New Contributor

User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

Hi, we are currently experiencing a problem wherein we have 2 SSIDs, namely Free and Auto, which run on an external RADIUS. The issue is when a client connects to the Free SSID or Auto SSID for the first time, the client will get redirected to the right portal (client gets assigned the correct logon role for Free or Auto). Our issue is when the client switches to the other SSID, either from Free to Auto or from Auto to Free: whichever SSID the client first connected to, he will retain the role he obtained. For example, the client connects to Free and is assigned Free-logon and then connects to Auto even without finishing the authentication process on Free; the client will retain the Free-logon role even though the client should obtain the Auto-logon role. The same happens when the client connects to Auto and then transfers to Free after.

 

So the design is like this. We have a central controller and on a remote site we deployed an HP 8 port switch (N930F) which supports tunneled node. We have 2 VLAN interfaces on the controller, which are for the two SSIDs Free and Auto, both of which have DHCP enabled. Each VLAN has its own wired AAA profile set and of course they are different networks. Here is where things get a bit tricky: the SSIDs are actually on a Cisco WLC and broadcast by Cisco APs. The VLANs are running through the Cisco network via L2.

Basically the topology is like this:

Aruba 7240>HP 8 Port Switch>Cisco Catalyst Switch>Cisco WLC>Cisco AP

 

I enabled debugging on my device and from the logs I can see that I'm obtaining a different, proper IP each time I switch from an SSID and get assigned a "new" role, but the controller seems to assign the old role I obtained from whichever SSID I connected to first.

 

We have no issues when testing on a RAP when we created two test SSIDs using the two VLANs. The user role gets updated every time and we are presented the right captive portal. The issue only occurs when we connect to the Cisco APs.

 

Sample logs:

Jul 10 17:11:05 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120

 

Jul 10 17:16:16 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120

 

 

So the issue seems to be that the controller somehow remembers the role of the client even though the client is switching between the two SSIDs.

 

Anyone experienced something like this before?

 

Sorry if I posted in the wrong section, not quite sure where to put this.
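
The symptom in the sample logs (same MAC, new IP, unchanged role) can be checked across a full authmgr log with a short script. This is an added example, not part of the original post or any Aruba tooling; the optional `expected` subnet-to-role map is an assumption, since the post gives neither the VLAN masks nor the Auto role's exact name.

```python
import ipaddress
import re

# The two authmgr (message id 522050) lines quoted in the post above.
SAMPLE_LOG = """\
Jul 10 17:11:05 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
Jul 10 17:16:16 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+:522050:.*?"
    r"MAC=(?P<mac>[0-9A-Fa-f:]{17}),IP=(?P<ip>[\d.]+)\s.*?"
    r"new Role=(?P<role>[^/,\s]+)/\d+"
)

def parse(log_text):
    """Return one dict (ts, mac, ip, role) per 522050 line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            events.append(ev)
    return events

def stale_role_suspects(events, expected=None):
    """Flag events where a MAC got a new IP but kept its previous role.

    expected (assumption, not from the post): optional {cidr: role} map;
    when given, an event whose role matches its subnet's role is not flagged.
    """
    last, hits = {}, []
    for ev in events:
        prev = last.get(ev["mac"])
        last[ev["mac"]] = ev
        if prev is None or prev["ip"] == ev["ip"] or prev["role"] != ev["role"]:
            continue
        if expected:
            addr = ipaddress.ip_address(ev["ip"])
            want = next((role for cidr, role in expected.items()
                         if addr in ipaddress.ip_network(cidr)), None)
            if want == ev["role"]:
                continue  # role is the one this subnet should hand out
        hits.append((ev["mac"], prev["ip"], ev["ip"], ev["role"]))
    return hits

if __name__ == "__main__":
    for hit in stale_role_suspects(parse(SAMPLE_LOG)):
        print("same role after IP change:", hit)
```

Without an `expected` map, an address change inside the same VLAN is flagged too, so a hit is a lead to confirm against the VLAN addressing plan.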

Guru Elite

Re: User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

Please open a TAC case in parallel with this post.  There are so many places that this could run into trouble, it would be best to have TAC work on it.  I have never configured things as you mention, and others who have might want to help, however..



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

Thanks for the reply, we have opened a parallel TAC case as well. Just trying our luck here too.
