Can you test with another device? The datapath session just shows it not responding, assuming we're looking at the correct addresses.
Edit: The role the client is assigned allows HTTP and ping right?
I have tried testing with a voip phone that is also doing mac auth.
The same thing appears to occur, although with the VoIP phone it doesn't get an IP address, unlike the presentation device.
I can try with a printer to see if it is able to communicate.
I believe the datapath is correct. I got the mac address of the device and looked that up in the user-table to see if a session had been established on the controller. That is where I got the IP address for the device from.
The role that is assigned does indeed allow HTTP and ping, yes. I even tried assigning a different role that was less restrictive, and still no dice.
I have tried testing with a printer.
In this case I don't even get a session on the controller for the printer. I see the CPPM processing the request and sending back the appropriate information, but when I view the user table I do not see the printer.
For the wired ports on the AP205H I have configured them in "tunnel" mode and I left the default vlan settings. Is this correct? Or have I done something wrong with these settings?
You are correct that I am not using vlan 1.
I was under the impression though that the VLAN setting would be pushed from the CPPM? Similar to how it works on the wired ports of a switch.
The CPPM currently is pushing back the VLAN and role information. When I plug in a laptop and the laptop does dot1x, it is placed into the correct VLAN and is able to communicate without an issue.
With 802.1x the VLAN is assigned after the device authenticates. With wired mac authentication, there is a race condition for whether or not the device ends up in the previous VLAN or authentication makes it back in time to put it into the radius returned VLAN. The device will be assigned the initial VLAN if the radius result does not make it back on time. A device will ALSO not make it into the user table unless it passes traffic with the source address being the ip address of the device. I would enable using debugging for that user to see what is going on.
logging level debugging user-debug <mac address of device>
try to authenticate.
show log user-debug all
I was finally able to do some testing today.
From the log, it seems as though the client controller is getting the information to update the VLAN ID, but it isn't actually happening maybe?
Mar 6 17:28:51 :522167: <DBUG> |authmgr| update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
Mar 6 17:28:51 :522167: <DBUG> |authmgr| update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
Mar 6 17:28:51 :522255: <DBUG> |authmgr| "VDR - set vlan in user for xx:xx:xx:xx:b9:b6 vlan 47 fwdmode 0 derivation_type VLAN exported.
Mar 6 17:28:51 :522258: <DBUG> |authmgr| "VDR - Add to history of user user xx:xx:xx:xx:b9:b6 vlan 47 derivation_type VLAN exported index 8.
Mar 6 17:28:51 :522029: <INFO> |authmgr| MAC=xx:xx:xx:xx:b9:b6 Station authenticate: method=MAC, role=NEWROLE///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
Mar 6 17:28:51 :522158: <DBUG> |authmgr| Role Derivation for user 192.168.xx.xxx-xx:xx:xx:xx:b9:b6-xxxxxxxxb9b6 N/A User authenticated with auth type:Unknown auth type role derivation:0.
Mar 6 17:28:51 :522318: <DBUG> |authmgr| Client xx:xx:xx:xx:b9:b6 idle timeout 300 profile global
Mar 6 17:28:51 :522008: <NOTI> |authmgr| User Authentication Successful: username=xxxxxxxxb9b6 MAC=xx:xx:xx:xx:b9:b6 IP=192.168.xx.xxx role=NEW ROLE VLAN=47 AP=xx:xx:xx:xx:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM
The log seems to indicate that the user was successfully authenticated and that the VLAN information was updated. When I check the client on the controller (show user-table), the client has an IP address, but is unpingable.
I also did what you suggested and set a default vlan. As soon as I did that, everything worked perfectly. The problem though is that I really need the MAC auth to be dynamic because I ultimately don't know what is going to be plugged into the ports.
Is there a way that I can have the ports on the AP205H act as dumb ports and allow the underlying switch to handle the dot1x requests? I don't have any issues with MAC auth on our Cisco switches.
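Added example, not code from the thread or from Aruba: a small parser for the authmgr user-debug output quoted above that pulls out the initial/RADIUS VLAN pair from the "Station authenticate" line (the "VLAN=1/47" split), the VLAN in the "User Authentication Successful" line, and the bridge-entry moves, and flags wired MAC-auth clients whose port VLAN differs from the RADIUS-returned one, which is the race described in the earlier reply. The sample log is constructed to match the format of the posted lines (octets masked the same way), and the function and field names are my own.

```python
"""Parse ArubaOS authmgr user-debug lines for a wired MAC-auth client and
flag the initial-vs-RADIUS VLAN split (added example; names are assumptions)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the debug output quoted in the thread; not a
# capture from a real controller.
SAMPLE_LOG = """\
Mar 6 17:28:51 :522167: <DBUG> |authmgr| update_wired_station_vlan: adding bridge entry for vlan 1 assigned_vlan 47.
Mar 6 17:28:51 :522167: <DBUG> |authmgr| update_wired_station_vlan: adding bridge entry for vlan 47 assigned_vlan 47.
Mar 6 17:28:51 :522029: <INFO> |authmgr| MAC=xx:xx:xx:xx:b9:b6 Station authenticate: method=MAC, role=NEWROLE///denyall, VLAN=1/47, Derivation=6/11, Value Pair=1
Mar 6 17:28:51 :522008: <NOTI> |authmgr| User Authentication Successful: username=xxxxxxxxb9b6 MAC=xx:xx:xx:xx:b9:b6 IP=192.168.xx.xxx role=NEW ROLE VLAN=47 AP=xx:xx:xx:xx:29:3a SSID=N/A AAA profile=ap205h-dot1x-aaa-prof auth method=MAC auth server=CPPM
"""

STATION_RE = re.compile(
    r"MAC=(?P<mac>\S+) Station authenticate: method=(?P<method>\w+), "
    r"role=(?P<role>[^,]+), VLAN=(?P<initial>\d+)/(?P<assigned>\d+)"
)
SUCCESS_RE = re.compile(
    r"User Authentication Successful: username=\S+ MAC=(?P<mac>\S+) "
    r"IP=(?P<ip>\S+) role=(?P<role>.+?) VLAN=(?P<vlan>\d+) "
)
BRIDGE_RE = re.compile(
    r"update_wired_station_vlan: adding bridge entry for vlan (?P<vlan>\d+) "
    r"assigned_vlan (?P<assigned>\d+)"
)


@dataclass
class WiredSession:
    mac: str
    method: Optional[str] = None
    initial_vlan: Optional[int] = None   # VLAN the port started in (left of the slash)
    assigned_vlan: Optional[int] = None  # VLAN returned by RADIUS (right of the slash)
    final_vlan: Optional[int] = None     # VLAN in the "Authentication Successful" line
    ip: Optional[str] = None
    role: Optional[str] = None

    @property
    def vlan_moved(self) -> bool:
        """True when the RADIUS VLAN differs from the VLAN the port started in.
        For wired MAC auth that is the case to look at: the device may already
        have sent DHCP/ARP in the initial VLAN before the RADIUS result landed."""
        return (self.initial_vlan is not None
                and self.assigned_vlan is not None
                and self.initial_vlan != self.assigned_vlan)


def parse_user_debug(text: str) -> Dict[str, WiredSession]:
    """Build one WiredSession per MAC from the two authmgr summary lines."""
    sessions: Dict[str, WiredSession] = {}
    for line in text.splitlines():
        if (m := STATION_RE.search(line)):
            s = sessions.setdefault(m["mac"], WiredSession(m["mac"]))
            s.method = m["method"]
            s.role = m["role"]
            s.initial_vlan = int(m["initial"])
            s.assigned_vlan = int(m["assigned"])
        elif (m := SUCCESS_RE.search(line)):
            s = sessions.setdefault(m["mac"], WiredSession(m["mac"]))
            s.ip = m["ip"]
            s.role = m["role"]          # final role wins over the pre-auth role
            s.final_vlan = int(m["vlan"])
    return sessions


def bridge_entries(text: str) -> List[Tuple[int, int]]:
    """(vlan, assigned_vlan) pairs from update_wired_station_vlan lines, in order.
    A pair like (1, 47) shows the station had a bridge entry in the port's
    initial VLAN before it was moved to the RADIUS VLAN."""
    return [(int(m["vlan"]), int(m["assigned"]))
            for line in text.splitlines() if (m := BRIDGE_RE.search(line))]


def race_suspects(sessions: Dict[str, WiredSession]) -> List[str]:
    """MACs authenticated by MAC auth whose port VLAN != RADIUS VLAN."""
    return sorted(mac for mac, s in sessions.items()
                  if s.method == "MAC" and s.vlan_moved)


if __name__ == "__main__":
    sessions = parse_user_debug(SAMPLE_LOG)
    for mac in race_suspects(sessions):
        s = sessions[mac]
        print(f"{mac}: started in VLAN {s.initial_vlan}, RADIUS returned "
              f"VLAN {s.assigned_vlan}, session shows VLAN {s.final_vlan}, "
              f"IP {s.ip}; check that IP belongs to VLAN {s.assigned_vlan}'s subnet")
    print("bridge moves:", bridge_entries(SAMPLE_LOG))
```

Run it against the output of `show log user-debug all` after reproducing the authentication. For a suspect it prints the initial and RADIUS VLANs side by side; if the client's IP belongs to the initial VLAN's subnet rather than the assigned one, the device got its lease before the move, which matches the symptom of an entry in the user table that is not pingable.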