Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

802.1x on wired port of Remote AP with split-tunnel

  • 1.  802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 17, 2015 03:07 AM

    Hello all,

    I face an issue with 802.1x authentication on a wired port of a remote AP.

    The wired port is configured for split-tunnel mode; the AAA profile points to a MS Win 2008R2 NPS RADIUS server.

    When I plug the client into the E1 port of the RAP I get EAP packets and get prompted for credentials.

    However, then nothing further happens. On the NPS no event is logged (neither deny nor accept).

    On the Aruba controller, "show auth-tracebuf" eventually shows a timeout of the logon session.

    Now, when I set the wired port to tunneled mode, everything works fine!

    Is this a bug, or is 802.1x over split-tunnel on wired RAP ports not supported?

    Kind regards



  • 2.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 17, 2015 11:29 AM

    In your role for split tunnel, are you allowing access to NPS without source-NATing it?



  • 3.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 17, 2015 11:38 AM

    I had the initial role set to "allow all" to make sure clients can reach the NPS server. It still didn't work.

    On the other hand, we are dealing with EAP packets, which are Layer 2 and should not get filtered by the controller's firewall.

    Maybe my setup is faulty after all:

    I had the RAP placed inside my VLAN 1, which is the same VLAN that clients get assigned in my wired profile.

    I hooked the RAP up to an external ISP line, and now it works!

    Maybe the RAP gets stuck sending a split tunnel to basically the same network inside and outside the tunnel?



  • 4.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 17, 2015 01:08 PM

    How is your user-role for split-tunneling configured?

    Make sure that the user-role used for split-tunneling is set up this way:

    user any svc-dhcp permit (if DHCP is at the remote site)

    any <INTERNAL NETWORKS> any permit

    any any any route src-nat

    Where are you doing the termination, on the controller or on NPS?



  • 5.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 18, 2015 10:11 AM

    Hi,

    The user role is like this:

    any any svc-dhcp allow

    any <InternalNet> any allow

    user any any route src-nat

    EAP termination takes place at the NPS server.

    Thanks!
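An added example, not part of this thread or of any Aruba tool, to show how a first-match split-tunnel role like the one recommended above decides what happens to each flow from the wired client: DHCP and internal-network traffic are permitted into the tunnel, everything else is routed out locally with source NAT. It is a simplified evaluator, not ArubaOS's own firewall; the internal network, client address, sample flows and the reduced service table are all constructed, and the `<INTERNAL NETWORKS>` placeholder from the thread is stood in for by an assumed 10.0.0.0/8. It also runs the same three rules with the catch-all `any any any route src-nat` moved to the top, to show that rule order, not just rule content, decides the outcome.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values standing in for the thread's <INTERNAL NETWORKS> placeholder
# and for the wired client behind the RAP (assumptions, not from the thread).
INTERNAL_NET = "10.0.0.0/8"
USER_IP = "10.1.20.50"

# Named services reduced to (protocol, destination port) for this example.
SERVICES = {"svc-dhcp": ("udp", 67)}


@dataclass(frozen=True)
class Rule:
    src: str      # "user", "any", or a CIDR
    dst: str      # "any" or a CIDR
    svc: str      # "any" or a service alias from SERVICES
    action: str   # "permit", "deny", or "route src-nat"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(spec, addr, user_ip):
    if spec == "any":
        return True
    if spec == "user":                  # the role's own client
        return addr == user_ip
    return ip_address(addr) in ip_network(spec)


def _svc_matches(spec, flow):
    if spec == "any":
        return True
    return SERVICES[spec] == (flow.proto, flow.dport)


def evaluate(rules, flow, user_ip=USER_IP):
    """Action of the first matching rule; an empty match list is an implicit deny."""
    for rule in rules:
        if (_addr_matches(rule.src, flow.src, user_ip)
                and _addr_matches(rule.dst, flow.dst, user_ip)
                and _svc_matches(rule.svc, flow)):
            return rule.action
    return "deny"


# The ordering recommended in the thread: DHCP and internal traffic go into the
# tunnel, everything else breaks out locally with source NAT.
SPLIT_TUNNEL_ROLE = [
    Rule("user", "any", "svc-dhcp", "permit"),
    Rule("any", INTERNAL_NET, "any", "permit"),
    Rule("any", "any", "any", "route src-nat"),
]

# The same three rules with the catch-all first: it shadows the two specific rules.
SHADOWED_ROLE = [SPLIT_TUNNEL_ROLE[2], SPLIT_TUNNEL_ROLE[0], SPLIT_TUNNEL_ROLE[1]]

# Constructed sample flows from the wired client.
DHCP_RENEW = Flow(USER_IP, "10.1.20.1", "udp", 67)
INTERNAL_SMB = Flow(USER_IP, "10.0.5.9", "tcp", 445)
INTERNET_HTTPS = Flow(USER_IP, "203.0.113.10", "tcp", 443)


def classify(rules):
    """Map each sample flow to the action the role gives it."""
    samples = [("dhcp", DHCP_RENEW), ("internal", INTERNAL_SMB), ("internet", INTERNET_HTTPS)]
    return {name: evaluate(rules, flow) for name, flow in samples}


if __name__ == "__main__":
    print("recommended order:", classify(SPLIT_TUNNEL_ROLE))
    print("catch-all first:  ", classify(SHADOWED_ROLE))
```

With the catch-all at the bottom the internal flow is permitted into the tunnel while the Internet flow is source-NATed locally; with the catch-all at the top every flow, DHCP included, is NATed out the local ISP line, which is the kind of silent misroute worth ruling out when comparing a working tunneled port against a failing split-tunnel one.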



  • 6.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 18, 2015 12:28 PM

    What version of AOS are you using and what type of RAP?


  • 7.  RE: 802.1x on wired port of Remote AP with split-tunnel

    Posted Sep 21, 2015 02:57 AM

    Currently using AOS version 6.4.3.2 and a RAP3 in this scenario.

    Thanks.