Wireless Access

Hi all,

I have a problem with an Open SSID. After authenticated, my client always get "authenticated user role" even though AAA  profile is correct.

Any one can help me fix this issue?

Many Thanks for help.

You should type "show user ip <ip address of user>" to see how it got its role.

---

@cjosephwrote:

You should type "show user ip <ip address of user>" to see how it got its role.

---

Hi Colin,

The output show role is authenticated, but i don't know how my client receive that role.  I've already used "show reference" for that role and i see that none of my AAA profile in used.

Anyway, i'm very appreciate for your help.

Attachment(s)

Show user ip.txt   5 KB 1 version

Mac authentication from a Radius VSA:

Authentication: Yes, status: started, method: MAC, protocol: PAP, server: NSRP-Clearpass
Role Derivation: ROLE_DERIVATION_MBA_VSA
VLAN Derivation: MBA MSFT Attributes
mac auth server: NSRP-Clearpass, dot1x auth server: N/A

Hi Colin,

So, client get wrong role possible cause by policy on AAA server ?

I am treating leg injuries so i can't check it now :). I will check it as soon as possible then report to you the result.
Many thanks for help. 

The client got its role as the result of mac authentication.

If you are sending an Aruba-User-Role attribute back in your mac authentication response from your radius server, that is what is changing the role.

Hi Colin,

You're right, my client get its role as the result of an attribute on clearpass. I've already removed it.

Thank for your support.