Wireless Access

Occasional Contributor I
Posts: 7
Registered: ‎02-21-2014

Clients not getting DHCP after passing mac authentication

For one of our SSIDs we have been using 802.1x authentication. For added security, we added mac address filtering to the SSID as well. Since this, we are having random issues with DHCP not being assigned to a user, causing users to get 169.254.x.x addresses.

 

I have the AAA initial role and 802.1x role set to denyall, and mac authentication role set to logon. If I go to the client list and search for 169.254.x.x user, I can see that they have passed MAC authentication and they are assigned the logon role.

 

I also noticed that for the clients that DO get DHCP, the active connection time (i.e. age) never seems to be longer than 6 minutes or so. On top of this, if I search for a specific mac address in the client list, sometimes there will be multiple entries for that user. 

 

Any idea what could be causing this hiccup in service? We are running ArubaOS 5.0.4.1

MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Clients not getting DHCP after passing mac authentication

Did you change something under AAA-Advanced?

[Screenshot: Capture.PNG]

Please re-configure it to the default settings:

http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-show-aaa-timers/td-p/900

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/aaa-timers/td-p/7417

 

In Aruba OS UG 6.1, page 323.

There is a command in the AAA-profile called l2-auth-fail-through;

"Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication."

 

Also - why is your 802.1x role set to denyall?

 

more reading here: (might be helpful)

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Mac-Authentication-Problem/td-p/136911

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Clients not getting DHCP after passing mac authentication

 

Read this thread:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/How-to-do-two-step-authentication-MAC-based-amp-802-1x/td-p/20582

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 2
Registered: ‎04-29-2014

Re: Clients not getting DHCP after passing mac authentication

kdisc98 wrote:

Did you change something under AAA-Advanced?

[Screenshot: Capture.PNG]

Please re-configure it to the default settings:

http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-show-aaa-timers/td-p/900

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/aaa-timers/td-p/7417

 

In Aruba OS UG 6.1, page 323.

There is a command in the AAA-profile called l2-auth-fail-through;

"Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication."

 

Also - why is your 802.1x role set to denyall?

 

more reading here: (might be helpful)

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Mac-Authentication-Problem/td-p/136911

 

 


 

My AAA numbers match exactly what you have in the screenshot.

 

In regards to setting up l2-auth-fail-through, I do not want users to be able to authenticate 802.1x if mac authentication fails. A client machine needs to pass BOTH tests in order to get DHCP. Either way, I don't believe that option is available in ArubaOS 5.0

 

"Also - why is your 802.1x role set to denyall?"

I had it set to logon yesterday when nothing was working, so I tried setting it to denyall to see if that changed anything, but the same symptoms remain.

 

 

I came across someone mentioning they had DHCP problems when the initial role was set to denyall. To test this, I took off the mac authentication profile, left the initial role as denyall and set the 802.1x role to logon. With this config, I get the same DHCP issue. If I set the initial role to logon, everything works as expected.

 

If I want to implement the MAC authentication list, then leaving the initial role as logon does not work. It will let clients through after only passing 802.1x authentication.

New Contributor
Posts: 2
Registered: ‎04-29-2014

Re: Clients not getting DHCP after passing mac authentication

After talking with a technician, the first step we're trying is a config command that'll strip out duplicate entries from the user table. This change seems to be working so far. I will comment back after a little while to confirm if this fix works or not.

 

aaa user fast-age

 

Read more about it here: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/aaa-user-fast-age/td-p/78848
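
An added example, not part of the original thread: the checks described in the first post (clients stuck on 169.254.x.x while holding the logon role, several user-table entries for one MAC, short entry ages) run over an exported client list. The `mac,ip,role,age` layout and the sample rows are constructed for illustration and are not the controller's actual output format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: mac, ip, role, age in minutes.
# The column layout is an assumption, not real ArubaOS output.
SAMPLE_ROWS = """\
00:11:22:33:44:55,10.20.30.41,logon,5
00:11:22:33:44:55,169.254.17.9,logon,1
66:77:88:99:aa:bb,169.254.80.2,logon,3
cc:dd:ee:ff:00:11,10.20.30.57,logon,6
cc:dd:ee:ff:00:11,10.20.30.57,logon,2
22:33:44:55:66:77,10.20.30.60,denyall,4
"""


def parse_rows(text):
    """Parse 'mac,ip,role,age' lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, role, age = (field.strip() for field in line.split(","))
        rows.append({
            "mac": mac.lower(),
            "ip": ipaddress.ip_address(ip),
            "role": role,
            "age": int(age),
        })
    return rows


def analyze(rows, authed_role="logon"):
    """Summarize the symptoms from the thread for a parsed client list."""
    by_mac = defaultdict(list)
    for row in rows:
        by_mac[row["mac"]].append(row)
    return {
        # Passed MAC auth (holds the post-auth role) but self-assigned an address.
        "authed_no_dhcp": sorted({r["mac"] for r in rows
                                  if r["ip"].is_link_local
                                  and r["role"] == authed_role}),
        # More than one user-table entry for the same MAC.
        "duplicates": {m: len(e) for m, e in by_mac.items() if len(e) > 1},
        # Oldest entry seen; a low ceiling suggests entries are being reset.
        "max_age": max((r["age"] for r in rows), default=0),
    }
```

Running this before and after a change such as the one above gives a like-for-like count of duplicate entries and of clients without a lease.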
