I have configured a switch with MAC auth from a RADIUS server, with both an authorised and unauthorised VLAN.
Unauthenticated clients work fine - the request hits RADIUS, is denied, and they end up in the unauth VID. Authorised clients don't work, and I cannot understand what is happening.
The log displays the following:
W 01/02/90 04:13:19 02403 dca: macAuth client tagged VLANs arbitration error,MAC 38EAA7880001 port 1.
The relevant config for the port is as follows:
aaa port-access mac-based 1-22
aaa port-access mac-based 1 auth-vid 100
aaa port-access mac-based 1 unauth-vid 200
vlan 100
   name "VOICE VLAN"
   untagged 24
   tagged 1-23
   ip address 22.214.171.124 255.255.255.0
   exit
vlan 200
   name "DATA VLAN"
   untagged 1-23,25-28
   ip address 192.168.1.220 255.255.255.0
   exit
I've looked through the documentation but cannot see an explanation for this error message. Clearly the issue is to do with tagged VLAN assignment, but I cannot get what needs to change to make this work.
The desired behaviour is that clients not auth'd end up in VLAN 200 but auth'd clients end up in VLAN 100.
Thanks in advance!
Is 126.96.36.199/24 the correct subnet for VLAN 100? That would fall under a public IP range, and your routing may be trying to reach it externally instead of internally.
Fair point! No, I changed it to protect the innocent. Good spot though.
For anyone finding this from Google etc. I solved this myself.
The issue was that I had erroneously assigned the voice VLAN to the ports in the VLAN config. I removed the "tagged 1-23" statement from VLAN 100's definition and it works like a charm!
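The fix described in this thread can be turned into a pre-deployment check. The following is an added example, not code from any poster or from the vendor: it scans a config in the syntax quoted above and reports ports whose MAC-auth auth-vid is also a VLAN the port is statically tagged in. The function names are hypothetical, and it assumes plain numeric port IDs.

```python
import re

# Constructed sample: the port and VLAN statements from the post, one per line
# (VLAN "ip address" lines omitted; they do not affect the check).
SAMPLE_CONFIG = """\
aaa port-access mac-based 1-22
aaa port-access mac-based 1 auth-vid 100
aaa port-access mac-based 1 unauth-vid 200
vlan 100
   name "VOICE VLAN"
   untagged 24
   tagged 1-23
   exit
vlan 200
   name "DATA VLAN"
   untagged 1-23,25-28
   exit
"""

def expand_ports(spec):
    """Expand a port list such as '1-23,25-28' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_tagged_auth_vid_conflicts(config):
    """Return sorted (port, vlan) pairs where a port's MAC-auth auth-vid
    is also a VLAN the port is statically tagged in."""
    auth_vid = {}        # port -> auth-vid VLAN id
    tagged = {}          # VLAN id -> set of statically tagged ports
    current_vlan = None  # VLAN context we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"aaa port-access mac-based (\S+) auth-vid (\d+)", line)
        if m:
            for port in expand_ports(m.group(1)):
                auth_vid[port] = int(m.group(2))
        elif re.fullmatch(r"vlan \d+", line):
            current_vlan = int(line.split()[1])
        elif line == "exit":
            current_vlan = None
        elif current_vlan is not None and line.startswith("tagged "):
            tagged.setdefault(current_vlan, set()).update(expand_ports(line[7:]))
    return sorted((p, v) for p, v in auth_vid.items() if p in tagged.get(v, set()))

if __name__ == "__main__":
    for port, vlan in find_tagged_auth_vid_conflicts(SAMPLE_CONFIG):
        print(f"port {port}: auth-vid {vlan} is also statically tagged on this port")
```

On the config as posted it reports port 1 with VLAN 100; with the "tagged 1-23" line removed it reports nothing.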