Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

AP205H - Mac auth connection issue

  • 1.  AP205H - Mac auth connection issue

    Posted Mar 02, 2017 10:33 PM
    I have configured an AP205H to perform dot1x and MAC auth on eth1-3.
    When a laptop performs dot1x authentication the VLAN and role is pushed from the CPPM and the device receives an IP and everything is good.

    I have a few presentation devices that will only do MAC Auth. I can see the auth request coming into CPPM and the appropriate VLAN and role being pushed back to the controller. The device even receives an IP address, but I am unable to contact the device at all.
    When I run the show datapath command I see traffic trying to hit the device but all the attempts come with the flags FYI, FCI.

    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
    192.168.xx.xxx 192.168.xx.xxx 1 2464 0 0/0 0 0 0 pc1 4 0 0 FYI
    192.168.xx.xxx 192.168.xx.xxx 1 2463 0 0/0 0 0 1 pc1 8 0 0 FYI
    192.168.xx.xxx 192.168.xx.xxx 1 2464 2048 0/0 0 0 0 pc1 4 1 60 FCI
    192.168.xxx.xxx 192.168.xx.xxx 1 2463 2048 0/0 0 0 1 pc1 8 1 60 FCI

    Any ideas what might be going on? I am currently just trying to ping the device and access it via HTTP.


  • 2.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 06:35 AM

    Can you test with another device?

    The datapath session just shows it not responding, assuming we're looking at the correct addresses.


    Edit: The role the client is assigned allows HTTP and ping right?


  • 3.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 07:10 AM


    I have tried testing with a voip phone that is also doing mac auth.

    The same thing appears to occur, although with the voip phone it doesn't get an IP address, unlike the presentation device.


    I can try with a printer to see if it is able to communicate.


    I believe the datapath is correct. I got the mac address of the device and looked that up in the user-table to see if a session had been established on the controller. That is where I got the IP address for the device from.


    The role that is assigned does indeed allow http and ping, yes. I even tried assigning a different role that is less restrictive, and still no dice.

  • 4.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 08:02 AM

    I have tried testing with a printer.

    In this case I don't even get a session on the controller for the printer. I see the CPPM processing the request and sending back the appropriate information, but when I view the user table I do not see the printer.


    For the wired ports on the AP205H I have configured them in "tunnel" mode and I left the default vlan settings. Is this correct? Or have I done something wrong with these settings?

  • 5.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 08:18 AM
    You'll need to set the correct VLAN. VLAN 1 is the default in the wired AP Profile, I assume you're not using that VLAN?

  • 6.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 08:28 AM

    You are correct that I am not using vlan 1.


    I was under the impression though that the VLAN setting would be pushed from the CPPM? Similar to how it works on the wired ports of a switch.


    The CPPM currently is pushing back the VLAN and role information. When I plug in a laptop and the laptop does dot1x, it is placed into the correct VLAN and is able to communicate without an issue.

  • 7.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 09:03 AM

    With 802.1x the VLAN is assigned after the device authenticates.  With wired mac authentication, there is a race condition for whether or not the device ends up in the previous VLAN or authentication makes it back in time to put it into the radius returned VLAN.  The device will be assigned the initial VLAN if the radius result does not make it back on time.  A device will ALSO not make it into the user table unless it passes traffic with the source address being the ip address of the device.  I would enable using debugging for that user to see what is going on.


    config t
    logging level debugging user-debug <mac address of device>

    try to authenticate.

    show log user-debug all

  • 8.  RE: AP205H - Mac auth connection issue

    Posted Mar 03, 2017 09:07 AM
    Thank you for the explanation cjoseph. I will do this debugging hopefully later today and report back what I find!


  • 9.  RE: AP205H - Mac auth connection issue

    Posted Mar 06, 2017 04:43 PM

    I was finally able to do some testing today.


    From the log, it seems as though the client controller is getting the information to update the VLAN ID, but it isn't actually happening maybe?

    Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
    Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
    Mar 6 17:28:51 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for xx:xx:xx:xx:b9:b6 vlan 47 fwdmode 0 derivation_type VLAN exported.
    Mar 6 17:28:51 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user xx:xx:xx:xx:b9:b6 vlan 47 derivation_type VLAN exported index 8.
    Mar 6 17:28:51 :522029:  <INFO> |authmgr|  MAC=xx:xx:xx:xx:b9:b6 Station authenticate: method=MAC, role=NEWROLE///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
    Mar 6 17:28:51 :522158:  <DBUG> |authmgr|  Role Derivation for user 192.168.xx.xxx-xx:xx:xx:xx:b9:b6-xxxxxxxxb9b6 N/A User authenticated with auth type:Unknown auth type role derivation:0.
    Mar 6 17:28:51 :522318:  <DBUG> |authmgr|  Client xx:xx:xx:xx:b9:b6 idle timeout 300 profile global
    Mar 6 17:28:51 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=xxxxxxxxb9b6 MAC=xx:xx:xx:xx:b9:b6 IP=192.168.xx.xxx role=NEW ROLE VLAN=47 AP=xx:xx:xx:xx:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM

    The log seems to indicate that the user was successfully authenticated and that the VLAN information was updated. When I check the client on the controller (show user-table), the client has an IP address, but is unpingable.


    I also did what you suggested and set a default vlan. As soon as I did that, everything worked perfectly. The problem though is that I really need the MAC auth to be dynamic because I ultimately don't know what is going to be plugged into the ports.


    Is there a way that I can have the ports on the AP205H act as dumb ports and allow the underlying switch to handle dot1x requests? I don't have any issues with MAC auth on our Cisco switches.
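An added example, not part of the thread and not Aruba's own tooling: a small parser for the kind of `show log user-debug` output quoted above, written to make the race condition cjoseph describes visible. It pulls the initial/assigned VLAN pair out of the "Station authenticate" line (the `VLAN=1/47` field) and the `update_wired_station_vlan` bridge entries that precede it, then lists wired MAC-authenticated stations whose VLAN moved away from the port's initial VLAN. The regexes are derived only from the lines shown in the thread; the log text, MACs, IPs and AP address below are constructed, and treating bridge entries as belonging to the next "Station authenticate" line for the same debug session is an assumption.

```python
import re

# Constructed sample modeled on the user-debug output quoted in the thread.
# MAC, IP, username and AP values are made up; the field layout follows the quoted lines.
SAMPLE_LOG = """\
Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
Mar 6 17:28:51 :522167:  <DBUG> |authmgr|  update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
Mar 6 17:28:51 :522029:  <INFO> |authmgr|  MAC=00:11:22:33:44:55 Station authenticate: method=MAC, role=NEWROLE///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
Mar 6 17:28:51 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=001122334455 MAC=00:11:22:33:44:55 IP=192.0.2.50 role=NEW ROLE VLAN=47 AP=aa:bb:cc:dd:ee:ff SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM
Mar 6 17:30:02 :522029:  <INFO> |authmgr|  MAC=00:11:22:33:44:66 Station authenticate: method=802.1x, role=NEWROLE///denyall, VLAN=47/47, Derivation=6/11, Value Pair=1
Mar 6 17:30:02 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=laptop01 MAC=00:11:22:33:44:66 IP=192.0.2.51 role=NEW ROLE VLAN=47 AP=aa:bb:cc:dd:ee:ff SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=802.1x auth server=CPPM
"""

# Patterns built from the three line shapes quoted in the thread (assumed stable).
STATION_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-fA-F:]+) Station authenticate: method=(?P<method>[^,]+), "
    r"role=(?P<role>[^,]+), VLAN=(?P<initial>\d+)/(?P<assigned>\d+)"
)
SUCCESS_RE = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) MAC=(?P<mac>\S+) "
    r"IP=(?P<ip>\S+) role=(?P<role>.+?) VLAN=(?P<vlan>\d+) AP=(?P<ap>\S+)"
)
BRIDGE_RE = re.compile(
    r"adding bridge entry for vlan (?P<vlan>\d+) assigned_vlan (?P<assigned>\d+)"
)


def parse_authmgr(text):
    """Parse authmgr debug lines into one event per 'Station authenticate' line.

    Bridge entries logged before a station line are attached to that station
    (assumption: single-user debug output, as produced by the user-debug filter).
    """
    events = []
    by_mac = {}
    pending_bridge = []  # VLANs from bridge entries seen since the last station line
    for line in text.splitlines():
        m = BRIDGE_RE.search(line)
        if m:
            pending_bridge.append(int(m["vlan"]))
            continue
        m = STATION_RE.search(line)
        if m:
            ev = {
                "mac": m["mac"].lower(),
                "method": m["method"],
                "role": m["role"],
                "initial_vlan": int(m["initial"]),   # VLAN the port started in
                "assigned_vlan": int(m["assigned"]), # VLAN returned by RADIUS
                "bridge_vlans": pending_bridge,      # order in which bridge entries appeared
                "ip": None,
                "final_vlan": None,
            }
            pending_bridge = []
            by_mac[ev["mac"]] = ev
            events.append(ev)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            ev = by_mac.get(m["mac"].lower())
            if ev is not None:
                ev["ip"] = m["ip"]
                ev["final_vlan"] = int(m["vlan"])
    return events


def wired_mac_auth_vlan_changes(events):
    """MACs authenticated by MAC whose RADIUS VLAN differs from the port's initial VLAN.

    These are the stations exposed to the timing described in the thread: the port
    may already be in the initial VLAN when the RADIUS result arrives.
    """
    return [
        e["mac"] for e in events
        if e["method"] == "MAC" and e["initial_vlan"] != e["assigned_vlan"]
    ]


if __name__ == "__main__":
    for e in parse_authmgr(SAMPLE_LOG):
        print(f"{e['mac']} method={e['method']} vlan {e['initial_vlan']}->{e['assigned_vlan']} "
              f"bridge={e['bridge_vlans']} ip={e['ip']}")
    print("MAC-auth stations whose VLAN changed:", wired_mac_auth_vlan_changes(parse_authmgr(SAMPLE_LOG)))
```

On the constructed sample the MAC-authenticated presentation device shows `vlan 1->47` with bridge entries for VLAN 1 and then 47, while the 802.1x laptop shows `47->47`; that is the shape to look for when deciding whether the wired port's default VLAN, rather than the RADIUS-returned one, is what the station actually landed in.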