Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Radius and server group problem

  • 1.  Radius and server group problem

    Posted May 30, 2014 05:20 AM

    Hello!

    It's gonna be rough to explain our environment, but I'll try my best!

    In our Radius (NPS), a Windows Server 2008 R2, we got two Network Policies: NET and NET-SPC (school PC).
    The NET policy has a condition to limit to a group of users from AD with PEAP authentication method.
    The NET-SPC has a condition to limit to a group of computers from AD with certificate authentication method.

    In our Aruba (ArubaOS 6.3) we got a server group named NET-X, pointing to the radius-server, and the server rule:

    Priority: 1, Attribute: Filter-Id, Operation: equals, Operand: NET-SPC, Type: String, Action: set role, Value: NET-SPC-X, Validated: Yes

    The NET-SPC-X role has VLAN 400 (an internal network) assigned.

    In the AAA-profile of the Virtual AP NET-VAP-X, we assigned TK-NET-X to "802.1X Authentication Server Group".
    In the Virtual AP NET-VAP-X we assigned VLAN 900 for guest-access.

    So basically if you try to join the SSID "NET" with AD-credentials you should get assigned to VLAN 900 with guest-access, and if you join the SSID "NET" with a computer with a certificate you should get assigned to VLAN 400.

    But some devices (not all), both Android and HP-computers, get the NET-SPC-X role assigned, even though they got the Network Policy "NET" from the Radius-server.

    We recently migrated from four 3200 controllers (1 master and 3 local) to a redundant solution of two 7210 controllers.
    What could be the issue here?

    Best Regards,
    Johan Lång


  • 2.  RE: Radius and server group problem

    EMPLOYEE
    Posted May 30, 2014 07:21 AM

    What version of ArubaOS?




  • 3.  RE: Radius and server group problem

    Posted May 30, 2014 12:37 PM

    Also, enable client debugging for one of these problematic devices:


    Connect the device to the network, then capture the debug logs:


    This should tell us what RADIUS attributes are returned and if any server rules are applied after that would change the role.



  • 4.  RE: Radius and server group problem

    Posted May 30, 2014 03:15 PM

    @thecompnerd wrote:

    Also, enable client debugging for one of these problematic devices:


    Connect the device to the network, then capture the debug logs:


    This should tell us what RADIUS attributes are returned and if any server rules are applied after that would change the role.


    I will do this when I'm back on Monday :) thanks!



  • 5.  RE: Radius and server group problem

    Posted Jun 02, 2014 03:15 AM


    Where can I find which filter-id NPS sends to Aruba?

    The only information I find regarding NPS is these lines:

    |authmgr|  username=Johan MAC=38:aa:3c:4d:3b:ac IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RADIUS-Server

    |authmgr|  MAC=38:aa:3c:4d:3b:ac IP=?? Derived role 'NET-SPC-X' from server rules: server-group=NET-X, authentication=802.1x



  • 6.  RE: Radius and server group problem

    EMPLOYEE
    Posted Jun 02, 2014 07:16 AM

    jokohanho,


    Try this:


    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    After your user authenticates, type:

    show log security 50

    You should see messages like the last post in the thread here: http://community.arubanetworks.com/t5/Technology-Blog/Authenticating-users-with-Radius-and-Responding-with-a-Pool/ba-p/77014




  • 7.  RE: Radius and server group problem

    Posted Jun 03, 2014 01:53 AM

    After a couple of hours of troubleshooting and a lot of unexplainable bugs I updated the controllers to 6.3.1.7.

    The problem was not about the VLAN, it was about the pick of roles.

    It's working now at least :)

    Thanks a lot for your help!


    Best regards,

    Johan



  • 8.  RE: Radius and server group problem

    Posted May 30, 2014 03:13 PM

    I mentioned 6.3, but more exactly it is 6.3.1.6. 



  • 9.  RE: Radius and server group problem
    Best Answer

    EMPLOYEE
    Posted May 30, 2014 03:14 PM

    You could try upgrading to 6.3.1.7.

    There is a bug in 6.3.1.6 with VLAN not being assigned correctly when assigned in a role. Fixed in ArubaOS 6.3.1.7.



  • 10.  RE: Radius and server group problem

    Posted May 30, 2014 03:16 PM

    @cjoseph wrote:

    You could try upgrading to 6.3.1.7.

    There is a bug in 6.3.1.6 with VLAN not being assigned correctly when assigned in a role. Fixed in ArubaOS 6.3.1.7.


    Sounds like a plan :) Will do! Thanks!



  • 11.  RE: Radius and server group problem

    Posted May 31, 2014 06:48 AM

    jokohanho,

    You mention in your post that the Android and HP computers are getting assigned the wrong role, correct? Colin's upgrade suggestion is likely to help if you have VLAN assignment problems, but if the role itself is not being applied properly it could be elsewhere. Your goal is the following, correct?

    - If computer certificate authentication: hit the NET-SPC NPS policy, which returns the NET-SPC Filter-Id, and the server group rule assigns the NET-SPC-X role, which has VLAN 400 assigned within the role

    - If user authentication: hit the NET NPS policy, which returns no VSAs, and the user is assigned the default role and VLAN in the AAA and VAP profiles

    If it is only the role misapplying, then run the following to determine the role derivation source of the systems getting the wrong role.

    show user ip x.x.x.x

    Look for the Role Derivation field. If it says Aruba VSA, then the role was applied by NPS during authentication. If that was the case (should not be for your NET policy based on your initial post) review the NPS logs to ensure the proper policy is being hit for those logins.

    Example:

    Name: tom, IP: 172.16.13.10, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 63/0, Age: 00:10:47
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
    Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: Dot1x Aruba VSA Role Contained

    vs

    Name: joe, IP: 192.168.13.143, MAC: 5c:f9:38:1c:f0:c0, Role: authenticated, ACL: 61/0, Age: 01:11:26
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
    Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: default for authentication type 802.1x
    VLAN Derivation: Default VLAN
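As an added example (not code from the thread or from Aruba), here is a small Python helper that parses "show user ip" blocks like the two above and flags a Role Derivation that does not match what the NET / NET-SPC policies should produce. The per-protocol expectation table and the "server rule" wording of the Role Derivation field are assumptions; the two sample blocks are the ones from the post, trimmed.

```python
# Two "show user ip" blocks reproduced from the post above, trimmed of the
# "Authentication Servers" and "Bandwidth" lines to keep the sample short.
SAMPLE_VSA = """Name: tom, IP: 172.16.13.10, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 63/0, Age: 00:10:47
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Role Derivation: Aruba VSA
VLAN Derivation: Dot1x Aruba VSA Role Contained
"""
SAMPLE_DEFAULT = """Name: joe, IP: 192.168.13.143, MAC: 5c:f9:38:1c:f0:c0, Role: authenticated, ACL: 61/0, Age: 01:11:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN
"""

# Assumed expectation per EAP protocol for the thread's SSID: PEAP user logins
# keep the default role, EAP-TLS machine logins get NET-SPC-X via the Filter-Id rule.
EXPECTED = {"EAP-PEAP": ("default", None), "EAP-TLS": ("server-rule", "NET-SPC-X")}

def parse_show_user(text):
    """Turn one 'show user' block into a dict of its 'key: value' fields."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ("=" in line and ":" not in line):  # skips "Bandwidth = No Limit"
            continue
        # Derivation lines are free text; the other lines are comma-separated fields.
        for part in ([line] if "Derivation:" in line else line.split(", ")):
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def derivation_source(fields):
    """Classify Role Derivation: 'vsa', 'server-rule' (assumed wording), 'default' or 'other'."""
    d = fields.get("Role Derivation", "").lower()
    if "vsa" in d:
        return "vsa"
    if "server rule" in d:
        return "server-rule"
    return "default" if d.startswith("default") else "other"

def audit(text):
    """Return mismatch descriptions for one block; empty means it matches EXPECTED."""
    f = parse_show_user(text)
    want_src, want_role = EXPECTED.get(f.get("protocol"), (None, None))
    got = derivation_source(f)
    findings = []
    if want_src and got != want_src:
        findings.append(f"{f['Name']} {f['MAC']}: role {f['Role']!r} via {got}, expected {want_src}")
    if want_role and f.get("Role") != want_role:
        findings.append(f"{f['Name']} {f['MAC']}: role {f['Role']!r}, expected {want_role!r}")
    return findings
```

Run audit() over each block of a pasted "show user" listing; a PEAP login reported as "via vsa" is the case where the post says to go back to the NPS logs.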