Wireless Access

Reply
Aruba Employee
Posts: 27
Registered: ‎04-24-2013

MAC filtering not working.

I'm running a 650 controller with OS 6.2.1.1

 

I have multiple Virtual AP's running different SSID's, on multiple VLAN's. One VLAN assigned per VAP. If I leave the MAC Authentication Profile blank in the test AAA profile for the test SSID I get an IP from the correct VLAN (from a windows server DHCP server). If I apply a MAC auth profile in the hopes of it checking against the Internal DB for a listed MAC address it attaches to the SSID but not on the right network.....

 

I went through https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126 to no avail. 

 

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: MAC filtering not working.

In the AAA profile, there is a MAC Authentication Default Role. Is there a
VLAN assigned to the user role that is selected there?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 27
Registered: ‎04-24-2013

Re: MAC filtering not working.

I checked and it was assigned a MAC Authentication Default Role that had no VLAN assigned to the role. I created a new "test" role, added appropriate firewall rules, and assigned the proper VLAN to it. Still no dice. 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: MAC filtering not working.

When you apply the MAC auth profile and the client connects (but on the wrong VLAN), can you run the following command and note the role the user is in, the Authentication status, the VLAN Derivation and the role Derivation.

 

show user ip <ip of user>

 

Name: , IP: 192.168.13.154, MAC: 00:24:d7:1c:c2:c8, Role:authenticated, ACL:60/0, Age: 00:04:56
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 13, Assigned: 0, Current: 13 vlan-how: 0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x108b (tunnel 11)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: authenticated role-how: 10
Essid: home, Bssid: 00:24:6c:bf:61:40 AP name/group: basement-125/home-aps Phy-type: g-HT
RadAcct sessionID:n/a
RadAcct Traffic In 116843/11533866 Out 174910/86422626 (1:51307/0:0:175:65066,2:43838/0:0:1318:46178)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:home-aaa, dot1x:default-psk, mac: CP: def-role:'authenticated' sip-role:'' via-auth-profile:''
ncfg flags udr 1, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Core User Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 192.168.13.154, from DHCP server 0.0.0.0
Device Type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/6.0; .NET4.0E; .NET4.0C; InfoPath.3; .NET CLR 3.5.30729;

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba Employee
Posts: 27
Registered: ‎04-24-2013

Re: MAC filtering not working.

Wow great information. It seems that the mac authentication is in fact working, but there is a lag between enabling the internal DB profile and when it takes effect, and an even longer lag between disabling or deleting a internal DB entry, and when the device is booted from the network.

 

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: MAC filtering not working.

I am not sure what you are seeing are delays, but rather just a result of the idle timeout set for the user table.  Before doing the test each time; run the following from the CLI; then run your tests again to see if you get the results you are expecting.   Doing this will purge the entry from the user table ensuring you have the proper profile processing take place.

 

aaa user delete x.x.x.x

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
Showing results for 
Search instead for 
Did you mean: