Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Clients not getting DHCP after passing mac authentication

Jump to Best Answer
  • 1.  Clients not getting DHCP after passing mac authentication

    Posted Apr 29, 2014 08:54 AM

    For one of our SSIDs we have been using 802.1x authentication. For added security, we added mac address filtering to the SSID as well. Since this, we are having random issues with DHCP not being assigned to a user, causing users to get 169.254.x.x addresses.

     

    I have the AAA initial role and 802.1x role set to denyall, and mac authentication role set to logon. If I go to the client list and search for 169.254.x.x user, I can see that they have passed MAC authentication and they are assigned the logon role.

     

    I also noticed that for the clients that DO get DHCP, the active connection time (i.e. age) never seems to be longer than 6 minutes or so. On top of this, if I search for a specific mac address in the client list, sometimes there will be multiple entries for that user. 

     

    Any idea what could be causing this hiccup in service? We are running ArubaOS 5.0.4.1



  • 2.  RE: Clients not getting DHCP after passing mac authentication

    Posted Apr 29, 2014 09:13 AM

    Did u changed something under AAA-Advanced?

    Capture.PNG

    Please re-configure it to the defualt settings:

    http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-show-aaa-timers/td-p/900

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/aaa-timers/td-p/7417

     

    in Aruba OS UG 6.1, page 323.

    There is a command in the AAA-profile called l2-auth-fail-through;

    "Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication."

     

    Also - why is your 802.1x role is set to denyall? :smileysurprised:

     

    more reading here: (might be helpful)

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Mac-Authentication-Problem/td-p/136911

     

     



  • 3.  RE: Clients not getting DHCP after passing mac authentication

    Posted Apr 29, 2014 09:55 AM

    @kdisc98 wrote:

    Did u changed something under AAA-Advanced?

    Capture.PNG

    Please re-configure it to the defualt settings:

    http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-show-aaa-timers/td-p/900

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/aaa-timers/td-p/7417

     

    in Aruba OS UG 6.1, page 323.

    There is a command in the AAA-profile called l2-auth-fail-through;

    "Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication."

     

    Also - why is your 802.1x role is set to denyall? :smileysurprised:

     

    more reading here: (might be helpful)

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Mac-Authentication-Problem/td-p/136911

     

     


     

    my AAA numbers match exactly what you have in the screenshot

     

    In regards to setting up l2-auth-fail-through, I do not want users to be able to authenticate 802.1x if mac authentication fails. A client machine needs to pass BOTH tests in order to get DHCP. Either way, I don't believe that option is available in ArubaOS 5.0

     

    "Also - why is your 802.1x role is set to denyall?"

    I had it set to logon yesterday when nothing was working so I tried setting it to denyall to see if that changed anything, but the same symtpoms remain

     

     

    I came across someone mentioning they had DHCP problems when the initial role was set to denyall. To test this, I took off the mac authentication profile, left the intial role as denyall and set the 802.1x role to logon. With this config, I get the same DHCP issue. If I set the intial role to logon, everything works as expected.

     

    If I want to implement the MAC authentication list, then leaving the intial role as logon does not work. It will let clients through after only passing 802.1x authentication.



  • 4.  RE: Clients not getting DHCP after passing mac authentication
    Best Answer

    Posted Apr 29, 2014 11:09 AM

    After talking with a technician, the first step we're trying is a config command that'll strip out duplicate entries from the user table. This change seems to be working so far, I will comment back after a little while to confirm if this fix works or not

     

    aaa user fast-age

     

    Read more about it here: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/aaa-user-fast-age/td-p/78848



  • 5.  RE: Clients not getting DHCP after passing mac authentication

    Posted Apr 29, 2014 09:22 AM