Wireless Access

Frequent Contributor I

Client don't go to auth role

Hello, all!

 

Controller 620.

Soft 6.4.2.2

SSID with WPA2-personal auth.

 

Customer complains that a few times a day, IPTV disappears on the TV (Wi-Fi client).

The client debug shows a strange situation - as if the client receives an IP, takes the logon role and that's all; it doesn't receive the auth role.

And so it cycles every 5 minutes (default timer).

Attached: #show log user-debug all | include <MAC of TV>

 

Is there any advice?

 

Thank you!

Re: Client don't go to auth role

Do you have PEF licenses on your controller?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: Client don't go to auth role

No.

 

Thank you!

Re: Client don't go to auth role

That's the reason. In order for you to apply another user-role you need a PEF license (enables firewall capabilities on the controller); otherwise you will get the logon role, but everything should be allowed since there are no firewall capabilities enabled.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I

Re: Client don't go to auth role

OK

1. Which role does an authenticated client take?

As I understand it, the client connects, receives an IP and takes the logon role.

After successful authentication (in my case WPA2-personal) the client has to take the authenticated role.

Or not?

 

And this functionality has to work without the firewall license. The firewall license can only give me the possibility to create new user roles, which I want (if we are talking about roles).

2. In other words - you mean that the client has the same role, logon, before and after authentication?

So what is the reason for WPA2 security? )))

3. Other clients work fine.

 

Thank you!

MVP

Re: Client don't go to auth role

First off, WPA2-personal (=WPA2-PSK) isn't really authentication. (Even after the device has associated you have no idea who has associated, since every connected device uses the same passphrase.)

 

When the user connects using the correct passphrase, he ends up in the "initial role", which is defined in the aaa-profile.

You have this initial role set to the logon user-role. This role does indeed have a limited lifetime, after which the association process starts again. If you change this initial role to guest (instead of logon) you get the same rights (no PEF means everything is allowed) but without the reconnect every 10 minutes.

 

With WPA2-PSK this initial role is the only role ever applied to a client. If a user tries to connect without having the correct passphrase, he is denied access altogether and receives no role or IP address at all.

 

WPA2 (WPA2-enterprise) is different from this, as it requires a username and password instead of a passphrase and does end up in the "802.1X Authentication Default Role" after authenticating (with a basic config not enforcing machine authentication). If authentication fails, he doesn't receive any role or IP address.

 

All the above is possible without PEF license installed on the system.

 

Without PEF license any and all user-roles allow everything.

With a PEF license installed you can create new rules and configure any rule to allow or disallow whatever you like.

 

 

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
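As an added illustration of the aaa-profile change Koen describes (this is not configuration from the thread or from Aruba), the weak setting sits beside the corrected one, with the 802.1X role shown for contrast. The profile names and the "authenticated" role name are hypothetical; the 802.1X profile assumes a dot1x server group is configured elsewhere.

```text
! Before: initial role left at "logon". With WPA2-PSK this is the only role
! the client ever receives, and the logon role has a limited lifetime, so the
! TV is forced to re-associate each time it expires (the periodic IPTV drop).
aaa profile "iptv-psk-before"
   initial-role "logon"

! After: initial role set to "guest". Same effective rights (without a PEF
! license every user-role permits all traffic), but no periodic re-association.
aaa profile "iptv-psk-after"
   initial-role "guest"

! Contrast: on an 802.1X (WPA2-enterprise) SSID the post-authentication role
! is set separately; initial-role only applies until authentication completes.
aaa profile "corp-dot1x"
   initial-role "logon"
   authentication-dot1x "default"
   dot1x-default-role "authenticated"

! Verify the profile and confirm which role the TV lands in after the change
show aaa profile "iptv-psk-after"
show user-table | include <MAC of TV>
```

After applying the change, the user-table entry for the TV should stay in the guest role rather than being re-created every few minutes.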
Frequent Contributor I

Re: Client don't go to auth role

So if I change the authenticated role to GUEST (in AAA profiles) - I'll be happy, without any issues?

 

Thank you!

 

MVP

Re: Client don't go to auth role

No, if you are using WPA2-personal you need to change the initial role to guest.

Koen (ACMX #351 | ACDX #547 | ACCP)

Frequent Contributor I

Re: Client don't go to auth role

Thank you for your help!

Put the initial role to GUEST.

Watching the behavior.

 

The main question is: why do we need to do some workaround if the Customer is buying a complete solution (the firewall license is simply an extension of functional capabilities)? So without the firewall license this solution has to work normally. But it has some issues, like the 5-minute reconnect...

MVP

Re: Client don't go to auth role

You do not need a workaround. You need the correct configuration. Whether you have or haven't got a PEF license doesn't change that.

 

The logon role is intended for logons. And for logons it is a good idea to have users reassociate. A user shouldn't be stuck in a logon role for a long time. Hence, if he is, force a re-association to see if that fixes the (possible) issue.

Koen (ACMX #351 | ACDX #547 | ACCP)
