Security

last person joined: 17 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Problems with MAC authentication + RADIUS on Aruba switch

Jump to Best Answer
  • 1.  Problems with MAC authentication + RADIUS on Aruba switch

    Posted Feb 19, 2020 10:09 AM

    I have configured a switch with MAC auth from a RADIUS server, with both an authorised and unauthorised VLAN. 

     

    Unauthenticated clients work fine - the request hits RADIUS, is denied, and they end up in the unauth VID. Authorised clients don't work, and I cannot understand what is happening. 

     

    The log displays the following:

     

    W 01/02/90 04:13:19 02403 dca: macAuth client tagged VLANs arbitration error,
    MAC 38EAA7880001 port 1.

     

    The relevant config for the port is as follows:

     

    aaa port-access mac-based 1-22
    aaa port-access mac-based 1 auth-vid 100
    aaa port-access mac-based 1 unauth-vid 200

     

    vlan 100
    name "VOICE VLAN"
    untagged 24
    tagged 1-23
    ip address 172.2.1.2 255.255.255.0
    exit
    vlan 200
    name "DATA VLAN"
    untagged 1-23,25-28
    ip address 192.168.1.220 255.255.255.0
    exit

     

    I've looked through the documentation but cannot see an explanation for this error message. Clearly the issue is to do with tagged VLAN assignment but cannot get what needs to change to make this work.

     

    The desired behaviour is that clients not auth'd end up in VLAN 200 but auth'd clients end up in VLAN 100.

     

    Thanks in advance! 



  • 2.  RE: Problems with MAC authentication + RADIUS on Aruba switch

    Posted Feb 19, 2020 10:37 AM

    Is 172.2.1.0/24 the correct subnet for VLAN 100. That would fall under a public IP range, and your routing may be trying to reach it externally instead of internally.

     



  • 3.  RE: Problems with MAC authentication + RADIUS on Aruba switch

    Posted Feb 19, 2020 10:55 AM

    Fair point! No I changed it to protect the innocent. Good spot though.



  • 4.  RE: Problems with MAC authentication + RADIUS on Aruba switch
    Best Answer

    Posted Feb 20, 2020 04:17 AM

    For anyone finding this from Google etc. I solved this myself.

     

    The issue was that I had erroneously assigned the voice VLAN to the ports in the VLAN config. I removed the "tagged 1-23" statement from VLAN 100's definition and it works like a charm!