Contributor I
Posts: 20
Registered: 10-19-2011

Server rule derivation - set vlan not working

I've set up vlan derivation using server rules.

My NPS is configured to pass the filter-id Sales when the client is in the sales user group.

I can see the filter-id sales in a wireshark sniff I took on the controller, so the NPS seems to be working correctly.

However, the users are not placed in this vlan and remain in vlan 1.

The filter rules are pretty straightforward:

Rule  Attribute  Operation  Operand     Type    Action    Value  Enabled
1     Filter-Id  equals     Sales       String  set vlan  105    Yes
2     Filter-Id  equals     Operations  String  set vlan  1      Yes

I've also tried "contains" instead of equals, but it just does not seem to work.

Any thoughts?

Guru Elite
Posts: 20,960
Registered: 03-29-2007

Re: Server rule derivation - set vlan not working

It is case-sensitive, so make sure you are sending it back correctly.

Turn on debugging to see what is being sent back:

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

show log security 50

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,413
Registered: 11-30-2011

Re: Server rule derivation - set vlan not working

You mention sales and Sales; might it be an upper/lower case issue?

There is a graph somewhere that shows the priority in assigning things like vlans; it might be that it gets overwritten later on. Try a user debug and see what the logs are saying.

[edit] And of course cjoseph beats me :)

Contributor I
Posts: 20
Registered: 10-19-2011

Re: Server rule derivation - set vlan not working

I force a client to disconnect, then:

show log security 50

Jul 2 11:49:51 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:111] seq_num_timeout_handler: Freed 0 entries
Jul 2 11:49:57 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
Jul 2 11:49:57 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.
Jul 2 11:49:59 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 234 from 127.0.0.1:8235
Jul 2 11:49:59 :124162: <DBUG> |authmgr| Enforcing L2 check for mac 00:1e:65:73:36:ba.
Jul 2 11:49:59 :124163: <DBUG> |authmgr| download-L3: ip=192.168.100.121 acl=55/0 role=authenticated, Ubwm=0, Dbwm=0 tunl=0x0x10018, PA=0, HA=1, RO=0, VPN=0, MAC=00:1e:65:73:36:ba.
Jul 2 11:49:59 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 396 3 user messages bundled, actions = 17, 18, 20
Jul 2 11:49:59 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=192.168.100.121, ipv6=0.0.0.0, new_rec=1.
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: user_ip_address(192.168.100.121), uuid(0x14)
Jul 2 11:49:59 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=192.168.100.121, ipv6=0.0.0.0, new_rec=0.
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: user_ip_address(192.168.100.121), uuid(0x14)
Jul 2 11:49:59 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 204 action = 5
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: chan sta : DEL 00:1e:65:73:36:ba ageout 0
Jul 2 11:49:59 :124004: <DBUG> |authmgr| vlan_alloc_update (vlan_alloc.c:140): Vlan Alloc usage ; usage=10 vlan 1
Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: DELETE MAC user 00:1e:65:73:36:ba
Jul 2 11:49:59 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
Jul 2 11:49:59 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.
Jul 2 11:50:01 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:111] seq_num_timeout_handler: Freed 0 entries
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: ADD STA channel event:0 for mac:00:1e:65:73:36:ba
Jul 2 11:50:02 :124103: <DBUG> |authmgr| Setting user 00:1e:65:73:36:ba aaa profile to DU_Wireless8021x-aaa_prof, reason: ncfg_get_wireless_aaa_prof.
Jul 2 11:50:02 :124103: <DBUG> |authmgr| Setting user 00:1e:65:73:36:ba aaa profile to DU_Wireless8021x-aaa_prof, reason: ncfg_set_aaa_profile_defaults.
Jul 2 11:50:02 :124209: <DBUG> |authmgr| handle_sta_up_dn:2623 Updating vlan usage for MAC=00:1e:65:73:36:ba with vlan 1 apname DU-AP_Sales
Jul 2 11:50:02 :124004: <DBUG> |authmgr| vlan_alloc_update (vlan_alloc.c:136): Vlan Alloc usage ; usage=9 vlan 1
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM PUBLISH MAC user: BSS:24:de:c6:ca:57:49 MAC:00:1e:65:73:36:ba VLAN:1 wired_or_wifi:1 data-ready:0
Jul 2 11:50:02 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 204 1 user messages bundled, actions = 17
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:02 :133019: <ERRS> |localdb| User 00:1e:65:73:36:ba was not found in the database
Jul 2 11:50:02 :133006: <ERRS> |localdb| User 00:1e:65:73:36:ba Failed Authentication
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=6, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:02 :124230: <DBUG> |authmgr| Rx message 21/23, length 351 from 127.0.0.1:8344
Jul 2 11:50:02 :124004: <DBUG> |authmgr| Local DB auth failed for user 00:1e:65:73:36:ba, error (User not found in UserDB)
Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated
Jul 2 11:50:02 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 204 1 user messages bundled, actions = 17
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
Jul 2 11:50:03 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 230 from 127.0.0.1:8235
Jul 2 11:50:03 :124172: <DBUG> |authmgr| Show user rows between 1 and 11.
Jul 2 11:50:06 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
Jul 2 11:50:06 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.

Guru Elite
Posts: 20,960
Registered: 03-29-2007

Re: Server rule derivation - set vlan not working

In the 802.1x profile, you have "Enforce Machine Authentication".  That means no server derivation rules take place until machine authentication is successful.  Turn off Enforce Machine Authentication and server derivation will take place:

 

Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 20
Registered: 10-19-2011

Re: Server rule derivation - set vlan not working

I was expecting something like that.

Is there a way to use derivation and place the computer in the correct vlan when doing only machine-level authentication?

I do not want sales to get into vlan 1. Their computers are in a separate AD group, and there are policies in place that return filter-ids when doing the machine authentication.

Guru Elite
Posts: 20,960
Registered: 03-29-2007

Re: Server rule derivation - set vlan not working

A machine only does machine authentication when it is at the ctrl-alt-delete screen. It does NOT do machine authentication when a user is logging in, so you cannot change vlans when a user is logging in based on the AD group that a machine is a member of.

A machine would have had to pass both user and machine authentication for server derivation rules to even be listened to.

What are you trying to do, so that we can make suggestions?

Colin Joseph
Aruba Customer Engineering
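The behaviour the thread has established so far, as an added Python model (not ArubaOS code and not from anyone in this thread): the rule table from the first post evaluated with case-sensitive matching, the machine-authentication gate described in the replies above, and a scan of the posted `show log security` lines for the two messages that show machine authentication failing. The rule-table shape, the function names and the choice of default vlan 1 are assumptions.

```python
"""Model of the server-derivation behaviour described in this thread.

Added example, not ArubaOS code. Assumptions: rules are (attribute,
operator, operand, vlan) tuples in priority order, returned RADIUS
attributes arrive as {name: [values]}, and machine-auth status is a bool.
"""
import re

DEFAULT_VLAN = 1  # the vlan the users were stuck in

# The two rules from the first post, in priority order (assumed shape).
RULES = [
    ("Filter-Id", "equals", "Sales", 105),
    ("Filter-Id", "equals", "Operations", 1),
]

def rule_matches(operator, operand, received):
    """Case-sensitive comparison: a returned 'sales' does not match 'Sales'."""
    if operator == "equals":
        return received == operand
    if operator == "contains":
        return operand in received
    raise ValueError(f"unsupported operator {operator!r}")

def derive_vlan(radius_attrs, enforce_machine_auth, machine_auth_ok, rules=RULES):
    """Return (vlan, reason) for a station; the first matching rule wins."""
    if enforce_machine_auth and not machine_auth_ok:
        # With "Enforce Machine Authentication" on, no rule is evaluated
        # until machine authentication has succeeded.
        return DEFAULT_VLAN, "machine auth not passed: server rules skipped"
    for attr, op, operand, vlan in rules:
        for received in radius_attrs.get(attr, []):
            if rule_matches(op, operand, received):
                return vlan, f"{attr} {op} {operand!r}: set vlan {vlan}"
    return DEFAULT_VLAN, "no rule matched"

# Three lines copied from the 'show log security 50' output posted above.
SAMPLE_LOG = """\
Jul 2 11:50:02 :124004: <DBUG> |authmgr| Local DB auth failed for user 00:1e:65:73:36:ba, error (User not found in UserDB)
Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated
"""

MACHINE_AUTH_FAIL = re.compile(r"Machine auth=FAILURE|failed Machine authentication")

def machine_auth_failures(log_text):
    """Return the log lines that show machine authentication failing."""
    return [line for line in log_text.splitlines() if MACHINE_AUTH_FAIL.search(line)]
```

Running `derive_vlan({"Filter-Id": ["Sales"]}, True, False)` reproduces the thread's symptom: the attribute is correct, but the station lands in vlan 1 because the machine-auth gate is closed.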

Contributor I
Posts: 20
Registered: 10-19-2011

Re: Server rule derivation - set vlan not working

Right now all my clients are in one single vlan. However, we are migrating to different ip ranges.

I wanted to place the sales clients in a different vlan without having to change their wireless settings.

At this moment clients can also use their smartphones to connect to the network, with AD credentials.

But I also want domain computers to be able to use machine authentication, so that they can access the network before logging in.

Edit
------
I have an NPS policy in place that returns filter-id "Sales" for domain computers in the sales group, and I have an NPS policy that returns filter-id "Sales" for users in the sales group.

Guru Elite
Posts: 20,960
Registered: 03-29-2007

Re: Server rule derivation - set vlan not working

Okay. Let's take this step by step:

- Change the Machine Authentication Enforcement Cache from 24 hours to something like 100 hours in the 802.1x profile. When you perform a successful machine authentication, that status will be cached for 100 hours.

- Log off of the machine so that it is at the ctrl-alt-delete screen. This will perform a successful machine authentication and cache that status for 100 hours. You should be able to see the machine's mac address in the local user database (show local-userdb).

- Log into the machine after one minute and it will perform a successful user authentication. Your server derivation rules should work now.

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 20
Registered: 10-19-2011

Re: Server rule derivation - set vlan not working

So in short, server derivation only works if the user is in the 802.1x auth state and not in the 802.1x-machine or 802.1x-user state?

When the clients connect with their smartphones, they will only do 802.1x-user authentication, causing the server derivation to stop working.

Your solution would probably work for domain computers but not for the smartphones.

I think I'll just create an extra VAP for the sales guys. Using nas-ids I can make sure that the sales guys can only authenticate with the sales policy and that specific VAP.