Wireless Access

Frequent Contributor I
Posts: 76
Registered: 11-23-2010

What happens if I do not set VLAN ID at a Virtual AP?

We have a VAP without VLAN ID configured.

And we have this condition:

 

aaa server-group "server_grp_auth_radius_vap_guest"
auth-server radius_vap_guest_sbcdf046
auth-server radius_vap_guest_sbcdf047
set vlan condition Class equals "1112" set-value 1112

 

They work in tunnel mode and have worked well until now, but at the core switch a client MAC address appears twice in the MAC table, in VLAN 1112 and in VLAN 2160 (the controllers' VLAN).

 

Is it a bad design?

 

 

MVP
Posts: 4,301
Registered: 07-20-2011

Re: What happens if I do not set VLAN ID at a Virtual AP?

It is not a bad design; I have done similar setups to yours.

 

Do you have any other SSIDs using that VLAN that the client might have connected before and that's why it is showing up in the ARP table ?

 

What type of authentication are you using ?

What's the default role that the user gets ?

 

If you enable the following :

logging level debugging security process authmgr

logging level debugging security subcat aaa

 

then do a show log security all | include <device mac>

 

And this will allow you to see what VLANs the device is getting during the authentication process

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Valued Contributor II
Posts: 804
Registered: 12-01-2014

Re: What happens if I do not set VLAN ID at a Virtual AP?

Hi,

 

If we do not map any VLAN to the VAP, the client will get an IP address from the subnet where the AP is connected if it is an open SSID (without authentication).

 

The VLAN mapped by the role and the VLAN mapped by the SDR/VSA will always take precedence over the VLAN mapped to the VAP, hence we need not worry much about the VLAN mapped to the VAP.

 

If you can share the output of "show user mac <Client_MAC>" and "show auth tracebuf", I can understand your issue and help you fix it.

 

Please feel free to ask any further query on this.

Cheers,
Venu Puduchery,
[Did my post help you? Give Kudos :) ]
Frequent Contributor I
Posts: 76
Registered: 11-23-2010

Re: What happens if I do not set VLAN ID at a Virtual AP?


victorfabian wrote:

It is not a bad design; I have done similar setups to yours.

 

Do you have any other SSIDs using that VLAN that the client might have connected before and that's why it is showing up in the ARP table ?

 

What type of authentication are you using ?

What's the default role that the user gets ?

 

If you enable the following :

logging level debugging security process authmgr

logging level debugging security subcat aaa

 

then do a show log security all | include <device mac>

 

And this will allow you to see what VLANs the device is getting during the authentication process

 


We don't have another SSID using VLAN 1112.

We use 802.1X PEAP.

 

Our config:

 

 

user-role BCB_User_Vap_Guest
 access-list session validuser
!
aaa authentication dot1x "l2_dot1x_bcb_vap_guest"
 max-authentication-failures 5
 machine-authentication machine-default-role "denyall"
 machine-authentication user-default-role "denyall"
!
aaa server-group "server_grp_auth_radius_vap_guest"
 auth-server radius_vap_guest_sbcdf046
 auth-server radius_vap_guest_sbcdf047
 set vlan condition Class equals "1112" set-value 1112
!
aaa profile "aaa_dot1x_bcb_vap_guest"
 initial-role "denyall"
 mac-default-role "denyall"
 authentication-dot1x "l2_dot1x_bcb_vap_guest"
 dot1x-default-role "BCB_User_Vap_Guest"
 dot1x-server-group "server_grp_auth_radius_vap_guest"
 radius-accounting "server_grp_auth_radius_vap_guest"

My log:

(WCTDF004) #show log security all | include 4c:b1:99:dc:a5:52
Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  Setting user 4c:b1:99:dc:a5:52 aaa profile to aaa_dot1x_bcb_vap_guest, reason: ncfg_get_wireless_aaa_prof
Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  Setting user 4c:b1:99:dc:a5:52 aaa profile to aaa_dot1x_bcb_vap_guest, reason: ncfg_set_aaa_profile_defaults
Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=4, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  Save Class in station for MAC 4c:b1:99:dc:a5:52
Feb 6 13:34:14 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=radius_vap_guest_sbcdf046, user=4c:b1:99:dc:a5:52
Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  Adding user: 2c33a60c (4c:b1:99:dc:a5:52:N/A:zemarcio) to ap group:WCTDF004_Acesso ap group id: 763 role:BCB_User_Vap_Guest
Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=3, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=3, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
Feb 6 13:34:14 :132066:  <INFO> |authmgr|  Station4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 -2.Dired 1112 33552 VLAN has been updated

 

MVP
Posts: 4,301
Registered: 07-20-2011

Re: What happens if I do not set VLAN ID at a Virtual AP?

Based on the logs your device is getting the right VLAN.

 

My question was in regard to the management VLAN 2160: do you have this VLAN assigned on another VAP or user role?

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 76
Registered: 11-23-2010

Re: What happens if I do not set VLAN ID at a Virtual AP?

We don't have vlan 2160 assigned to VAP or user-role.

Frequent Contributor I
Posts: 76
Registered: 11-23-2010

Re: What happens if I do not set VLAN ID at a Virtual AP?


dhanraj_puduchery@yahoo.com wrote:

Hi,

 

If we do not map any VLAN to the VAP, the client will get an IP address from the subnet where the AP is connected if it is an open SSID (without authentication).

 

The VLAN mapped by the role and the VLAN mapped by the SDR/VSA will always take precedence over the VLAN mapped to the VAP, hence we need not worry much about the VLAN mapped to the VAP.

 

If you can share the output of "show user mac <Client_MAC>" and "show auth tracebuf", I can understand your issue and help you fix it.

 

Please feel free to ask any further query on this.


Hi,

Our RADIUS server (Microsoft NPS) returns the VLAN based on the authentication.

 

(WCTDF004) #show user mac 4c:b1:99:dc:a5:52

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----



Name: zemarcio, IP: 172.16.113.24, MAC: 4c:b1:99:dc:a5:52, Role:BCB_User_Vap_Guest, ACL:52/0, Age: 00:00:23
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius_vap_guest_sbcdf046
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Aruba VSA
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 1120, Assigned: 1112, Current: 1112 vlan-how: 4 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x1126 (tunnel 166)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: BCB_User_Vap_Guest, role-how: 1, L2-role: BCB_User_Vap_Guest, L3-role: BCB_User_Vap_Guest
Essid: BCB-Visitante, Bssid: 00:1a:1e:63:df:c1 AP name/group: -2.Dired/default Phy-type: g-HT
RadAcct sessionID:zem4CB199DCA552-13F1AF
RadAcct Traffic In 728/60670 Out 153/64037 (0:728/0:0:0:60670,0:153/0:0:0:64037)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:aaa_dot1x_bcb_vap_guest, dot1x:l2_dot1x_bcb_vap_guest, mac: CP: def-role:'denyall' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1423237687 (Fri Feb  6 13:48:07 2015)
Core User Born: 1423237686 (Fri Feb  6 13:48:06 2015)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 172.16.113.24, from DHCP server 0.0.0.0
Device Type: iPhone4,1/7.1.2 (11D257)


Flags: W: WMM client, A: Active, K: 802.11K client, B: Band Steerable

PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name  bssid  mac  auth  assoc  aid  l-int  essid  vlan-id  tunnel-id  phy  assoc. time  num assoc  Flags
----  -----  ---  ----  -----  ---  -----  -----  -------  ---------  ---  -----------  ---------  -----

show auth

Feb  6 14:15:04  station-up             *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      -     wpa2 aes
Feb  6 14:15:04  eap-id-req            <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1      5
Feb  6 14:15:04  eap-id-resp           ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1      18    zemarcio
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            65420  206
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65420  90
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            2      6
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            2      152
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  54     378
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  54     1188
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            3      1096
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            3      6
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  49     232
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  49     589
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            4      503
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            4      220
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  12     446
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  12     153
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            5      69
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            5      6
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  58     232
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  58     127
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            6      43
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            6      59
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65494  285
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65494  143
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            7      59
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            7      59
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65501  285
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65501  159
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            8      75
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            8      107
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65432  333
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65432  175
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            9      91
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            9      43
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65436  269
Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65436  191
Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     107
Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     43
Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  51     269
Feb  6 14:15:04  rad-accept            <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  51     291
Feb  6 14:15:04  eap-success           <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     4
Feb  6 14:15:04  assg-vlan-req          *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1120   1112  assignment during station auth
Feb  6 14:15:04  assg-vlan-resp         *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      1112
Feb  6 14:15:04  station-data-ready     *  4c:b1:99:dc:a5:52  00:00:00:00:00:00                            1120   1112
Feb  6 14:15:04  wpa2-key1             <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      117
Feb  6 14:15:04  station-data-ready_ack *  4c:b1:99:dc:a5:52  00:00:00:00:00:00                            1120   1112
Feb  6 14:15:04  wpa2-key2             ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      117
Feb  6 14:15:04  wpa2-key3             <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      151
Feb  6 14:15:04  wpa2-key4             ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      95
Feb  6 14:16:05  station-down           *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      -

 

Valued Contributor II
Posts: 804
Registered: 12-01-2014

Re: What happens if I do not set VLAN ID at a Virtual AP?

Hi,

 

What is the expected VLAN for this client: is it VLAN 1112 or another? I'm seeing that VLAN 1112 was assigned through the Aruba VSA.

 

Please feel free to ask for any further help on this.

Cheers,
Venu Puduchery,
[Did my post help you? Give Kudos :) ]
Frequent Contributor I
Posts: 76
Registered: 11-23-2010

Re: What happens if I do not set VLAN ID at a Virtual AP?

VLAN 1112 is expected and is working fine. My doubt is whether this configuration without a VLAN ID at the VAP could cause security problems, or whether it is not good practice.

MVP
Posts: 4,301
Registered: 07-20-2011

Re: What happens if I do not set VLAN ID at a Virtual AP?

It is not bad practice, and it is actually more secure to implement it that way, because users will only get that VLAN if they meet the condition defined in the SDR and on the RADIUS server, instead of getting it by default on the VAP.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
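The VLAN precedence Venu describes (SDR/VSA over role VLAN over VAP VLAN) and Victor's closing point that a client only lands on VLAN 1112 when the RADIUS Class condition matches, as an added Python example that is not from this thread or from ArubaOS: it models the thread's `set vlan condition` rule, applies the precedence, and audits the `Vlan default/Assigned/Current` and `VLAN Derivation` lines of a `show user mac` dump. The sample lines are copied from the thread; the rule representation, the attribute dict and the check against the "Aruba VSA" derivation string are assumptions.

```python
import re

# Fields from the thread's 'show user mac' dump (constructed subset, not the full output).
SAMPLE_SHOW_USER = """\
VLAN Derivation: Aruba VSA
Vlan default: 1120, Assigned: 1112, Current: 1112 vlan-how: 4 DP assigned vlan:0
"""

# Assumed representation of: set vlan condition Class equals "1112" set-value 1112
SDR_RULES = [{"attr": "Class", "op": "equals", "value": "1112", "vlan": 1112}]


def sdr_vlan(radius_attrs, rules=SDR_RULES):
    """First matching server-derivation rule wins; None when no rule matches."""
    for rule in rules:
        got = radius_attrs.get(rule["attr"])
        if got is None:
            continue
        if rule["op"] == "equals" and got == rule["value"]:
            return rule["vlan"]
    return None


def derive_vlan(vap_vlan, role_vlan, radius_attrs, rules=SDR_RULES):
    """Precedence stated in the thread: SDR/VSA > role VLAN > VAP VLAN.
    vap_vlan is None when the VAP has no VLAN ID, as in the original post."""
    vlan = sdr_vlan(radius_attrs, rules)
    if vlan is not None:
        return vlan, "sdr"
    if role_vlan is not None:
        return role_vlan, "role"
    return vap_vlan, "vap"


VLAN_LINE = re.compile(r"Vlan default:\s*(\d+),\s*Assigned:\s*(\d+),\s*Current:\s*(\d+)")
DERIV_LINE = re.compile(r"VLAN Derivation:\s*(.+)")


def audit_user(show_user_text, expected_vlan):
    """Flag a client whose current VLAN is not the expected one, or whose VLAN
    did not come from the RADIUS VSA path (i.e. it fell back to a default)."""
    m, d = VLAN_LINE.search(show_user_text), DERIV_LINE.search(show_user_text)
    if not m or not d:
        return {"ok": False, "findings": ["VLAN fields not found in output"]}
    current = int(m.group(3))
    derivation = d.group(1).strip()
    findings = []
    if current != expected_vlan:
        findings.append(f"current VLAN {current} != expected {expected_vlan}")
    if derivation != "Aruba VSA":  # assumed string, as shown in the thread's dump
        findings.append(f"VLAN not server-derived (derivation: {derivation})")
    return {"ok": not findings, "current": current, "findings": findings}
```

Run `audit_user` over the dump of each client seen on an unexpected VLAN; a client whose derivation is not the VSA, or whose current VLAN differs from the one the SDR rule should have produced, is the case worth investigating.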