I face an issue with 802.1x authentication on a wired port of a remote AP.
The wired port is configured for split-tunnel mode, AAA profile points to a MS Win 2008R2 NPS Radius server.
When I plug the client into E1 port of the RAP I get EAP packets and get prompted for credentials.
However, then nothing further happens. On the NPS no event is logged (neither deny nor accept).
On the Aruba controller, "show auth-tracebuf" eventually shows a timeout of the logon session.
Now, when I set the wired port to tunneled mode, everything works fine!
Is this a bug or is 802.1x over split-tunnel on wired RAP ports not supported?
In your role for split tunnel, are you allowing access to NPS without source NAT'ing it?
I had the initial role set to "allow all" to make sure clients may reach NPS server. Still didn't work.
On the other hand, we are facing EAP packets which are Layer 2 and should not get filtered by the controllers firewall.
Maybe my setup is faulty after all:
I had the RAP placed inside my VLAN1, which is the same VLAN clients get assigned in my wired profile.
I hook up the RAP to an external ISP line, now it works!
Maybe the RAP gets stuck sending a split tunnel to basically the same network inside and outside the tunnel?
How's your user-role for split-tunneling configured?
Make sure that the user-role used for split-tunneling is set up this way:
user any svc-dhcp permit (If DHCP is at the Remote Site)
any <INTERNAL NETWORKS> any permit
any any any route src-nat
Where are you doing the termination, on the controller or NPS?
User role is like this:
any any svc-dhcp allow
any <InternalNet> any allow
user any any route src-nat
EAP-Termination takes place at the NPS server.
Currently using AOS version 184.108.40.206 and using a RAP3 in this scenario.
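The split-tunnel user role described in the replies above, written out as an ArubaOS CLI fragment and bound to the RAP's wired port through a wired-ap-profile and an AAA profile that points at the NPS server group. This is an added example, not configuration posted in the thread; the ACL, role, profile and server-group names and the 10.0.0.0/8 internal range are placeholders.

```aruba
! Session ACL for the split-tunnel role (names and 10.0.0.0/8 are placeholders).
! Rule order matters: DHCP first, then internal networks (sent through the tunnel),
! and a final "route src-nat" so everything else leaves the RAP's local uplink.
ip access-list session split-tunnel-acl
  user any svc-dhcp permit
  any network 10.0.0.0 255.0.0.0 any permit
  user any any route src-nat
!
user-role rap-split-role
  access-list session split-tunnel-acl
!
! AAA profile: 802.1x terminated at the RADIUS (NPS) server group, not on the controller.
! The same split-tunnel role is used before and after authentication here.
aaa profile wired-dot1x-aaa
  initial-role rap-split-role
  authentication-dot1x default
  dot1x-default-role rap-split-role
  dot1x-server-group nps-group
!
! Wired AP profile: forward-mode split-tunnel for the RAP's wired port.
ap wired-ap-profile rap-wired-e1
  wired-ap-enable
  forward-mode split-tunnel
!
! Bind the wired AP profile and the AAA profile to the wired port profile.
ap wired-port-profile rap-e1-dot1x
  wired-ap-profile rap-wired-e1
  aaa-profile wired-dot1x-aaa
```

If the RAP itself sits on the same subnet as the "internal" range, the permit rule and the src-nat rule overlap, which is the situation the thread describes when the RAP was still inside VLAN1.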