don
Contributor I

Multi user type authentication

I'm trying to set up user auth on one of my S3500 wired ports and I must be missing something.

I tested without applying the aaa profile to the interface to verify that DHCP is working.  

With the below configuration, and the aaa profile applied to the port, I do not even get an authentication window (using a MacBook Pro).

!
! Logon role ACL
!
ip access-list stateless logon-control-stateless
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
!
! Authenticated "dorm-wired" user role ACL
!
ip access-list stateless allowall-stateless
any any any permit

!
! My authenticated user, placed on vlan 2
!
user-role dorm-wired
vlan 2
access-list stateless allowall-stateless

!
! My default role user, placed on vlan 3
!
user-role Post-Auth-Default
vlan 3
access-list stateless logon-control-stateless

!
! My logon role, limited access
!
user-role logon
access-list stateless logon-control-stateless

!
! My dot1x profile, using the internal database for testing purposes
!
aaa authentication dot1x "wired-dorm"
termination enable

!
! My server-group, internal database
!
aaa server-group "auth-internal"
auth-server Internal
set role condition role value-of

!
! My aaa profile
!
aaa profile "dorm-wired"
authentication-dot1x "wired-dorm"
dot1x-default-role "Post-Auth-Default"
dot1x-server-group "auth-internal"

!
! Applied to the client interface, switchport mode is access
!
interface gigabitethernet "0/0/5"
aaa-profile "dorm-wired"
switching-profile "client"

Aruba Employee

Re: Multi user type authentication

The complete configuration is not pasted. For the configuration of interface g0/0/5, do you have "no trusted port"? It will put the port in untrusted mode and aaa will kick in.

Note: I guess you want to put non-authenticated users in role "dorm-wired". If this is the case, the "initial role dorm-wired" needs to be added to the aaa profile, otherwise the "default" role will be used.

Aruba Employee

Re: Multi user type authentication

Yes, trusted port can most likely be the issue here. Also, to be sure, once the port is untrusted, if you are using local-userdb can you run "aaa user delete all" and "clear mac-address-table"? It is also a good idea to disable/enable the interface on the MacBook.

If that still does not help, it would be great if we can get the output of "show log user", "show dot1x supplicant-info" and "show auth-tracebuf" with complete configs for further debugging.

--

Thanks

ATM

don
Contributor I

Re: Multi user type authentication

Abhinethra and Gcui, thanks, setting the port untrusted did the trick.
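Pulling the thread's fix together as an added example (this is not configuration from any of the posts above): the interface stanza as originally posted, where the port stays trusted and the aaa profile is never consulted, beside the same stanza with "no trusted port", plus the explicit pre-authentication role the first reply mentions. Using the poster's restricted "logon" role as that initial role is an assumption taken from the comments in the posted config, and the verification commands are the ones named in the thread plus "show user-table".

```text
!
! Before: port left trusted, so dot1x never runs and the
! MacBook gets no authentication prompt
!
interface gigabitethernet "0/0/5"
  aaa-profile "dorm-wired"
  switching-profile "client"

!
! After: untrusted port, the aaa profile is applied on link-up
!
interface gigabitethernet "0/0/5"
  aaa-profile "dorm-wired"
  switching-profile "client"
  no trusted port

!
! aaa profile with an explicit pre-authentication role.
! Assumption: the poster's limited "logon" role is the intended
! pre-auth role; without initial-role the switch falls back to
! its "default" role, as the first reply notes.
!
aaa profile "dorm-wired"
  initial-role "logon"
  authentication-dot1x "wired-dorm"
  dot1x-default-role "Post-Auth-Default"
  dot1x-server-group "auth-internal"

!
! Verify after bouncing the client interface:
!   show user-table        (client should land in role dorm-wired
!                           via the "set role condition" rule)
!   show auth-tracebuf     (EAP exchange against auth-server Internal)
!   show log user          (role assignment and any failure reason)
!
```

If the client still ends up in "Post-Auth-Default", the internal database entry lacks the role value that the server-group rule copies, so check the user record before touching the port again.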
