Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

  • 1.  User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

    Posted Jul 23, 2017 09:08 PM

    Hi, we are currently experiencing a problem wherein we have 2 SSID's, namely Free and Auto, which run on an external radius. The issue is when a client connects to the Free SSID or Auto SSID for the first time, the client will get redirected to the right portal (client gets assigned the correct logon role for free or auto). Our issue is when the client switches to the other SSID, either from Free to Auto or from Auto to Free: whichever SSID the client first connected to, he will retain the role he obtained. For example, the client connects to Free and is assigned Free-logon and then connects to Auto even without finishing the authentication process on Free; the client will retain the Free-logon role even though the client should obtain the Auto-logon role. Same happens when the client connects to Auto and then transfers to Free after.

     

    So the design is like this. We have a central controller and on a remote site we deployed an HP 8 port switch (N930F) which supports tunneled node. We have 2 VLAN interfaces on the controller which are for the two SSID's free and auto, both of which have DHCP enabled. Each VLAN has its own wired AAA profile set and of course they are different networks. Here is when things get a bit tricky: the SSID's are actually on a Cisco WLC and broadcast by Cisco AP's. VLAN's are running through the Cisco network via L2.

    Basically the topology is like this:

    Aruba 7240>HP 8 Port Switch>Cisco Catalyst Switch>Cisco WLC>Cisco AP

     

    I enabled debugging on my device and from the logs I can see that I'm obtaining a different (the proper) IP each time I switch from an SSID and get assigned a "new" role, but the controller seems to assign the old role I obtained from whichever SSID I connected to first.

     

    We have no issues when testing on a RAP when we created two test SSID's using the two VLAN's. The user role gets updated every time and we are presented the right captive portal. The issue only occurs when we connect to the Cisco AP's.

     

    Sample logs:

    Jul 10 17:11:05 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120

     

    Jul 10 17:16:16 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120

     

     

    So the issue seems to be that the controller somehow remembers the role of the client even though the client is switching between the two SSID's.

     

    Anyone experienced something like this before?

     

    Sorry if I posted in the wrong section, not quite sure where to put this
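
A check for the symptom described in the post above, as an added example that is not part of the original thread or any Aruba tooling: it parses authmgr 522050 lines in the format quoted there and reports each MAC whose IP changed while the role pushed to the datapath stayed the same. The function names and the last two sample lines (MAC, IPs, role names) are constructed for illustration.

```python
import re

# authmgr message 522050 as quoted in the post: MAC, IP and the role pushed to the datapath.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+:522050:.*?"
    r"MAC=(?P<mac>[0-9a-fA-F:]{17}),IP=(?P<ip>[\d.]+)\s+"
    r"User data downloaded to datapath, new Role=(?P<role>[^/,\s]+)"
)

# The first two lines are the ones quoted in the post. The last two are constructed
# (hypothetical MAC, documentation-range IPs, made-up role names) and show a client
# whose role does follow the address change.
SAMPLE_LOG = """\
Jul 10 17:11:05 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
Jul 10 17:16:16 :522050:  <4125> <INFO> |authmgr|  MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
Jul 10 17:20:00 :522050:  <4125> <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=192.0.2.10 User data downloaded to datapath, new Role=example-free-logon/1, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
Jul 10 17:25:00 :522050:  <4125> <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=198.51.100.20 User data downloaded to datapath, new Role=example-auto-logon/2, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
"""


def parse(log_text):
    """Yield (timestamp, mac, ip, role) for every 522050 line found."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ts"), m.group("mac").lower(), m.group("ip"), m.group("role")


def sticky_roles(log_text):
    """Return (mac, old_ip, new_ip, role, timestamp) where the IP changed but the role did not."""
    last_seen = {}   # mac -> (ip, role) from the previous 522050 event
    findings = []
    for ts, mac, ip, role in parse(log_text):
        prev = last_seen.get(mac)
        if prev and prev[0] != ip and prev[1] == role:
            findings.append((mac, prev[0], ip, role, ts))
        last_seen[mac] = (ip, role)
    return findings


if __name__ == "__main__":
    for mac, old_ip, new_ip, role, ts in sticky_roles(SAMPLE_LOG):
        print(f"{ts}  {mac}: {old_ip} -> {new_ip} but role still {role}")
```

An unchanged role after an address change is only suspicious when the two addresses belong to VLANs with different AAA profiles, as in this design; a lease change inside one VLAN would also be reported.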



  • 2.  RE: User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

    Posted Jul 23, 2017 10:10 PM

    Please open a TAC case in parallel with this post.  There are so many places that this could run into trouble, it would be best to have TAC work on it.  I have never configured things as you mention, and others who have might want to help, however..



  • 3.  RE: User obtaining old role when switching SSID's with separate VLAN's and wired AAA profiles

    Posted Jul 24, 2017 01:31 AM

    Thanks for the reply, we have opened a parallel TAC case as well. Just trying our luck here too.