dhanraj_puduchery@yahoo.com wrote:
Hi,
If we do not map any VLAN to the VAP, the client will get an IP address from the subnet where the AP is connected if it is an open SSID (without authentication).
The VLAN mapped by the role and the VLAN mapped by the SDR/VSA will always take precedence over the VLAN mapped to the VAP. Hence we need not worry much about the VLAN mapped to the VAP.
If you can share the output of "show user mac <Client_MAC>" and "show auth tracebuff", I can understand your issue and help you fix it.
Please feel free to ask any further questions on this.
Hi,
Our RADIUS (Microsoft NPS) returns the VLAN based on the authentication.
(WCTDF004) #show user mac 4c:b1:99:dc:a5:52
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
u - User Index
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
Name: zemarcio, IP: 172.16.113.24, MAC: 4c:b1:99:dc:a5:52, Role:BCB_User_Vap_Guest, ACL:52/0, Age: 00:00:23
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius_vap_guest_sbcdf046
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Aruba VSA
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 1120, Assigned: 1112, Current: 1112 vlan-how: 4 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x1126 (tunnel 166)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: BCB_User_Vap_Guest, role-how: 1, L2-role: BCB_User_Vap_Guest, L3-role: BCB_User_Vap_Guest
Essid: BCB-Visitante, Bssid: 00:1a:1e:63:df:c1 AP name/group: -2.Dired/default Phy-type: g-HT
RadAcct sessionID:zem4CB199DCA552-13F1AF
RadAcct Traffic In 728/60670 Out 153/64037 (0:728/0:0:0:60670,0:153/0:0:0:64037)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:aaa_dot1x_bcb_vap_guest, dot1x:l2_dot1x_bcb_vap_guest, mac: CP: def-role:'denyall' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1423237687 (Fri Feb 6 13:48:07 2015)
Core User Born: 1423237686 (Fri Feb 6 13:48:06 2015)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 172.16.113.24, from DHCP server 0.0.0.0
Device Type: iPhone4,1/7.1.2 (11D257)
Flags: W: WMM client, A: Active, K: 802.11K client, B: Band Steerable
PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
<n>ss: <n> spatial streams
Association Table
-----------------
Name bssid mac auth assoc aid l-int essid vlan-id tunnel-id phy assoc. time num assoc Flags
---- ----- --- ---- ----- --- ----- ----- ------- --------- --- ----------- --------- -----
show auth
Feb 6 14:15:04 station-up * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - - wpa2 aes
Feb 6 14:15:04 eap-id-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 1 5
Feb 6 14:15:04 eap-id-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 1 18 zemarcio
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 65420 206
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65420 90
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 2 6
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 2 152
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 54 378
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 54 1188
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 3 1096
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 3 6
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 49 232
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 49 589
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 4 503
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 4 220
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 12 446
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 12 153
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 5 69
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 5 6
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 58 232
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 58 127
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 6 43
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 6 59
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65494 285
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65494 143
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 7 59
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 7 59
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65501 285
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65501 159
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 8 75
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 8 107
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65432 333
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65432 175
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 9 91
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 9 43
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65436 269
Feb 6 14:15:04 rad-resp <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 65436 191
Feb 6 14:15:04 eap-req <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 11 107
Feb 6 14:15:04 eap-resp -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 11 43
Feb 6 14:15:04 rad-req -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 51 269
Feb 6 14:15:04 rad-accept <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 51 291
Feb 6 14:15:04 eap-success <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 11 4
Feb 6 14:15:04 assg-vlan-req * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 1120 1112 assignment during station auth
Feb 6 14:15:04 assg-vlan-resp * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 1112
Feb 6 14:15:04 station-data-ready * 4c:b1:99:dc:a5:52 00:00:00:00:00:00 1120 1112
Feb 6 14:15:04 wpa2-key1 <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 117
Feb 6 14:15:04 station-data-ready_ack * 4c:b1:99:dc:a5:52 00:00:00:00:00:00 1120 1112
Feb 6 14:15:04 wpa2-key2 -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 117
Feb 6 14:15:04 wpa2-key3 <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 151
Feb 6 14:15:04 wpa2-key4 -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 95
Feb 6 14:16:05 station-down * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - -
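Added example, not part of either post: a small Python parser for trace lines in the format shown above that reports, per client, whether RADIUS accepted the session and whether the assigned VLAN differs from the default one. It assumes the two numbers on an assg-vlan-req line are the default and then the assigned VLAN, which matches "Vlan default: 1120, Assigned: 1112" in the show user output; the function and field names are hypothetical.

```python
import re

# Lines excerpted from the trace in the post above, plus one constructed
# station (02:00:00:00:00:01) that is accepted without a VLAN assignment.
SAMPLE = """\
Feb 6 14:15:04 station-up * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - - wpa2 aes
Feb 6 14:15:04 rad-accept <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 51 291
Feb 6 14:15:04 eap-success <- 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 11 4
Feb 6 14:15:04 assg-vlan-req * 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 1120 1112 assignment during station auth
Feb 6 14:15:04 wpa2-key4 -> 4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 - 95
Feb 6 14:20:00 station-up * 02:00:00:00:00:01 00:1a:1e:63:df:c1 - - wpa2 aes
Feb 6 14:20:00 rad-accept <- 02:00:00:00:00:01 00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046 52 291
"""

# timestamp, event, direction, client MAC, BSSID[/server], remaining fields
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<event>\S+)\s+(?P<dir>\*|<-|->)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<bssid>\S+)\s*(?P<rest>.*)$",
    re.IGNORECASE,
)

def summarize(trace):
    """Return {client_mac: summary} for each station seen in the trace text."""
    stations = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, wrapped output
        s = stations.setdefault(m["mac"].lower(), {
            "server": None, "accepted": False, "default_vlan": None,
            "assigned_vlan": None, "keys_done": False})
        event, rest = m["event"], m["rest"].split()
        if event == "rad-accept":
            s["accepted"] = True
            # The server name follows the BSSID after a slash.
            s["server"] = m["bssid"].partition("/")[2] or None
        elif event == "assg-vlan-req" and len(rest) >= 2:
            # Assumption: first number is the default VLAN, second the assigned.
            if rest[0].isdigit() and rest[1].isdigit():
                s["default_vlan"], s["assigned_vlan"] = int(rest[0]), int(rest[1])
        elif event == "wpa2-key4":
            s["keys_done"] = True  # last message of the 4-way handshake seen
    for s in stations.values():
        s["vlan_overridden"] = (s["assigned_vlan"] is not None
                                and s["assigned_vlan"] != s["default_vlan"])
    return stations
```

A client that shows accepted as true but vlan_overridden as false is the case to check against the NPS policy, since it would remain on the default VLAN.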