Wireless Access

Contributor II
Posts: 37
Registered: ‎07-05-2012

Can we use Mac Auth on Bridge RAP wired port?

Hi guys,

 

Can we use MAC authentication on a Bridge mode RAP wired port (Secure Jack)?
I tested this topology in my lab, but I couldn't get the authentication to succeed.

Is this a limitation?

If we can use that topology, please let me know how to configure it.

 

Regards,

Kosuke

kosuke
ACMP
MVP
Posts: 4,236
Registered: ‎07-20-2011

Re: Can we use Mac Auth on Bridge RAP wired port?

Yes.

Just define it in the aaa profile of the port config
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 37
Registered: ‎07-05-2012

Re: Can we use Mac Auth on Bridge RAP wired port?

Hi Victor,

 

Thank you for your comment.

 

I configured the following settings on our controller.

(Aruba6000) #show ap-group default

AP group "default"
------------------
Parameter                                Value
---------                                -----
Virtual AP                               byod-vap_prof
802.11a radio profile                    default
802.11g radio profile                    default
Ethernet interface 0 port configuration  default
Ethernet interface 1 port configuration  test
Ethernet interface 2 port configuration  test
Ethernet interface 3 port configuration  test
Ethernet interface 4 port configuration  test
AP system profile                        default
VoIP Call Admission Control profile      default
802.11a Traffic Management profile       N/A
802.11g Traffic Management profile       N/A
Regulatory Domain profile                default
RF Optimization profile                  default
RF Event Thresholds profile              default
IDS profile                              default
Mesh Radio profile                       default
Mesh Cluster profile                     N/A
Provisioning profile                     N/A
AP authorization profile                 N/A

(Aruba6000) #show ap wired-port-profile test

AP wired port profile "test"
----------------------------
Parameter                                   Value
---------                                   -----
Wired AP profile                            default
Ethernet interface link profile             default
AP LLDP profile                             default
Shut down                                   No
Remote-AP Backup                            Disabled
AAA Profile                                 mac-auth
Bridge Role                                 authenticated
Time to wait for authentication to succeed  20 sec
Spanning Tree                               Disabled

(Aruba6000) #show aaa profile mac-auth

AAA Profile "mac-auth"
----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          default
MAC Authentication Default Role     guest
MAC Authentication Server Group     byod_srvgrp-iae73
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
User idle timeout                   N/A
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled

(Aruba6000) #

 

But the function does not work well.

It seems that no authentication packet is sent to the RADIUS server via the controller.

kosuke
ACMP
Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Can we use Mac Auth on Bridge RAP wired port?

I guess we are doing MAC auth against a RADIUS server, in this case maybe ClearPass, to pass the client authentication.

Can we do debugging or a pcap on the RADIUS server to see whether any RADIUS request is coming in to CPPM from the controller or not?

We need to understand whether the controller sends out a RADIUS request at all, or whether ClearPass receives it and rejects the client auth for some specific reason.

Thank you.


Contributor II
Posts: 37
Registered: ‎07-05-2012

Re: Can we use Mac Auth on Bridge RAP wired port?

Hi Sriram,

Thank you for your comment.

Our environment uses a RADIUS server (not CPPM): Windows Server 2008 NPS.

I think the controller or AP did not send a RADIUS packet to the RADIUS server.

The RADIUS server received a RADIUS request when we accessed via wireless.

But the RADIUS server did not receive a RADIUS request when we accessed via wired.

It is the same AP and controller.

 

 

(Aruba6000) #show ap active 

Thu Apr 17 10:13:44 2014



Active AP Table
---------------
Name               Group    IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime   Outer IP
----               -----    ----------  -----------  -------------------  -----------  -------------------  -------  -----  ------   --------
d8:c7:c8:c0:9c:dc  default  10.0.0.1    0            AP:HT:6/21/21        0            AP:HT:116+/18/21     135      RE2a   34m:47s  172.22.4.127

Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
       A = Enet1 in active/standby mode;  B = Battery Boost On; C = Cellular;
       D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
       H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
       N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
       S = AP connected as standby; X = Maintenance Mode; 
       a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP; 
       r = 802.11r Enabled

Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:1

(Aruba6000) #show user

Thu Apr 17 10:13:55 2014



Users
-----
    IP           MAC       Name   Role  Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name
----------  ------------  ------  ----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------

User Entries: 0/0
 Curr/**bleep** Alloc:2/2 Free:0/0 Dyn:2 AllocErr:0 FreeErr:0

(Aruba6000) #show auth-tracebuf 

Thu Apr 17 10:14:00 2014



Auth Trace Buffer
-----------------
                                                                       
                                                                       
Apr 17 10:13:04  ap-up                  *     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *     d8:c7:c8:89:cd:c0  -  -  open system

(Aruba6000) #show user

Thu Apr 17 10:14:44 2014



Users
-----
    IP             MAC            Name         Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming             Essid/Bssid/Phy              Profile   Forward mode  Type  Host Name
----------    ------------       ------        ----      ----------  ----  --------  -------            -------             ---------------              -------   ------------  ----  ---------
172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest     00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)  byod/d8:c7:c8:89:cd:c0/g-HT  mac-auth  bridge              MacBook-4

User Entries: 1/1
 Curr/**bleep** Alloc:3/3 Free:0/0 Dyn:3 AllocErr:0 FreeErr:0

(Aruba6000) #show auth-tracebuf 

Thu Apr 17 10:14:48 2014



Auth Trace Buffer
-----------------
                                                                                       
                                                                                       
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  

(Aruba6000) #
(Aruba6000) #show user 

Thu Apr 17 10:15:16 2014



Users
-----
    IP             MAC            Name         Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming             Essid/Bssid/Phy              Profile   Forward mode  Type  Host Name
----------    ------------       ------        ----      ----------  ----  --------  -------            -------             ---------------              -------   ------------  ----  ---------
172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest     00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)  byod/d8:c7:c8:89:cd:c0/g-HT  mac-auth  bridge              MacBook-4
172.22.30.53  00:1d:72:96:55:b6                logon     00:00:00                    d8:c7:c8:c0:9c:dc  Wired(Remote)       10.0.0.1:0/1                 mac-auth  bridge              

User Entries: 2/2
 Curr/**bleep** Alloc:4/5 Free:0/1 Dyn:4 AllocErr:0 FreeErr:0

(Aruba6000) #show auth-tracebuf 

Thu Apr 17 10:15:22 2014



Auth Trace Buffer
-----------------
                                                                                       
                                                                                       
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  

(Aruba6000) #
(Aruba6000) #show auth-tracebuf 

Thu Apr 17 10:16:01 2014



Auth Trace Buffer
-----------------
                                                                                       
                                                                                       
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  

(Aruba6000) #
(Aruba6000) #show auth-tracebuf 

Thu Apr 17 10:19:25 2014



Auth Trace Buffer
-----------------
                                                                                       
                                                                                       
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:d0  -  -  open system
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -  

(Aruba6000) #

 

Thanks,

kosuke
ACMP
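Sriram's question, whether the controller ever sends a RADIUS request, can be answered from the two controller outputs above without touching the server. The following Python script is an added example, not part of this thread or of ArubaOS: it parses the quoted "show user" table (constructed sample, cut after the Roaming column) and the "show auth-tracebuf" lines, then flags every user entry whose MAC never appears in a mac-auth-req event. On this data the wired client sitting in the logon role is flagged and the wireless client, which has mac-auth-req and mac-auth-success, is not.

```python
import re

# Constructed sample: the 'show user' and 'show auth-tracebuf' output quoted in this
# thread, with the user table cut after the Roaming column (the parser is width-agnostic).
SHOW_USER = """\
    IP             MAC            Name         Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming
----------    ------------       ------        ----      ----------  ----  --------  -------            -------
172.22.4.148  00:1b:63:bf:12:76  001b63bf1276  guest     00:00:00    MAC             d8:c7:c8:c0:9c:dc  Associated(Remote)
172.22.30.53  00:1d:72:96:55:b6                logon     00:00:00                    d8:c7:c8:c0:9c:dc  Wired(Remote)
"""
AUTH_TRACEBUF = """\
Apr 17 10:13:04  ap-up                  *                     d8:c7:c8:89:cd:c0  -  -  open system
Apr 17 10:14:33  mac-auth-req          ->  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -
Apr 17 10:14:33  mac-auth-success      <-  00:1b:63:bf:12:76  d8:c7:c8:89:cd:c0  -  -
"""
TRACE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_table(text):
    """Parse an ArubaOS 'show' table; the dash ruler, not the header, fixes the column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    # A value can be wider than its ruler (MACs are), so slice up to the next column's start.
    starts = [s for s, _ in spans] + [None]
    return [{n: row[a:b].strip() for n, a, b in zip(names, starts, starts[1:])} for row in rows]

def trace_events(text):
    """Return (timestamp, event, client_mac) for the mac-auth-* lines of 'show auth-tracebuf'."""
    out = []
    for ln in text.splitlines():
        m = TRACE_RE.match(ln)
        if m and m.group(2).startswith("mac-auth"):
            out.append((m.group(1), m.group(2), m.group(4).lower()))
    return out

def diagnose(users, events):
    """One finding per user entry whose MAC auth the controller never started or never completed."""
    seen = {}
    for _, event, mac in events:
        seen.setdefault(mac, set()).add(event)
    findings = []
    for u in users:
        mac = u["MAC"].lower()
        evs = seen.get(mac, set())
        if "mac-auth-req" not in evs:   # no request in the trace: the controller never tried RADIUS
            findings.append((mac, u["Roaming"], u["Role"], "no mac-auth-req in trace buffer"))
        elif "mac-auth-success" not in evs:  # request sent, no success: look at the RADIUS server
            findings.append((mac, u["Roaming"], u["Role"], "mac-auth-req without mac-auth-success"))
    return findings
```

Run `diagnose(parse_table(SHOW_USER), trace_events(AUTH_TRACEBUF))` against your own pasted output; an entry with "Wired(Remote)" and no mac-auth-req is the symptom this thread describes.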
MVP
Posts: 4,236
Registered: ‎07-20-2011

Re: Can we use Mac Auth on Bridge RAP wired port?

Make sure the port config is not trusted.

And it's configured as an access port with the remote local VLAN.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 37
Registered: ‎07-05-2012

Re: Can we use Mac Auth on Bridge RAP wired port?

Hi Victor,

Thank you for your info.

Our configuration is "Not trusted" with the default VLAN (untagged).

 

(Aruba6000) # show ap wired-ap-profile default

Wired AP profile "default"
--------------------------
Parameter                 Value
---------                 -----
Wired AP enable           Enabled
Trusted                   Not Trusted
Forward mode              bridge
Switchport mode           access
Access mode VLAN          1
Trunk mode native VLAN    1
Trunk mode allowed VLANs  1-4094
Broadcast                 Broadcast

(Aruba6000) #

 

Is the MAC auth RADIUS request sent to the RADIUS server via the AP's local network?

We want the RADIUS request to be sent via the AP to the controller, because the authentication server is on the controller (data center) side.

 

Thanks,

Kosuke

kosuke
ACMP
MVP
Posts: 4,236
Registered: ‎07-20-2011

Re: Can we use Mac Auth on Bridge RAP wired port?

Try checking the broadcast option, and under aaa profile wired / default.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 37
Registered: ‎07-05-2012

Re: Can we use Mac Auth on Bridge RAP wired port?

I tried to change the broadcast option from enabled to disabled in the "Wired AP profile".

But I got this warning message.

 

(Aruba6000) (config) #ap wired-ap-profile default
(Aruba6000) (Wired AP profile "default") #no broadcast
Warning: 802.1x and Captive portal authentication is not supported in wired Bridge mode


(Aruba6000) (Wired AP profile "default") #

 

Does 802.1x include "MAC Authentication"?

kosuke
ACMP
Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Can we use Mac Auth on Bridge RAP wired port?

Disabling the broadcast option will drop the broadcast frames going through the AP tunnel all the way back to the controller, which may not help for authentication.

You may need to first try "aaa test-server" from the Diagnostics tab on the controller to see the controller vs. RADIUS communication.

Make sure the controller and RADIUS server are reachable and the keys match between them.

Look at the Event Viewer security and system logs on NPS for more info and alerts.

Thank you.
