I am attempting to attach my wireless onboarding workflow to the wired convenience ports on the 205H APs that are in our students' dorm rooms. I actually had it working for about 6 weeks in March/April, but then I changed something on the AAA profile that they share and solved a longstanding problem on the wireless side, but the wired side stopped working. But even when I changed it back it remained broken, which is a puzzler.
My test setup is that I have an AP on my desk in group "Cleland" which has a cable plugged into port E3 on the bottom of the AP. (I get a great wireless signal that way, LOL.) This, like all my APs, lets wireless clients into SSID mcUsers. I then plug my laptop in with a wired ethernet dongle, and I get an IP address from DHCP, and my laptop acts like it's in the captive portal. I can connect to my cpg manage devices and add the MAC of my ethernet port, and in CPPM Access Tracker I can see the successful Application login when I do that. But then I can see the REJECT in CPPM Access Tracker when I try to shift over to full internet access. The Alerts on the REJECT are
Error Code: 204
Error Category: Authentication failure
Error Message: Failed to classify request to service
If I go to my mcUsers MAC service and look at it,
Service:
  Name: MC - mcUsers MAC
  Description: MAC-based Authentication Service
  Type: MAC Authentication
  Status: Enabled
  Monitor Mode: Disabled
  More Options: Authorization
Service Rule
  Match ANY of the following conditions:
  1. Radius:Aruba | Aruba-Essid-Name | EQUALS | mcUsers
Authentication:
  Authentication Methods: [Allow All MAC AUTH]
  Authentication Sources: [Guest Device Repository] [Local SQL DB]
  Strip Username Rules: -
Authorization:
  Authorization Details: [Guest Device Repository] [Local SQL DB]
Roles:
  Role Mapping Policy: mcUsers Role Mapping
Enforcement:
  Use Cached Results: Disabled
  Enforcement Policy: MC - MAC Auth
I know that the problem with the request is that my setup isn't setting Aruba-Essid-Name to the Value of mcUsers. (I can throw in a quick hack and add a rule that says that if the NAS IP Address is one of my two addresses -- a condition that these sessions DO satisfy -- then the connection request is accepted. So I know that I'm getting to this ruleset.)
So how do I configure my AP wired port connections so that the connection requests arrive here with the Aruba-Essid-Name having the Value of mcUsers?
This is the definition of the mcUsers AAA profile: