Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Problems with role derivation in 802.1X authentication on a remote AP

  • 1.  Problems with role derivation in 802.1X authentication on a remote AP

    Posted Jan 27, 2014 10:37 AM

    Hi,

    On a remote site of our university, I'm trying to deploy a remote AP with the same SSIDs as we have on our central site.

    One SSID is based on captive portal authentication. Students or staff connecting to this SSID get a simple web access.

    The forward mode is tunnel, and the operation mode is standard.

     

    The second SSID is based on 802.1X authentication, with role derivation rules set up on the Server Group Profile.

    The rules fix the user role according to the value of an attribute sent by a RADIUS server during authentication:

    - if the attribute equals "student", the role for the user is set to student-role.

    - if the attribute equals "staff", the role is set to staff-role.

    In this case, the user gets more or fewer privileges according to their status (staff or student).

    For each role, a different role VLAN ID is set, so that the user is placed in the proper VLAN to get their IP address:

    - staff-role, VLAN ID = 8,

    - student-role, VLAN ID = 10.

    The forward mode setting for this VAP is bridge mode, and its operation mode is persistent. In case of a failure with our main controller, the connected users can still work on their local IT resources.

    Both VLAN IDs 8 and 10 are set in the VAP VLANs.

    The corresponding AP system profile for the RAP has the native VLAN set to 4, which is the VLAN on the remote site where all network equipment is placed.

    The switch port into which the RAP is plugged is configured as a trunk for VLANs 8 and 10, with the native VLAN set to 4.

    When a user from the staff tries to connect to this SSID, he gets the correct role from the derivation rules: staff-role.

    However, the IP address the user gets is from the student VLAN, and I don't understand why.

    I've checked the configuration, and I don't see any reference to VLAN 10 linked to staff-role.

    Any idea?

    The ArubaOS version is 5.0.4.13.

    Thanks for your help.

    Sylvain




  • 2.  RE: Problems with role derivation in 802.1X authentication on a remote AP

    Posted Jan 27, 2014 12:36 PM

    I assume a student user works as expected?

    With your staff user in this state (i.e. in the wrong subnet/VLAN), do a "show user ip X.X.X.X" at the command line (where X.X.X.X is that user's IP).

    Look for a line in the output like "Vlan default: 1234, Assigned: 1234, Current: 1234 vlan-how: 1 DP assigned vlan:0".

    What does this show?

    If that output also looks wrong, I think it's worth running an aaa-debug on the authentication to see what attributes are returned from the server. Just to be sure.
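    The check described in this reply, as an added example that is not part of the original thread: a small Python helper that parses the quoted VLAN line from "show user ip" output and compares the user's current VLAN with the VLAN the derived role should map to (staff-role 8, student-role 10, as in the question). The sample output is constructed for the example; only its VLAN line follows the format quoted above, the other lines are placeholders.

```python
import re

# Role -> VLAN mapping as described in the original question (staff 8, student 10).
ROLE_VLANS = {"staff-role": 8, "student-role": 10}

# Pattern for the VLAN line of "show user ip" output quoted in the reply.
VLAN_LINE = re.compile(
    r"Vlan default:\s*(?P<default>\d+),\s*Assigned:\s*(?P<assigned>\d+),"
    r"\s*Current:\s*(?P<current>\d+)\s*vlan-how:\s*(?P<how>\d+)"
    r"\s*DP assigned vlan:\s*(?P<dp>\d+)"
)


def parse_vlan_line(output):
    """Return the VLAN fields of the first matching line as ints, or None if absent."""
    for line in output.splitlines():
        m = VLAN_LINE.search(line)
        if m:
            return {k: int(v) for k, v in m.groupdict().items()}
    return None


def check_user_vlan(output, role):
    """Compare the user's Current VLAN with the VLAN its role should map to.

    Returns (ok, message); ok is False when the user landed in the wrong VLAN
    or the output could not be parsed.
    """
    fields = parse_vlan_line(output)
    if fields is None:
        return False, "no VLAN line found in output"
    expected = ROLE_VLANS.get(role)
    if expected is None:
        return False, f"unknown role {role!r}"
    if fields["current"] != expected:
        return False, (f"role {role} expects VLAN {expected} but user is in VLAN "
                       f"{fields['current']} (assigned {fields['assigned']}, "
                       f"default {fields['default']}, vlan-how {fields['how']})")
    return True, f"role {role} correctly placed in VLAN {expected}"


# Constructed sample reproducing the symptom in the question: a staff user in VLAN 10.
SAMPLE_OUTPUT = """placeholder header line (constructed, not real ArubaOS output)
Vlan default: 10, Assigned: 8, Current: 10 vlan-how: 1 DP assigned vlan:0
"""

if __name__ == "__main__":
    print(check_user_vlan(SAMPLE_OUTPUT, "staff-role"))
```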

     



  • 3.  RE: Problems with role derivation in 802.1X authentication on a remote AP
    Best Answer

    Posted Jan 27, 2014 12:50 PM

    Support for Bridge Mode VLAN derivation began in ArubaOS 6.1 and above: it is not supported in your version of ArubaOS. Attached are the 6.1 release notes.



  • 4.  RE: Problems with role derivation in 802.1X authentication on a remote AP

    Posted Jan 27, 2014 01:10 PM

    What an excellent point CJ! v5 is a bit old, as is my memory of it clearly!

     



  • 5.  RE: Problems with role derivation in 802.1X authentication on a remote AP

    Posted Jan 28, 2014 03:48 AM

    Thanks for your reply.

    I shall be patient; we will normally be upgrading to version 6 this year.