Wireless Access

I'm running a 650 controller with OS 6.2.1.1

 

I have multiple Virtual AP's running different SSID's, on multiple VLAN's. One VLAN assigned per VAP. If I leave the MAC Authentication Profile blank in the test AAA profile for the test SSID I get an IP from the correct VLAN (from a windows server DHCP server). If I apply a MAC auth profile in the hopes of it checking against the Internal DB for a listed MAC address it attaches to the SSID but not on the right network.....

 

I went through https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126 to no avail. 

 

In the AAA profile, there is a MAC Authentication Default Role. Is there a
VLAN assigned to the user role that is selected there?

I checked and it was assigned a MAC Authentication Default Role that had no VLAN assigned to the role. I created a new "test" role, added appropriate firewall rules, and assigned the proper VLAN to it. Still no dice. 

When you apply the MAC auth profile and the client connects (but on the wrong VLAN), can you run the following command and note the role the user is in, the Authentication status, the VLAN Derivation and the role Derivation.

 

show user ip <ip of user>

 

Name: , IP: 192.168.13.154, MAC: 00:24:d7:1c:c2:c8, Role:authenticated, ACL:60/0, Age: 00:04:56
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 13, Assigned: 0, Current: 13 vlan-how: 0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x108b (tunnel 11)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: authenticated role-how: 10
Essid: home, Bssid: 00:24:6c:bf:61:40 AP name/group: basement-125/home-aps Phy-type: g-HT
RadAcct sessionID:n/a
RadAcct Traffic In 116843/11533866 Out 174910/86422626 (1:51307/0:0:175:65066,2:43838/0:0:1318:46178)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:home-aaa, dot1x:default-psk, mac: CP: def-role:'authenticated' sip-role:'' via-auth-profile:''
ncfg flags udr 1, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Core User Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 192.168.13.154, from DHCP server 0.0.0.0
Device Type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/6.0; .NET4.0E; .NET4.0C; InfoPath.3; .NET CLR 3.5.30729;

 

Wow great information. It seems that the mac authentication is in fact working, but there is a lag between enabling the internal DB profile and when it takes effect, and an even longer lag between disabling or deleting a internal DB entry, and when the device is booted from the network.

 

 

I am not sure what you are seeing are delays, but rather just a result of the idle timeout set for the user table.  Before doing the test each time; run the following from the CLI; then run your tests again to see if you get the results you are expecting.   Doing this will purge the entry from the user table ensuring you have the proper profile processing take place.

 

aaa user delete x.x.x.x