Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multi user type authentication

  • 1.  Multi user type authentication

    Posted Apr 09, 2012 03:55 PM

    I'm trying to set up user auth on one of my S3500 wired ports and I must be missing something.

    I tested without applying the aaa profile to the interface to verify that DHCP is working.

    With the below configuration, and the aaa profile applied to the port, I do not even get an authentication window (using a MacBook Pro).

    !
    ! Logon role ACL
    !
    ip access-list stateless logon-control-stateless
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit

    !
    ! Authenticated "dorm-wired" user role ACL
    !
    ip access-list stateless allowall-stateless
    any any any permit

    !
    ! My authenticated user, placed on vlan 2
    !
    user-role dorm-wired
    vlan 2
    access-list stateless allowall-stateless

    !
    ! My default role user, placed on vlan 3
    !
    user-role Post-Auth-Default
    vlan 3
    access-list stateless logon-control-stateless

    !
    ! My logon role, limited access
    !
    user-role logon
    access-list stateless logon-control-stateless

    !
    ! My dot1x profile, using the internal database for testing purposes
    !
    aaa authentication dot1x "wired-dorm"
    termination enable

    !
    ! My server-group, internal database
    !
    aaa server-group "auth-internal"
    auth-server Internal
    set role condition role value-of

    !
    ! My aaa profile
    !
    aaa profile "dorm-wired"
    authentication-dot1x "wired-dorm"
    dot1x-default-role "Post-Auth-Default"
    dot1x-server-group "auth-internal"

    !
    ! Applied to the client interface, switchport mode is access
    !
    interface gigabitethernet "0/0/5"
    aaa-profile "dorm-wired"
    switching-profile "client"


  • 2.  RE: Multi user type authentication

    Posted Apr 10, 2012 05:08 PM

    The complete configuration is not pasted. For the configuration of interface g0/0/5,
    do you have "no trusted port"? It will put the port in untrusted mode and aaa will kick in.

    Note: I guess you want to put non-authenticated users in role "dorm-wired"; if this is the case,
    the "initial role dorm-wired" needs to be added to the aaa profile, otherwise the "default" role will be used.



  • 3.  RE: Multi user type authentication
    Best Answer

    Posted Apr 10, 2012 06:47 PM

    Yes, trusted port can most likely be the issue here. Also, to be sure, once the port is untrusted, if you are using local-userdb can you run "aaa user delete all" and "clear mac-address-table". It is also a good idea to disable/enable the interface on the MacBook.

    If that still does not help, it would be great if we can get the output of "show log user", "show dot1x supplicant-info" and "show auth-tracebuf" with complete configs for further debugging.

    --

    Thanks

    ATM



  • 4.  RE: Multi user type authentication

    Posted Apr 11, 2012 09:54 AM

    Abhinethra and Gcui, thanks, setting the port untrusted did the trick.
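The thread's root cause is easy to miss by eye: an aaa-profile bound to an interface does nothing while the port is still trusted, and an aaa profile with no initial-role leaves pre-auth clients in whatever the platform default is. As an added example, not code from this thread or from HPE Aruba Networking, the following Python lint pass parses an unindented ArubaOS-style config like the one pasted above and reports both gaps, plus dangling references between the aaa profile, dot1x profile, server group and roles. The stanza keyword list, the sample config (constructed from the original post and trimmed) and the choice of `initial-role logon` in the fixed variant are assumptions made for the example.

```python
"""Lint an ArubaOS-style CLI config for the gaps discussed in the thread.

Assumptions (example code, not Aruba's): stanza headers are the keywords in
STANZA_PREFIXES, body lines belong to the most recent header, and '!' lines
are comments. The sample configs below are constructed from the original post.
"""
import re
from typing import Dict, List, Set, Tuple

STANZA_PREFIXES = (
    "interface ",
    "aaa profile",
    "aaa authentication dot1x",
    "aaa server-group",
    "user-role ",
    "ip access-list",
)

Stanza = Tuple[str, List[str]]


def parse_stanzas(config: str) -> List[Stanza]:
    """Split config into (header, body lines); comments and blanks are skipped."""
    stanzas: List[Stanza] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(STANZA_PREFIXES):
            stanzas.append((line, []))
        elif stanzas:
            stanzas[-1][1].append(line)
    return stanzas


def stanza_name(header: str) -> str:
    """Name the header declares: the quoted string if present, else the last token."""
    match = re.search(r'"([^"]*)"', header)
    return match.group(1) if match else header.split()[-1]


def keyed(body: List[str]) -> Dict[str, str]:
    """Map 'keyword value' body lines to {keyword: value} with quotes stripped."""
    out: Dict[str, str] = {}
    for line in body:
        key, _, value = line.partition(" ")
        out[key] = value.strip().strip('"')
    return out


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    stanzas = parse_stanzas(config)

    def names(prefix: str) -> Set[str]:
        return {stanza_name(h) for h, _ in stanzas if h.startswith(prefix)}

    roles, dot1x_profiles = names("user-role "), names("aaa authentication dot1x")
    server_groups, aaa_profiles = names("aaa server-group"), names("aaa profile")
    findings: List[str] = []

    for header, body in stanzas:
        if header.startswith("aaa profile"):
            name, kv = stanza_name(header), keyed(body)
            if "initial-role" not in kv:
                findings.append(f'aaa profile "{name}": no initial-role, pre-auth clients get the platform default role')
            # Every object the profile points at must exist somewhere in the config.
            for key, known, what in (
                ("authentication-dot1x", dot1x_profiles, "dot1x profile"),
                ("dot1x-server-group", server_groups, "server group"),
                ("dot1x-default-role", roles, "user role"),
                ("initial-role", roles, "user role"),
            ):
                if key in kv and kv[key] not in known:
                    findings.append(f'aaa profile "{name}": {key} references unknown {what} "{kv[key]}"')
        elif header.startswith("interface "):
            kv = keyed(body)
            if "aaa-profile" not in kv:
                continue  # no authentication bound to this port, nothing to check
            prof = kv["aaa-profile"]
            if prof not in aaa_profiles:
                findings.append(f'{header}: aaa-profile "{prof}" is not defined')
            # The thread's root cause: aaa is only consulted on an untrusted port.
            if "no trusted port" not in body:
                findings.append(f'{header}: aaa-profile set but port is still trusted (missing "no trusted port")')
    return findings


# Constructed from the original post, trimmed to the stanzas the checks touch.
BEFORE = """
ip access-list stateless logon-control-stateless
any any svc-dhcp permit
user-role dorm-wired
vlan 2
user-role Post-Auth-Default
vlan 3
user-role logon
access-list stateless logon-control-stateless
aaa authentication dot1x "wired-dorm"
termination enable
aaa server-group "auth-internal"
auth-server Internal
aaa profile "dorm-wired"
authentication-dot1x "wired-dorm"
dot1x-default-role "Post-Auth-Default"
dot1x-server-group "auth-internal"
interface gigabitethernet "0/0/5"
aaa-profile "dorm-wired"
switching-profile "client"
"""

# Same config with the two lines the replies point at (initial-role value is an assumption).
AFTER = BEFORE.replace(
    'dot1x-server-group "auth-internal"',
    'dot1x-server-group "auth-internal"\ninitial-role logon',
).replace(
    'switching-profile "client"',
    'switching-profile "client"\nno trusted port',
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg) or ["clean"])
```

Run stand-alone it reports the two findings for the pasted config and none for the fixed variant; pointing `lint` at a `show running-config` dump works the same way as long as the stanza keywords match the ones listed.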