Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

incorrect vlan assignment with AAA

Currently a client is using Bradford Campus Manager (AAA) to tell Aruba which role to put clients in. They would like to change the APs to bridge mode.

 

Currently, the role assignment and associated role VLAN assignment work correctly in tunnel mode. Once the APs are switched to bridge mode, the client is given the correct role but the VLAN assignment shows "vlan default". Below is the output from the same client in tunnel and bridge mode. Any thoughts?

 

TUNNELED FACULTY

Nov 1 18:04:24 :522036: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station DN: BSSID=00:0b:86:7a:1a:00 ESSID=FACULTY VLAN=18 AP-name=AP-COLLEGE-1
Nov 1 18:04:24 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 ingress 0x10a6 (tunnel 38), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Nov 1 18:04:24 :522004: <DBUG> |authmgr| station free: bssid=00:0b:86:7a:1a:00, valid=1, @=0x107ca404
Nov 1 18:04:33 :522035: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station UP: BSSID=00:0b:86:7a:1a:00 ESSID=FACULTY VLAN=97 AP-name=AP-COLLEGE-1
Nov 1 18:04:33 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 ingress 0x10a6 (tunnel 38), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Nov 1 18:04:33 :522004: <DBUG> |authmgr| station add: Created station with bssid=00:0b:86:7a:1a:00, valid=1, @=0x107ca404
Nov 1 18:04:33 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:0b:86:7a:1a:00, essid=FACULTY sg=CampusManagerGroup
Nov 1 18:04:33 :522035: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station UP: BSSID=00:0b:86:7a:1a:00 ESSID=FACULTY VLAN=97 AP-name=AP-COLLEGE-1
Nov 1 18:04:33 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 ingress 0x10a6 (tunnel 38), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Nov 1 18:04:33 :522004: <DBUG> |authmgr| station add: Found station with bssid=00:0b:86:7a:1a:00, valid=1, @=0x107ca404
Nov 1 18:04:33 :522038: <INFO> |authmgr| username=20:C9:D0:64:A9:D9 MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=CampusManager
Nov 1 18:04:33 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:0b:86:7a:1a:00
Nov 1 18:04:33 :522042: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate(start): method=MAC, role=denyall//, VLAN=97/97/0/0/0, Derivation=10/0, Value Pair=1
Nov 1 18:04:33 :522016: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Derived role 'CM-Faculty' from Aruba VSA
Nov 1 18:04:33 :522004: <DBUG> |authmgr| {L2} Update role from denyall to CM-Faculty for IP=0.0.0.0
Nov 1 18:04:33 :522004: <DBUG> |authmgr| download: ip=0.0.0.0 acl=49/0 role=CM-Faculty, Ubwm=0, Dbwm=0 tunl=0x10a6, PA=0, HA=1, RO=0, VPN=0
Nov 1 18:04:33 :522004: <DBUG> |authmgr| Station authenticate has l2 role :CM-Faculty default role denyall logon role logon
Nov 1 18:04:33 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:18, default:97,current:97,termstate:0, wired:0,dot1x enabled:1, psk:1 static:0 bssid=00:0b:86:7a:1a:00
Nov 1 18:04:33 :522004: <DBUG> |authmgr| 20:c9:d0:64:a9:d9: Sending STM new vlan info: vlan 18, AP 00:0b:86:7a:1a:00
Nov 1 18:04:33 :522029: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate: method=MAC, role=CM-Faculty//, VLAN=97/18/18/0/0, Derivation=7/6, Value Pair=1
Nov 1 18:04:33 :522008: <NOTI> |authmgr| User authenticated: Name=20:C9:D0:64:A9:D9 MAC=20:c9:d0:64:a9:d9 IP=172.18.200.26 method=MAC server=CampusManager role=CM-Faculty
Nov 1 18:04:33 :522004: <DBUG> |authmgr| {172.18.200.26} autTable ("20:C9:D0:64:A9:D9 Authenticated MAC CM-Faculty ")
Nov 1 18:04:33 :522004: <DBUG> |authmgr| {0.0.0.0} autTable ("20:C9:D0:64:A9:D9 Authenticated MAC CM-Faculty ")
Nov 1 18:04:33 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 def_vlan 97 derive vlan: 18 auth_type 2 auth_subtype 2

CONNECT BRIDGE

Nov 1 18:05:55 :522036: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station DN: BSSID=00:0b:86:7a:1a:00 ESSID=FACULTY VLAN=18 AP-name=AP-COLLEGE-1
Nov 1 18:05:55 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 ingress 0x10a6 (tunnel 38), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Nov 1 18:05:55 :522004: <DBUG> |authmgr| station free: bssid=00:0b:86:7a:1a:00, valid=1, @=0x107ca404
Nov 1 18:05:55 :522035: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station UP: BSSID=00:0b:86:73:b6:28 ESSID=bridgetest VLAN=1 AP-name=test-bridged
Nov 1 18:05:55 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 ingress 0x0 (vlan 0), u_encr 1, m_encr 1, slotport 0x1040 , type: remote, FW mode: 1, AP IP: 192.168.90.245
Nov 1 18:05:55 :522004: <DBUG> |authmgr| AU1(2), HA1, TAP0, PARP0 OIP0 IIP0 INT0 WD0 FW0 DT1
Nov 1 18:05:55 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=172.18.200.26 Send mobility delete message, flags=0x0
Nov 1 18:05:55 :522004: <DBUG> |authmgr| {172.18.200.26} datapath entry deleted
Nov 1 18:05:56 :522005: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=172.18.200.26 User entry deleted: reason=User Reconnect Cleanup
Nov 1 18:05:56 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 Send Station delete message to mobility
Nov 1 18:05:56 :522004: <DBUG> |authmgr| 20:c9:d0:64:a9:d9: station datapath entry deleted
Nov 1 18:05:56 :522004: <DBUG> |authmgr| station add: Created station with bssid=00:0b:86:73:b6:28, valid=1, @=0x107ac66c
Nov 1 18:05:56 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:0b:86:73:b6:28, essid=bridgetest sg=CampusManagerGroup
Nov 1 18:05:56 :522038: <INFO> |authmgr| username=20:C9:D0:64:A9:D9 MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=CampusManager
Nov 1 18:05:56 :522004: <DBUG> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:0b:86:73:b6:28
Nov 1 18:05:56 :522042: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate(start): method=MAC, role=denyall//, VLAN=1/0/0/0/0, Derivation=10/0, Value Pair=1
Nov 1 18:05:56 :522016: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Derived role 'CM-Faculty' from Aruba VSA
Nov 1 18:05:56 :522004: <DBUG> |authmgr| {L2} Update role from denyall to CM-Faculty for IP=0.0.0.0
Nov 1 18:05:56 :522004: <DBUG> |authmgr| station_authenticate : Sending SOS_USER_ACTION_SETACL for updation to RAP 192.168.90.245: IP=0.0.0.0, Role: CM-Faculty, ACL:49, authtype:2, ingress=4160
Nov 1 18:05:56 :522004: <DBUG> |authmgr| 20:c9:d0:64:a9:d9: Sending STM new Role ACL : 49, and Vlan info: 1, action : 10, AP IP: 192.168.90.245, flags : 0
Nov 1 18:05:56 :522004: <DBUG> |authmgr| Station authenticate has l2 role :CM-Faculty default role denyall logon role logon
Nov 1 18:05:56 :522004: <DBUG> |authmgr| No dot1xctx, remote:1, assigned:18, default:1,current:0,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:73:b6:28
Nov 1 18:05:56 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
Nov 1 18:05:56 :522029: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate: method=MAC, role=CM-Faculty//, VLAN=1/0/0/0/0, Derivation=7/6, Value Pair=1
Nov 1 18:05:56 :522004: <DBUG> |authmgr| {0.0.0.0} autTable ("20:C9:D0:64:A9:D9 Authenticated MAC CM-Faculty ")

 

Regards,

Josh
___________
ACMP, ACCP
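
The comparison between the two traces above can be automated. This is an added example, not part of the original post or of any Aruba tooling: it reads a subset of the log lines posted above and reports, per authentication, whether the VLAN shown as `assigned:` appears in the final `Station authenticate:` VLAN tuple. Treating that as "the derived VLAN was applied" is an assumption made for this sketch, as are the function and variable names.

```python
import re

# Subset of lines copied verbatim from the tunnel-mode trace in the post above.
TUNNEL = """\
Nov 1 18:04:33 :522035: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station UP: BSSID=00:0b:86:7a:1a:00 ESSID=FACULTY VLAN=97 AP-name=AP-COLLEGE-1
Nov 1 18:04:33 :522016: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Derived role 'CM-Faculty' from Aruba VSA
Nov 1 18:04:33 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:18, default:97,current:97,termstate:0, wired:0,dot1x enabled:1, psk:1 static:0 bssid=00:0b:86:7a:1a:00
Nov 1 18:04:33 :522029: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate: method=MAC, role=CM-Faculty//, VLAN=97/18/18/0/0, Derivation=7/6, Value Pair=1
"""
# Subset of lines copied verbatim from the bridge-mode trace in the post above.
BRIDGE = """\
Nov 1 18:05:55 :522035: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station UP: BSSID=00:0b:86:73:b6:28 ESSID=bridgetest VLAN=1 AP-name=test-bridged
Nov 1 18:05:56 :522016: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 IP=0.0.0.0 Derived role 'CM-Faculty' from Aruba VSA
Nov 1 18:05:56 :522004: <DBUG> |authmgr| No dot1xctx, remote:1, assigned:18, default:1,current:0,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:73:b6:28
Nov 1 18:05:56 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
Nov 1 18:05:56 :522029: <INFO> |authmgr| MAC=20:c9:d0:64:a9:d9 Station authenticate: method=MAC, role=CM-Faculty//, VLAN=1/0/0/0/0, Derivation=7/6, Value Pair=1
"""

UP = re.compile(r"MAC=(\S+) Station UP: .*ESSID=(\S+)")
ROLE = re.compile(r"Derived role '([^']+)' from Aruba VSA")
CTX = re.compile(r"assigned:(\d+), default:(\d+)")
# Matches the final line only; "Station authenticate(start):" is skipped.
DONE = re.compile(r"Station authenticate: .*VLAN=([\d/]+),")

def audit(trace):
    """Return one dict per completed authentication found in the trace."""
    out, cur = [], {}
    for line in trace.splitlines():
        if m := UP.search(line):
            cur = {"mac": m[1], "essid": m[2]}
        elif m := ROLE.search(line):
            cur["role"] = m[1]
        elif m := CTX.search(line):
            cur["assigned"], cur["default"] = m[1], m[2]
        elif m := DONE.search(line):
            cur["final"] = m[1]
            # Assumption: the derived VLAN took effect only if it is in the final tuple.
            cur["applied"] = cur.get("assigned") in m[1].split("/")
            out.append(cur)
            cur = {}
    return out

def unapplied(trace):
    """Authentications that received a role but not the VLAN assigned with it."""
    return [s for s in audit(trace) if "role" in s and not s["applied"]]

if __name__ == "__main__":
    for name, trace in (("tunnel", TUNNEL), ("bridge", BRIDGE)):
        print(name, unapplied(trace) or "derived VLAN applied")
```
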
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: incorrect vlan assignment with AAA

VLAN derivation is not supported in Bridged mode, unfortunately.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: incorrect vlan assignment with AAA

Is there anywhere that I can find that officially in writing? I need to relay this information to the client. Thanks

Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: incorrect vlan assignment with AAA


jclingan wrote:

Is there anywhere that I can find that officially in writing? I need to relay this information to the client. Thanks


If you open a support case, they can give you an official statement about your specific deployment and specific version of code.

 

This is a forum where anyone can give advice.  Support can give you an official statement.

 



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: incorrect vlan assignment with AAA

I'm currently on with support and they are searching for an official document. Thanks!

Regards,

Josh
___________
ACMP, ACCP