Wireless Access

Occasional Contributor II
Posts: 51
Registered: ‎05-03-2011

Radius and server group problem

Hello!

It's going to be rough to explain our environment, but I'll try my best!

 

In our RADIUS server (NPS on Windows Server 2008 R2) we have two Network Policies: NET and NET-SPC (school PC).
The NET policy has a condition limiting it to a group of AD users, with the PEAP authentication method.
The NET-SPC policy has a condition limiting it to a group of AD computers, with the certificate authentication method.

In our Aruba controller (ArubaOS 6.3) we have a server group named NET-X, pointing to the RADIUS server, with this server rule:

Priority  Attribute  Operation  Operand  Type    Action    Value      Validated
1         Filter-Id  equals     NET-SPC  String  set role  NET-SPC-X  Yes

The NET-SPC-X role has VLAN 400 (an internal network) assigned.

In the AAA-profile of the Virtual AP NET-VAP-X, we assigned TK-NET-X to "802.1X Authentication Server Group".
In the Virtual AP NET-VAP-X we assigned Vlan 900 for guest-access.

So basically, if you try to join the SSID "NET" with AD credentials you should be assigned to VLAN 900 with guest access, and if you join the SSID "NET" with a computer that has a certificate you should be assigned to VLAN 400.

But some devices (not all), both Android and HP computers, get the NET-SPC-X role assigned, even though they got the Network Policy "NET" from the RADIUS server.

 

We recently migrated from four 3200 controllers (1 master and 3 local) to a redundant solution of two 7210 controllers.
What could be the issue here?

 

Best Regards,
Johan Lång

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Radius and server group problem

What version of ArubaOS?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Radius and server group problem

Also, enable client debugging for one of these problematic devices:

 

(controller)# configure terminal
(controller)(config)# logging level debugging user-debug <mac>

 

 

Connect the device to the network, then capture the debug logs:

 

(controller)# show log user-debug all | include <mac>

 

 

This should tell us what RADIUS attributes are returned and if any server rules are applied after that would change the role.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Occasional Contributor II
Posts: 51
Registered: ‎05-03-2011

Re: Radius and server group problem

I mentioned 6.3, but more exactly it is 6.3.1.6. 

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Radius and server group problem

You could try upgrading to 6.3.1.7.

 

There is a bug in 6.3.1.6 with the VLAN not being assigned correctly when it is assigned in a role. Fixed in ArubaOS 6.3.1.7.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 51
Registered: ‎05-03-2011

Re: Radius and server group problem


thecompnerd wrote:

Also, enable client debugging for one of these problematic devices:

 

(controller)# configure terminal
(controller)(config)# logging level debugging user-debug <mac>

 

 

Connect the device to the network, then capture the debug logs:

 

(controller)# show log user-debug all | include <mac>

 

 

This should tell us what RADIUS attributes are returned and if any server rules are applied after that would change the role.


I will do this when I'm back on Monday :) Thanks!

Occasional Contributor II
Posts: 51
Registered: ‎05-03-2011

Re: Radius and server group problem


cjoseph wrote:

You could try upgrading to 6.3.1.7.

 

There is a bug in 6.3.1.6 with the VLAN not being assigned correctly when it is assigned in a role. Fixed in ArubaOS 6.3.1.7.


Sounds like a plan :) Will do! Thanks!

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Radius and server group problem

jokohanho,

 

You mention in your post that the Android and HP computers are getting assigned the wrong role, correct? Colin's upgrade suggestion is likely to help if you have VLAN assignment problems, but if the role itself is not being applied properly it could be elsewhere. Your goal is the following, correct?

 

- If computer certificate authentication; hit NET-SPC NPS policy which has NET-SPC filter-ID returned and server group rule assigns NET-SPC-X role which has VLAN 400 assigned within the role

- If user authentication; hit NET NPS policy which has no VSAs returned; and the user is assigned the default role and VLAN in the AAA and VAP profiles

 

If it is only the role misapplying, then run the following to determine the role derivation source of the systems getting the wrong role.

 

show user ip x.x.x.x

 

Look for the Role Derivation field. If it says Aruba VSA, then the role was applied by NPS during authentication. If that was the case (should not be for your NET policy based on your initial post) review the NPS logs to ensure the proper policy is being hit for those logins.

 

Example:

Name: tom, IP: 172.16.13.10, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 63/0, Age: 00:10:47
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: Dot1x Aruba VSA Role Contained

 

vs

 

Name: joe, IP: 192.168.13.143, MAC: 5c:f9:38:1c:f0:c0, Role: authenticated, ACL: 61/0, Age: 01:11:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit

Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 51
Registered: ‎05-03-2011

Re: Radius and server group problem

 


jokohanho wrote:

thecompnerd wrote:

Also, enable client debugging for one of these problematic devices:

 

(controller)# configure terminal
(controller)(config)# logging level debugging user-debug <mac>

 

 

Connect the device to the network, then capture the debug logs:

 

(controller)# show log user-debug all | include <mac>

 

 

This should tell us what RADIUS attributes are returned and if any server rules are applied after that would change the role.


I will do this when I'm back on Monday :) Thanks!


 

Where can I find which filter-id NPS sends to Aruba?

The only information I find regarding NPS is these lines:

|authmgr|  username=Johan MAC=38:aa:3c:4d:3b:ac IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RADIUS-Server

|authmgr|  MAC=38:aa:3c:4d:3b:ac IP=?? Derived role 'NET-SPC-X' from server rules: server-group=NET-X, authentication=802.1x
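As an added example (not code from the thread or from Aruba), the following script parses the two outputs discussed above, the `show user ip` record and the `|authmgr|` debug lines, classifies where each client's role came from, and lists user logins that still landed in the machine role NET-SPC-X. The samples are constructed in the formats quoted in the thread; the `host/` and `$` machine-account heuristic and the NET-SPC-X role name are assumptions taken from the posts.

```python
import re
# Added example, not from the thread; samples are constructed in the formats quoted above.
SHOW_USER_IP = """\
Name: joe, IP: 192.168.13.143, MAC: 5c:f9:38:1c:f0:c0, Role: authenticated, ACL: 61/0, Age: 01:11:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN
"""
AUTHMGR_LOG = """\
|authmgr|  username=Johan MAC=38:aa:3c:4d:3b:ac IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RADIUS-Server
|authmgr|  MAC=38:aa:3c:4d:3b:ac IP=?? Derived role 'NET-SPC-X' from server rules: server-group=NET-X, authentication=802.1x
|authmgr|  username=host/spc01.example.local MAC=00:11:22:33:44:55 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RADIUS-Server
|authmgr|  MAC=00:11:22:33:44:55 IP=?? Derived role 'NET-SPC-X' from server rules: server-group=NET-X, authentication=802.1x
"""
MACHINE_ROLE = "NET-SPC-X"  # role the server-group rule sets when Filter-Id == NET-SPC

def is_machine_account(username):
    # Assumption: NPS computer authentication shows host/<fqdn> or DOMAIN\name$; user logins do not.
    return username.startswith("host/") or username.endswith("$")

def role_source(derivation):
    # "Aruba VSA": NPS returned the role itself; "default for ...": the AAA profile default.
    if "Aruba VSA" in derivation: return "radius-vsa"
    if derivation.startswith("default for authentication type"): return "default"
    return "other"  # e.g. a server-group rule such as Filter-Id == NET-SPC -> NET-SPC-X

def parse_show_user(text):
    pat = r"(Name|IP|MAC|Role|Role Derivation|VLAN Derivation): ([^,\n]+)"
    return {m.group(1): m.group(2).strip() for m in re.finditer(pat, text)}

def parse_authmgr(text):
    # Groups the authmgr debug lines by client MAC: username, derived role, rule source, server group.
    clients = {}
    for line in text.splitlines():
        mac = re.search(r"MAC=([0-9a-f:]{17})", line)
        if not mac:
            continue
        c = clients.setdefault(mac.group(1), {})
        user = re.search(r"username=(\S+)", line)
        if user:
            c["username"] = user.group(1)
        role = re.search(r"Derived role '([^']+)' from (.+?): server-group=([^,]+),", line)
        if role:
            c["role"], c["source"], c["server_group"] = role.groups()
    return clients

def suspicious(clients):
    # User (non-computer) logins that still got the machine role: check which NPS policy matched them.
    return sorted(mac for mac, c in clients.items() if c.get("role") == MACHINE_ROLE
                  and not is_machine_account(c.get("username", "")))
```

Note that the authmgr lines only tell you that a server rule fired, not which attribute value NPS actually returned; for that you need the security-log output described in the next reply.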

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Radius and server group problem

jokohanho,

 

Try this:

 

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

After your user authenticates, type:

show log security 50

You should see messages like the last post in the thread here: http://community.arubanetworks.com/t5/Technology-Blog/Authenticating-users-with-Radius-and-Responding-with-a-Pool/ba-p/77014

 

 

 



Colin Joseph
Aruba Customer Engineering

