We are using an SSID for BYOD clients. Also, 802.1x authentication is in place. Users are required to enter their Active Directory username and password to log in to the wireless network. We are using EAP-PEAP. The issue we are facing is as follows:
(1) A client logs in to the wireless network and gets a VLAN which is set as default in the VAP profile. However, we are using server rules on the controller.
(2) The user must be put into a VLAN according to the rules specified. I have read on an Aruba support forum that if machine authentication fails, the user is put in the default VLAN specified under the VAP profile. Because machine information for BYOD devices is not present in our Active Directory, most of the clients are put in the default VLAN though they should be assigned a VLAN according to server rules based on the RADIUS attribute. This does not happen with all the clients, but the initial login always puts a client in the default VLAN, as a result of which a user shows up twice on the controller having IP addresses from both VLANs, such as 172.16.0.3 and 192.168.100.3.
Any ideas what might be causing it? It appears that clients are later put into the respective VLANs, but at initial login they get an IP from the default VLAN.
Following is the link which talks about default VLAN:
Please post your server rules.
It looks like you have "Enforce Machine Authentication" enabled in your 802.1x profile. When "Enforce Machine Authentication" is enabled, the server rules are ignored unless a device passes BOTH user AND machine authentication. That means BYOD devices will never have those server derivation rules executed, because they will never pass machine authentication. Users who do not pass machine authentication will get the 802.1x enforce machine authentication user role. If there is a VLAN defined in the Virtual AP, they will get that VLAN.
Looking at your server derivation rules again, I see that you are trying to assign a VLAN and a Role at the same time. Only the first server derivation rule is evaluated and enforced, so only your Role server derivation rule is being evaluated. As a test, if you swap the order of the rules, you will see that only the VLAN would be enforced. If you want to have both the VLAN and the Role changed, the best thing to do is to return an Aruba VSA from the Radius Server. With a VSA on the radius server you can send multiple attributes like a role and a VLAN at the same time. With server derivation rules, it only evaluates the first rule. A VSA would completely replace server derivation rules on the controller.
Which RADIUS server do you have?
Please take a look at the article here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-i-go-about-in-doing-Vlan-derivation-against-Microsoft/ta-p/184848
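To make the VSA point concrete, here is an added example (not from the thread or from Aruba) that encodes and decodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying Aruba-User-Role and Aruba-User-Vlan in a single Access-Accept attribute list. It assumes the Aruba enterprise number 14823 and sub-attribute types 1 (role, string) and 2 (VLAN, integer) from the Aruba RADIUS dictionary; the role name and VLAN ID are constructed sample values.

```python
import struct

ARUBA_VENDOR_ID = 14823   # assumed: IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1       # assumed: Aruba-User-Role (string sub-attribute)
ARUBA_USER_VLAN = 2       # assumed: Aruba-User-Vlan (integer sub-attribute)
VENDOR_SPECIFIC = 26      # RADIUS attribute type for Vendor-Specific (RFC 2865 5.26)
SESSION_TIMEOUT = 27      # standard attribute, included to show non-Aruba VSAs are skipped


def encode_aruba_vsa(vendor_type, value):
    """Wrap one Aruba sub-attribute in a RADIUS Vendor-Specific attribute (TLV inside TLV)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data       # vendor type, vendor length
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub                   # vendor id + sub-attribute
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body  # type 26, length, body


def build_access_accept_attrs(role, vlan, session_timeout=3600):
    """Attribute list a RADIUS server would return so role AND VLAN arrive together."""
    return (encode_aruba_vsa(ARUBA_USER_ROLE, role)
            + encode_aruba_vsa(ARUBA_USER_VLAN, vlan)
            + struct.pack("!BBI", SESSION_TIMEOUT, 6, session_timeout))


def decode_aruba_vsas(attrs):
    """Walk a RADIUS attribute list and pull the Aruba role/VLAN out of any VSAs present."""
    found, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        payload = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(payload) >= 6 \
                and struct.unpack("!I", payload[:4])[0] == ARUBA_VENDOR_ID:
            j = 4                                   # sub-attributes follow the 4-byte vendor id
            while j + 2 <= len(payload):
                vtype, vlen = payload[j], payload[j + 1]
                if vlen < 2 or j + vlen > len(payload):
                    raise ValueError("malformed vendor sub-attribute length")
                vdata = payload[j + 2:j + vlen]
                if vtype == ARUBA_USER_ROLE:
                    found["role"] = vdata.decode()
                elif vtype == ARUBA_USER_VLAN:
                    found["vlan"] = struct.unpack("!I", vdata)[0]
                j += vlen
        i += alen
    return found


if __name__ == "__main__":
    attrs = build_access_accept_attrs("byod-employee", 100)  # constructed sample values
    print(decode_aruba_vsas(attrs))                          # {'role': 'byod-employee', 'vlan': 100}
```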
Thanks for sharing the link. I have sorted the issue by getting an idea from the link. It appears that it is working now and overrides server rules if attributes are provided from the RADIUS server.
Thanks for your help.
It didn't solve the problem. I can still see two IPs from different VLANs on the controller. I suspect that there is a bug in the code version?
You would do this:
logging level debugging user-debug <mac address of device>
You would then connect and when you are done, type:
show log user-debug all
To reset a device's session so that you start from scratch, disconnect the device, then type:
aaa user delete mac <mac address>