  Type  Host Name
    ----------    ------------       ------        ----      ----------  ----  --------  -------            -------             ---------------              -------   ------------  ----  ---------
    172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest     00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)  byod/d8:c7:c8:89:cd:c0/g-HT  mac-auth  bridge              MacBook-4
    
    User Entries: 1/1
     Curr/Cum Alloc:3/3 Free:0/0 Dyn:3 AllocErr:0 FreeErr:0
    
    (Aruba6000) #show auth-tracebuf 
    
    Thu Apr 17 10:14:48 2014
    
    
    
    Auth Trace Buffer
    -----------------
                                                                                           
                                                                                           
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
    Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    
    (Aruba6000) #
    (Aruba6000) #show user 
    
    Thu Apr 17 10:15:16 2014
    
    
    
    Users
    -----
        IP             MAC            Name         Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming             Essid/Bssid/Phy              Profile   Forward mode  Type  Host Name
    ----------    ------------       ------        ----      ----------  ----  --------  -------            -------             ---------------              -------   ------------  ----  ---------
    172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest     00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)  byod/d8:c7:c8:89:cd:c0/g-HT  mac-auth  bridge              MacBook-4
    172.22.30.53  00:1d:72:96:55:b6                logon     00:00:00                    d8:c7:c8:c0:9c:dc  Wired(Remote)       10.0.0.1:0/1                 mac-auth  bridge              
    
    User Entries: 2/2
     Curr/Cum Alloc:4/5 Free:0/1 Dyn:4 AllocErr:0 FreeErr:0
    
    (Aruba6000) #show auth-tracebuf 
    
    Thu Apr 17 10:15:22 2014
    
    
    
    Auth Trace Buffer
    -----------------
                                                                                           
                                                                                           
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
    Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    
    (Aruba6000) #
    (Aruba6000) #show auth-tracebuf 
    
    Thu Apr 17 10:16:01 2014
    
    
    
    Auth Trace Buffer
    -----------------
                                                                                           
                                                                                           
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
    Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    
    (Aruba6000) #
    (Aruba6000) #show auth-tracebuf 
    
    Thu Apr 17 10:19:25 2014
    
    
    
    Auth Trace Buffer
    -----------------
                                                                                           
                                                                                           
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
    Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
    Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
    
    (Aruba6000) #

    Thanks,
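An added example, not from this thread or from HPE Aruba, that automates the check done by hand above: cross-reference `show user` with `show auth-tracebuf` and flag every client whose MAC never produced a mac-auth-req. Column and event names follow the output pasted in this thread; the fixed-width parsing, the Auth-column values and the sample rows are assumptions constructed for the example.

```python
"""Cross-check ArubaOS `show user` against `show auth-tracebuf` to spot clients
that sit in the initial role because no MAC-auth request was ever sent.

All sample data below is constructed, modelled on the outputs in this thread.
"""
import re

# Constructed `show user` rows: one wireless client already past MAC auth,
# one wired bridge-mode client still sitting in the initial role.
SHOW_USER = """\
    IP             MAC            Name          Role   Age(d:h:m)  Auth  VPN link  AP name            Roaming             Essid/Bssid/Phy              Profile   Forward mode  Type  Host Name
----------    ------------       ------        ----   ----------  ----  --------  -------            -------             ---------------              -------   ------------  ----  ---------
172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest  00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)  byod/d8:c7:c8:89:cd:c0/g-HT  mac-auth  bridge              MacBook-4
172.22.30.53  00:1d:72:96:55:b6                logon  00:00:00                    d8:c7:c8:c0:9c:dc  Wired(Remote)       10.0.0.1:0/1                 mac-auth  bridge
"""

# Constructed `show auth-tracebuf` lines: the wireless MAC has a request and a
# success, the wired MAC has no entry at all.
AUTH_TRACEBUF = """\
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
INITIAL_ROLE = "logon"  # the AAA profile's "Initial role" in the thread

# IP, MAC, optional Name, Role, Age; everything after Age is parsed loosely.
USER_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>" + MAC + r")\s+"
    r"(?P<name>\S*)\s+(?P<role>\S+)\s+(?P<age>\d\d:\d\d:\d\d)(?P<rest>.*)$"
)
# Timestamp, event, direction marker, first MAC (the client MAC for mac-auth events).
TRACE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+"
    r"(?P<dir>->|<-|\*)\s+(?P<mac>" + MAC + r")"
)


def _grab(pattern, text):
    """First capture group of `pattern` in `text`, or '' when it is absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else ""


def parse_show_user(text):
    """Return one dict per data row of `show user`; header rows do not match."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        users.append({
            "ip": m.group("ip"),
            "mac": m.group("mac"),
            "role": m.group("role"),
            # Auth column is blank until an auth method has completed (assumed values)
            "auth": _grab(r"^\s+(MAC|802\.1x|Web)\s", rest),
            "wired": "Wired(" in rest,
            "forward_mode": _grab(r"\s(bridge|split-tunnel|tunnel)(?:\s|$)", rest),
        })
    return users


def parse_tracebuf(text):
    """Return one dict per auth-tracebuf event line (ts, event, dir, mac)."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(show_user_text, tracebuf_text):
    """Classify each user by what the trace buffer shows for its MAC."""
    events = parse_tracebuf(tracebuf_text)
    report = {}
    for u in parse_show_user(show_user_text):
        seen = {e["event"] for e in events if e["mac"] == u["mac"]}
        if "mac-auth-success" in seen and u["role"] != INITIAL_ROLE:
            status = "authenticated"
        elif "mac-auth-req" in seen:
            # the controller did send a request: look at the RADIUS server side
            status = "request-sent-no-success"
        else:
            # nothing for this MAC: MAC auth was never started for the client
            status = "no-mac-auth-request"
        report[u["mac"]] = dict(u, status=status)
    return report


if __name__ == "__main__":
    for mac, r in audit(SHOW_USER, AUTH_TRACEBUF).items():
        where = "wired" if r["wired"] else "wireless"
        print(f"{mac} {where:8} {r['forward_mode']:12} role={r['role']:6} {r['status']}")
```

A wired bridge-mode entry reported as no-mac-auth-request while a wireless entry on the same AP and controller is authenticated is exactly the pattern in the outputs above, and narrows the problem to the wired port path rather than to controller-to-RADIUS reachability.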



  • 6.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 10:28 PM
    Make sure the port config is not trusted.

    And it's configured as an access port with the remote local VLAN.


  • 7.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 10:39 PM

    Hi Victor,

    Thank you for your info.

    Our configuration is "Not trusted" and "default vlan (untagged)".

    (Aruba6000) # show ap wired-ap-profile default
    
    Wired AP profile "default"
    --------------------------
    Parameter                 Value
    ---------                 -----
    Wired AP enable           Enabled
    Trusted                   Not Trusted
    Forward mode              bridge
    Switchport mode           access
    Access mode VLAN          1
    Trunk mode native VLAN    1
    Trunk mode allowed VLANs  1-4094
    Broadcast                 Broadcast
    
    (Aruba6000) #

    Is the MAC-auth RADIUS request sent to the RADIUS server via the AP's local network?

    We want to send the RADIUS request via the AP-controller connection,

    because the authentication server is on the controller (data center) side.

    Thanks,

    Kosuke



  • 8.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 11:07 PM
    Try checking the broadcast option, and under aaa profile wired / default.


  • 9.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 11:21 PM

    I tried to change the broadcast option from enable to disable in the "Wired ap profile".

    But I got this warning message.

     

    (Aruba6000) (config) #ap wired-ap-profile default
    (Aruba6000) (Wired AP profile "default") #no broadcast
    Warning: 802.1x and Captive portal authentication is not supported in wired Bridge mode
    
    
    (Aruba6000) (Wired AP profile "default") #

    Does 802.1x include "Mac Authentication"?



  • 10.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 16, 2014 11:31 PM

    Disabling the broadcast option will drop the broadcast frames going through the AP tunnel all the way back to the controller, which may not help for authentication.

    You may need to first try "aaa test-server" from the Diagnostics tab on the controller to see controller vs. RADIUS communication.

    Make sure the controller and RADIUS server are reachable and the keys match between them.

    Look at the event-viewer security and system logs on NPS for more info and alerts.

    Thank you.



  • 11.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:04 AM

    Thank you for the comment about the broadcast function.

    And the controller can access and authenticate with the RADIUS server (NPS).

    You can find the entry for the user authenticated via wireless in the "show user" log that is attached above.

    But we cannot find an entry in the "show auth-tracebuf" log for the wired client's authentication.

    Therefore the client status is still the logon role (not authenticated); that is the client accessing Secure Jack on the AP.

    Thank you.



  • 12.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:13 AM

    OK, got that. If you want to do MAC auth + dot1x profile, we need to make sure we map the 802.1x profile to mac-auth as well, else 802.1x will never kick in, which I don't see in the current config.

    Also make sure of the wired-port config on the laptop as well. Thank you.

    (Aruba6000) #show aaa profile mac-auth
    
    AAA Profile "mac-auth"
    ----------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    MAC Authentication Profile          default
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     byod_srvgrp-iae73
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A



  • 13.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:25 AM

    I want to do only mac-auth, NOT mac-auth + 802.1x auth.

    I think there is no need for an 802.1x profile in the aaa profile in this case.

    Is this right?

    And please explain this message if you know.

    ===

    Warning: 802.1x and Captive portal authentication is not supported in wired Bridge mode

    ===

    Does 802.1x include "Mac Authentication"?

    Thank you



  • 14.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:30 AM

    No. 802.1x doesn't include MAC auth. I just asked that question for better clarification. Could you please do the user-debug & auth on the controller to see more info on the client itself for mac-auth.

    config t
    logging level debugging security process authmgr
    logging level debugging user-debug <mac address>
    
    show log security all
    show log user-debug all



  • 15.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:40 AM

    I got the log.

    (Aruba6000) (config) #show user
    
    Thu Apr 17 13:33:10 2014
    
    
    
    Users
    -----
        IP           MAC       Name   Role  Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name
    ----------  ------------  ------  ----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------
    
    User Entries: 0/0
     Curr/Cum Alloc:2/21 Free:2/19 Dyn:4 AllocErr:0 FreeErr:0
    
    (Aruba6000) (config) #
    (Aruba6000) (config) #show user
    
    Thu Apr 17 13:33:25 2014
    
    
    
    Users
    -----
        IP             MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming        Essid/Bssid/Phy  Profile   Forward mode  Type  Host Name
    ----------    ------------       ------    ----      ----------  ----  --------  -------            -------        ---------------  -------   ------------  ----  ---------
    172.22.30.53  00:1d:72:96:55:b6            logon     00:00:00                    d8:c7:c8:c0:9c:dc  Wired(Remote)  10.0.0.1:0/1     mac-auth  bridge              
    
    User Entries: 1/1
     Curr/Cum Alloc:3/23 Free:1/20 Dyn:4 AllocErr:0 FreeErr:0
    
    (Aruba6000) (config) #show log security all 
    Apr 17 13:33:10 :124230:  <DBUG> |authmgr|  Rx message 14001/5221, length 189 from 127.0.0.1:8220
    Apr 17 13:33:14 :124004:  <DBUG> |authmgr|  user_rem_af_ap: ap->ref_count 2 
    Apr 17 13:33:14 :124202:  <DBUG> |authmgr|  Detected AP (f/l 0) with ip 10.0.0.1 slotport 8448 status 1 txkey 0
    Apr 17 13:33:14 :124004:  <DBUG> |authmgr|  user_add_af_ap: ap_ip 10.0.0.1 ap->ref_count 3 
    Apr 17 13:33:14 :124163:  <DBUG> |authmgr|  download-L3: ip=10.0.0.1 acl=4/0 role=ap-role, Ubwm=0, Dbwm=0 tunl=0x0x0, PA=0, HA=1, RO=0, VPN=0, MAC=00:00:00:00:00:00.
    Apr 17 13:33:14 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 300 2 user messages bundled, actions = 18, 20
    Apr 17 13:33:14 :124004:  <DBUG> |authmgr|  add_bss_object: ap (10.0.0.1) bss->bssid.addr d8:c7:c8:89:cd:d0 first_or_last is 0  
    Apr 17 13:33:14 :124004:  <DBUG> |authmgr|  AUTH GSM: ADD bss d8:c7:c8:89:cd:d0: sap=0x106e3a24 event=0
    Apr 17 13:33:14 :124202:  <DBUG> |authmgr|  Detected AP (f/l 0) with ip 10.0.0.1 slotport 8448 status 1 txkey 0
    Apr 17 13:33:14 :124230:  <DBUG> |authmgr|  Rx message 3198/67108864, length 114 from 127.0.0.1:8345
    Apr 17 13:33:14 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3198
    Apr 17 13:33:14 :124004:  <DBUG> |authmgr|  stm_hotspot: bss(d8:c7:c8:89:cd:d0) DN() VN() CC(JP3) HS(0)
    Apr 17 13:33:21 :124230:  <DBUG> |authmgr|  Rx message 3092/67108864, length 171 from 10.0.0.1:8451
    Apr 17 13:33:21 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3092
    Apr 17 13:33:21 :124091:  <DBUG> |authmgr|  station_check_license_limits: mac 00:1d:72:96:55:b6  encr-algo:1.
    Apr 17 13:33:21 :124086:  <DBUG> |authmgr|  Create macuser 0x0x1064b224 and user 0x0x106e08bc.
    Apr 17 13:33:21 :124093:  <DBUG> |authmgr|  Called mac_station_new() for mac 00:1d:72:96:55:b6.
    Apr 17 13:33:21 :124103:  <DBUG> |authmgr|  Setting user 00:1d:72:96:55:b6 aaa profile to default, reason: ncfg_get_wired_aaa_prof.
    Apr 17 13:33:21 :124103:  <DBUG> |authmgr|  Setting user 00:1d:72:96:55:b6 aaa profile to default, reason: ncfg_set_aaa_profile_defaults.
    Apr 17 13:33:21 :124004:  <DBUG> |authmgr|  AUTH GSM PUBLISH MAC user: BSS:01:80:c2:00:00:03 MAC:00:1d:72:96:55:b6 VLAN:1 wired_or_wifi:2 data-ready:0
    Apr 17 13:33:23 :124230:  <DBUG> |authmgr|  Rx message 3096/67108864, length 165 from 10.0.0.1:8451
    Apr 17 13:33:23 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3096
    Apr 17 13:33:23 :124211:  <DBUG> |authmgr|  receive (1) bridge users seq_num=32
    Apr 17 13:33:23 :124212:  <DBUG> |authmgr|  stm_rap_bridge_sta_message: receive action 2 for users 00:1d:72:96:55:b6
    Apr 17 13:33:23 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 21, msglen = 136 
    Apr 17 13:33:23 :124004:  <DBUG> |authmgr|  AUTH GSM: DELETE MAC user 00:1d:72:96:55:b6
    Apr 17 13:33:23 :124090:  <DBUG> |authmgr|  Free macuser 0x0x1064b224 and user 0x0x106e08bc for mac 00:1d:72:96:55:b6.
    Apr 17 13:33:23 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 21, msglen = 136 
    Apr 17 13:33:23 :124004:  <DBUG> |authmgr|  AUTH GSM: USER DELETE uuid(0x3)
    Apr 17 13:33:23 :124004:  <DBUG> |authmgr|  AUTH GSM: failed for user 3 with error ERROR_HTBL_KEY_NOT_FOUND
    Apr 17 13:33:23 :124091:  <DBUG> |authmgr|  station_check_license_limits: mac 00:1d:72:96:55:b6  encr-algo:0.
    Apr 17 13:33:23 :124086:  <DBUG> |authmgr|  Create macuser 0x0x1064b224 and user 0x0x106e12d4.
    Apr 17 13:33:23 :124093:  <DBUG> |authmgr|  Called mac_station_new() for mac 00:1d:72:96:55:b6.
    Apr 17 13:33:23 :124004:  <DBUG> |authmgr|  station_add: SAP NOT found
    Apr 17 13:33:23 :124103:  <DBUG> |authmgr|  Setting user 00:1d:72:96:55:b6 aaa profile to mac-auth, reason: RAP enet user.
    Apr 17 13:33:23 :124103:  <DBUG> |authmgr|  Setting user 00:1d:72:96:55:b6 aaa profile to mac-auth, reason: ncfg_set_aaa_profile_defaults.
    Apr 17 13:33:25 :124230:  <DBUG> |authmgr|  Rx message 14001/5221, length 189 from 127.0.0.1:8220
    
    (Aruba6000) (config) #  
    (Aruba6000) (config) #show log user-debug all 
    Apr 17 13:33:21 :522143:  <DBUG> |authmgr|  user_miss from RAP:10.0.0.1, (Wired) user IP:0.0.0.0, VLAN:1, BSSID:d8:c7:c8:c0:9c:dd:AP:d8:c7:c8:c0:9c:dc, flags=0x0.
    Apr 17 13:33:21 :522035:  <INFO> |authmgr|  MAC=00:1d:72:96:55:b6 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=1 AP-name=d8:c7:c8:c0:9c:dc
    Apr 17 13:33:21 :522077:  <DBUG> |authmgr|  MAC=00:1d:72:96:55:b6 ingress 0x0x0 (vlan 0), u_encr 1, m_encr 1, slotport 0x0x2101 wired, type: remote, FW mode: 1, AP IP: 10.0.0.1 mdie 0 ft_complete 0
    Apr 17 13:33:21 :522264:  <DBUG> |authmgr|  "MAC:00:1d:72:96:55:b6: Allocating UUID: 3.
    Apr 17 13:33:21 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 00:1d:72:96:55:b6 vlan 0 derivation_type Reset VLANs for Station up index 0.
    Apr 17 13:33:21 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 00:1d:72:96:55:b6 vlan 1 fwdmode 0 derivation_type Default VLAN.
    Apr 17 13:33:21 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 00:1d:72:96:55:b6 vlan 1 derivation_type Default VLAN index 1.
    Apr 17 13:33:21 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 00:1d:72:96:55:b6 vlan 1 fwdmode 0 derivation_type Current VLAN updated.
    Apr 17 13:33:21 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 00:1d:72:96:55:b6 vlan 1 derivation_type Current VLAN updated index 2.
    Apr 17 13:33:21 :522254:  <DBUG> |authmgr|  VDR - mac 00:1d:72:96:55:b6 rolename logon fwdmode 1 derivation_type Initial Role Contained vp not present.
    Apr 17 13:33:21 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 00:1d:72:96:55:b6 vlan 0 derivation_type Reset Role Based VLANs index 3.
    Apr 17 13:33:21 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0x1064755c
    Apr 17 13:33:21 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 00:1d:72:96:55:b6 vlan 1 fwdmode 1 derivation_type Current VLAN updated.
    Apr 17 13:33:21 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 00:1d:72:96:55:b6 vlan 1 derivation_type Current VLAN updated index 4.
    Apr 17 13:33:21 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:1d:72:96:55:b6 mob 0 inform 1 remote 1 wired 1 defvlan 1 exportedvlan 0 curvlan 1.
    Apr 17 13:33:21 :522096:  <DBUG> |authmgr|  00:1d:72:96:55:b6: Sending STM new Role ACL : 1, and Vlan info: 1, action : 10, AP IP: 10.0.0.1, flags : 0 idle-timeout: 300
    Apr 17 13:33:21 :522144:  <DBUG> |authmgr|  L2 entry updated from RAP:10.0.0.1, Wired user IP:0.0.0.0, MAC : 00:1d:72:96:55:b6, VLAN:1, BSSID:d8:c7:c8:c0:9c:dd.
    Apr 17 13:33:23 :522145:  <DBUG> |authmgr|  handle_rap_bridge_user(): Entered. MAC:00:1d:72:96:55:b6, IP:172.22.30.53, apName:d8:c7:c8:c0:9c:dc action:2 aclnum:1.
    Apr 17 13:33:23 :522056:  <DBUG> |authmgr|  Removing existing AP-Bridge-Wired user IP:0.0.0.0 on AP: d8:c7:c8:c0:9c:dc Wired port:0x0
    Apr 17 13:33:23 :522015:  <INFO> |authmgr|  MAC=00:1d:72:96:55:b6 IP=0.0.0.0 Remove Bridge Entry
    Apr 17 13:33:23 :522134:  <DBUG> |authmgr|  user_rem_bridge_entry: deleting bridge entry for vlan 1 assigned_vlan 1.
    Apr 17 13:33:23 :522156:  <DBUG> |authmgr|  Deleting AP Wired User (split/bridge) 00:1d:72:96:55:b6 from STM stats tree.
    Apr 17 13:33:23 :522152:  <DBUG> |authmgr|  station free: bssid=01:80:c2:00:00:03, @=0x0x1064b224.
    Apr 17 13:33:23 :522154:  <DBUG> |authmgr|  Deleting AP Wired User (fw_mode 1) 00:1d:72:96:55:b6 from STM stats tree.
    Apr 17 13:33:23 :522051:  <INFO> |authmgr|  MAC=00:1d:72:96:55:b6 Clear Bridge Entry
    Apr 17 13:33:23 :522098:  <DBUG> |authmgr|  clear_bridge_entry_by_mac: clearing bridge entries for MAC 00:1d:72:96:55:b6
    Apr 17 13:33:23 :522265:  <DBUG> |authmgr|  "MAC:00:1d:72:96:55:b6: Deallocating UUID: 3.
    Apr 17 13:33:23 :522057:  <DBUG> |authmgr|  adding AP-Bridge-Wired station (00:1d:72:96:55:b6)
    Apr 17 13:33:23 :522264:  <DBUG> |authmgr|  "MAC:00:1d:72:96:55:b6: Allocating UUID: 4.
    Apr 17 13:33:23 :522157:  <INFO> |authmgr|  Update wired bridge-mode user: username= MAC=00:1d:72:96:55:b6 IP=172.22.30.53 AP=d8:c7:c8:c0:9c:dc aclnum=1.
    Apr 17 13:33:23 :522061:  <DBUG> |authmgr|  AP-Bridge-Wired User: mac:00:1d:72:96:55:b6 dot1x-enabled:0
    Apr 17 13:33:23 :522064:  <DBUG> |authmgr|  AP-Bridge station: mac:00:1d:72:96:55:b6 DeviceType Classification is set in aaa-profile
    
    (Aruba6000) (config) #



  • 16.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 12:56 AM

    Thanks for the update. Could you please check the license limit on the controller.

    Apr 17 13:33:21 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3092
    Apr 17 13:33:21 :124091:  <DBUG> |authmgr|  station_check_license_limits: mac 00:1d:72:96:55:b6  encr-algo:1.

    Thank you.



  • 17.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 01:06 AM

    I use evaluation licenses for "ap", "PEFNG" and "RFP".

    I use them to evaluate 1 AP and 2 client devices only.

    (Aruba6000) #show license
    
    Thu Apr 17 14:00:38 2014
    
    
    
    License Table
    -------------
    Key                                               Installed    Expires     Flags  Service Type
    ---                                               ---------    -------     -----  ------------
    lWxeY8AI-wRHEfKDf-26XGGhql-V/tMVkPQ-RjReUUv/-JH4  2014-04-16   2014-05-16   E     Access Points: 2048
                                                      19:59:28[2]  19:59:28
    kFBtgRlO-vFghynPd-b0PymRFl-i9i1BvYk-2DBLPTp4-8CI  2014-04-16   2014-05-16   E     Next Generation Policy Enforcement Firewall Module: 2048
                                                      19:59:44[2]  19:59:44
    7c3BMdb/-G22GeCwt-itQJaVth-YW7JMuRK-6Zr713mN-s6U  2014-04-16   2014-05-16   E     RF Protect: 2048
                                                      19:59:54[2]  19:59:54
    
    License Entries: 3
    
    Flags: A - auto-generated; E - enabled; R - reboot required to activate
    
    (Aruba6000) #show license limits
    
    Thu Apr 17 14:00:51 2014
    
    
    
    License Limits
    --------------
    Limit  Value
    -----  -----
    2048   Access Points
    2048   RF Protect
    0      xSec Module
    0      120abg Upgrade
    0      121abg Upgrade
    0      124abg Upgrade
    0      125abg Upgrade
    2048   Next Generation Policy Enforcement Firewall Module
    0      Advanced Cryptography
    0      Service provider AP
    
    (Aruba6000) #show license-usage ap
    
    Thu Apr 17 14:01:37 2014
    
    
    
    AP Licenses
    -----------
    Type                      Number
    ----                      ------
    AP Licenses               2048
    RF Protect Licenses       2048
    PEF Licenses              2048
    Overall AP License Limit  2048
    
    AP Usage
    --------
    Type             Count
    ----             -----
    Active CAPs      0
    Standby CAPs     0
    RAPs             1
    Remote-node APs  0
    Tunneled nodes   0
    Total APs        1
    
    Remaining AP Capacity
    ---------------------
    Type  Number
    ----  ------
    CAPs  511
    RAPs  2047
    
    (Aruba6000) #

    Thank you.



  • 18.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 01:35 AM

    Thanks for the confirmation. We have a good amount of licenses, which indicates this is not a license issue.

    Also, could you please post the output of show ap wired-ap-profile <profile name which you are using>

    I am just wondering, since this is bridge mode, all the traffic will be local and the ACL is applied on the AP datapath and not on the controller.

    Could we try the below.

    Create the user-role like below:

    config t
    user-role rap-bridge
    
    config t
    ip access-list session rap-bridge
    any any svc-dhcp permit
    user any any route src-nat ----- this will route all the traffic locally through the AP datapath.
    
    config t
    user-role rap-bridge
    session-acl rap-bridge
    write mem
    
    config t
    aaa profile <profile name in this case mac-auth>
    initial role rap-bridge
    wr m

    See if it works when you try again; if this doesn't work, please let me know if I can have your email address so that we could have a remote session.

    Thank you.



  • 19.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 02:04 AM

    Thank you for your information, but the status is not changed.

    That means the client device is not authenticated.



  • 20.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 02:09 AM

    Can I have your email address so that we could have a remote session to have a look at this?

    Thanks!



  • 21.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 02:15 AM

    Yes, please.

    But today I will go to our customer's office soon.

    So please do it after tomorrow, if you connect to our controller via remote session.

    I'm in Japan, therefore the timezone is JST (UTC+9).



  • 22.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 02:20 AM

    Sure. Could you please share the output of "show ap wired-ap-profile default " from controller?



  • 23.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 02:26 AM

    OK.

    (Aruba6000) #show ap wired-ap-profile default
    
    Thu Apr 17 15:25:09 2014
    
    
    
    Wired AP profile "default"
    --------------------------
    Parameter                 Value
    ---------                 -----
    Wired AP enable           Enabled
    Trusted                   Not Trusted
    Forward mode              bridge
    Switchport mode           access
    Access mode VLAN          1
    Trunk mode native VLAN    1
    Trunk mode allowed VLANs  1-4094
    Broadcast                 Do not Broadcast



  • 24.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 03:06 AM

    Please enable broadcast as well. It looks like there is some restriction here on using MAC auth in bridge mode, which may not work since in bridge mode there is no tunnel between AP and controller and traffic is going to be local (route src-nat locally). Also you can't do wired dot1x in bridge mode, and captive portal is also not supported.

    The best option could be to configure them on split-tunnel, put the DHCP on the controller, allow whatever traffic you need to the controller and pass the rest of the traffic route src-nat locally. Find the links below, which would give more info about bridge mode.

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/RAP-Bridge-mode-with-Always-operational-Mode/m-p/80876/highlight/true#M14667

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/tunnel-Authentication-traffic-bridge-the-other-traffics-split/m-p/67240/highlight/true#M3716

    Keep in mind any traffic "permit" goes back to the controller and any "route src-nat" traffic will be local.

    On split-tunnel you can do MAC/dot1x and captive portal authentication.

    Hope this clarifies. Thank you.



  • 25.  RE: Can we use Mac Auth on Bridge RAP wired port?
    Best Answer

    Posted Apr 17, 2014 05:04 AM

    I configured broadcast as enabled before, as you can find in the log in this thread.

    I'm sorry, I can't understand your explanation well.

    So, we cannot use MAC authentication with wired-bridge RAP mode.

    Does that make sense?

    And it is the specification. Right?

    We can use mac-auth on a wired RAP when we use split-tunnel mode or tunnel mode.

    Is this right?



  • 26.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 11:53 AM
    Yes, MAC auth is not supported for wired bridge mode. The reason behind it is that in bridge mode all traffic from the client to the AP is local and no traffic will be able to tunnel back to the controller.

    Yes. Split-tunnel or tunnel mode will work with MAC authentication.

    Thank you.



  • 27.  RE: Can we use Mac Auth on Bridge RAP wired port?

    Posted Apr 17, 2014 09:26 PM

    Thank you for your cooperation!