MVP
Posts: 778
Registered: ‎03-25-2009

Returned aruba-user-role vsa being ignored for machine-only auth?

Can anybody confirm that it is (or isn't) intended behaviour that an aruba-user-role VSA is ignored by the controller when it is returned on a machine-only authentication?

 

We're using clearpass to return different user-roles for a) machine-only, b) user-only and c) machine&user authenticated clients.

The role we return for the machine-only can be seen on the controller but is ignored completely in favor of the default machine role set in the 802.1x auth profile.

 

Support (Alcatel) confirms this to be intended & expected behaviour which seems odd to me as the vlan attribute is being accepted.

And if it is indeed the case... why? Fix it! :P

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Returned aruba-user-role vsa being ignored for machine-only auth?

If you are using ClearPass, you should turn off "Enforce Machine Authentication" in the 802.1x profile on the controller. You should simply use ClearPass to send back an Enforcement profile depending on the authentication types you are using.

 

You should view the access tracker to see what is being sent back to the client, as well as turn on debugging on the client to see what attributes are seen and being applied.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 778
Registered: ‎03-25-2009

Re: Returned aruba-user-role vsa being ignored for machine-only auth?

Clearpass definitely sends back the correct role, which the controller simply ignores since it used machine authentication (I'm guessing that's the "auth type 10" anyway), as can be seen in the debug:

 

Dec 5 12:48:58 :522044:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=300/300/0/0/0, Derivation=0/0, Value Pair=1
Dec 5 12:48:58 :522016:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 IP=?? Derived role 'CP-machine' from Aruba VSA
Dec 5 12:48:58 :522049:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=role-machine/none, reason=Station Authenticated with auth type: 10

 

I'll see about disabling the "enforce machine authentication" on the controller. Guess that should work as it won't realise it's a machine authentication anymore.

 

Thanks for the tip!

Koen (ACMX #351 | ACDX #547 | ACCP)

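An added example, not from this thread and not Aruba or ClearPass code: a small Python check that folds authmgr debug lines like the ones quoted above into one record per client MAC and flags sessions where the role ClearPass returned in the Aruba VSA ("Derived role ... from Aruba VSA") differs from the role the controller actually applied ("new Role=..."). The three lines for 24:77:03:72:ff:78 are the post's own; the three lines for 00:11:22:33:44:55, its CP-user role and its auth type number are constructed for contrast and are not real ArubaOS output. The regexes assume the line layout shown in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three authmgr lines quoted in the post for
# 24:77:03:72:ff:78, plus three constructed lines for a made-up second client
# (00:11:22:33:44:55) whose VSA role was honoured. The auth type number on the
# constructed line is a placeholder, not a real ArubaOS code.
SAMPLE_LOG = """\
Dec 5 12:48:58 :522044:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=300/300/0/0/0, Derivation=0/0, Value Pair=1
Dec 5 12:48:58 :522016:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 IP=?? Derived role 'CP-machine' from Aruba VSA
Dec 5 12:48:58 :522049:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=role-machine/none, reason=Station Authenticated with auth type: 10
Dec 5 12:50:01 :522044:  <INFO> |authmgr|  MAC=00:11:22:33:44:55 Station authenticate(start): method=8021x, role=logon//, VLAN=300/300/0/0/0, Derivation=0/0, Value Pair=1
Dec 5 12:50:01 :522016:  <INFO> |authmgr|  MAC=00:11:22:33:44:55 IP=?? Derived role 'CP-user' from Aruba VSA
Dec 5 12:50:01 :522049:  <INFO> |authmgr|  MAC=00:11:22:33:44:55,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=CP-user/none, reason=Station Authenticated with auth type: 99
"""

MAC = r"MAC=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
START_RE = re.compile(MAC + r" Station authenticate\(start\): method=(?P<method>[^,]+),")
DERIVED_RE = re.compile(MAC + r" IP=\S+ Derived role '(?P<role>[^']+)' from Aruba VSA")
UPDATED_RE = re.compile(MAC + r",IP=\S+ User role updated, .*?new Role=(?P<role>[^/,]+)/")


@dataclass
class Session:
    """What the controller logged for one client MAC during authentication."""
    mac: str
    method: Optional[str] = None        # e.g. 8021x-Machine or 8021x
    vsa_role: Optional[str] = None      # role returned by ClearPass in the Aruba VSA
    applied_role: Optional[str] = None  # role the controller actually assigned

    @property
    def machine_only(self) -> bool:
        # The controller logs machine-only authentications with a "-Machine" method.
        return self.method is not None and self.method.endswith("-Machine")

    @property
    def vsa_ignored(self) -> bool:
        # Both roles are known and differ: the returned VSA role did not win.
        return (self.vsa_role is not None and self.applied_role is not None
                and self.vsa_role != self.applied_role)


def parse_authmgr(text: str) -> Dict[str, Session]:
    """Fold authmgr lines into one Session per MAC, keeping the last value seen."""
    sessions: Dict[str, Session] = {}
    patterns = ((START_RE, "method"), (DERIVED_RE, "vsa_role"), (UPDATED_RE, "applied_role"))
    for line in text.splitlines():
        for regex, attr in patterns:
            m = regex.search(line)
            if m:
                sess = sessions.setdefault(m["mac"], Session(mac=m["mac"]))
                setattr(sess, attr, m["method"] if attr == "method" else m["role"])
                break
    return sessions


def find_ignored_vsa(sessions: Dict[str, Session]) -> List[Session]:
    """Clients whose VSA role was overridden, machine-only authentications first."""
    hits = [s for s in sessions.values() if s.vsa_ignored]
    return sorted(hits, key=lambda s: (not s.machine_only, s.mac))


def describe(session: Session) -> str:
    """One-line finding for a session flagged by find_ignored_vsa."""
    if session.machine_only:
        why = ("expected with 'Enforce Machine Authentication' on: the 802.1x profile's "
               "default machine role is applied instead of the VSA")
    else:
        why = "not explained by enforce machine authentication; inspect the profile"
    return (f"{session.mac}: VSA role '{session.vsa_role}' ignored, applied "
            f"'{session.applied_role}' (method={session.method}); {why}")


if __name__ == "__main__":
    for s in find_ignored_vsa(parse_authmgr(SAMPLE_LOG)):
        print(describe(s))
```

Run it over a saved authmgr debug capture in place of SAMPLE_LOG; a client that ends up in a different role from the one ClearPass decided on is worth knowing about whichever direction the difference goes, since the profile's default machine role may be more or less permissive than the role the policy intended.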
Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Returned aruba-user-role vsa being ignored for machine-only auth?

If you turn on enforce machine authentication, the controller ignores all VSAs unless the device has passed both. Turn it off and give clearpass control.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 83
Registered: ‎11-01-2010

Re: Returned aruba-user-role vsa being ignored for machine-only auth?

Funny, I was working on setting up my CPPM today and was running into the same issue using machine authentication on the controller, with the VSAs being sent back from CPPM to the controller completely ignored.

 

I want to send all non-domain devices to the ClearPass Onboard provisioning page and let all users who have domain machines that pass both machine and user auth through to the authenticated role.

 

Is there a way CPPM can do machine auth and user auth? I am unsure how to turn off machine authentication on the dot1x profile and then have CPPM do both machine auth and user auth.

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Returned aruba-user-role vsa being ignored for machine-only auth?

CPPM has a built-in [Machine Authenticated] role that can be used to determine whether a machine has passed machine authentication at all.  

Colin Joseph
Aruba Customer Engineering
